The new HTTP QUERY method explained

Posted by CommonGuy 19 hours ago

The new HTTP QUERY method explained(kreya.app)

210 points | 159 commentspage 3

sylware 13 hours ago|

This looks like a effort to inject some planned obsolescence in HTTP more than anything else.

restful2 15 hours ago||

This breaks rest/crud.

tumetab1 15 hours ago||

It can actually improve because the semantics which currently are weird, GET is used for Search (Query), listing and also Get resources.

Garlef 14 hours ago|||

So what?

This is about HTTP.

And it does not break REST: None of the HTTP constructs that REST is built on change due to the introduction of QUERY.

Yes: If you're doing QUERY, you're (potentially) not doing CRUD.

But this enables a clean way to do CQRS over HTTP.

lightningspirit 11 hours ago|||

How does this break rest?

UnfitFootprint 15 hours ago|||

Is it not just READ? As for rest, why?

bazoom42 15 hours ago||

How so?

acimen101 17 hours ago||

[flagged]

hparadiz 18 hours ago||

[flagged]

flanked-evergl 18 hours ago|

No, it does not feel like that.

hparadiz 17 hours ago||

My framework is already two decade old prior art and you still haven't actually convinced me that this RFC solves a problem.

rmunn 17 hours ago||

1. Sometimes you need a request body. 2. POST cannot be guaranteed to be safe if re-sent. 3. This is GET with a request body, guaranteed* to be safe if re-sent.

* With the caveat that it's only guaranteed if the server is following the RFC correctly.

LaGrange 17 hours ago|||

I will keep using POST and not some weird thing that isn’t supported by a proxy living in the basement of a shoe store in Wageningen or whatever.

PunchyHamster 17 hours ago||||

> POST cannot be guaranteed to be safe if re-sent.

It can absolutely be guaranteed. What it can't be is communicated to be safe so browser gonna ask its silly question

broken-kebab 15 hours ago||

You can guarantee it to yourself, sure, but the talk is about different guarantees, those which are implied by people who has no idea about your plans and opinions but whose software may interact with yours.

hparadiz 17 hours ago|||

I read the RFC front to back. It is lazy. To the point where I'd be embarrassed to even show it to people.

For one you would never allow a client to dictate the query. That is a security and validation problem. So you have to deconstruct the query anyway and then rebuild it. That's HTTP APIs 101. Now if the authors of this RFC knew what they were doing they could enforce trust with some sort of JWT like trust mechanism but no they don't bother to define ANYTHING like that. Instead and I will quote this for completeness because it's honestly one of the funniest things I've ever read in an RFC.

> 4. Security Considerations

> It can be used as an alternative to passing request information in the URI (e.g., in the query component). This is preferred in some cases, as the URI is more likely to be logged or otherwise processed by intermediaries than the request content. In other cases, where the query contains sensitive information, the potential for logging of the URI might motivate the use of QUERY over GET.

This. This is just plain baffling to me. The argument is that QUERY replaces GET (it doesn't) so let's shove data into the same place that POST already does because it MAY MAY be logged. Bro the people doing the logging are logging the entire damn thing URI, Header, and Body. What even is this.

And again if they knew their shit they would know that GET has a soft cap of 2,083 characters from the internet explorer days so no one shoves more than that into a url for compatibility and if they do they risk losing data so they use POST anyway. Heck my framework even does JSON post bodies in the POST. And again if you are writing an RFC do your research and use this technical fact as an advantage. Define your own limits and explain why based on existing methodology. It would actually give your RFC some weight.

It doesn't even bother to address query feedback errors like what if the disk says no and writes are locked.

Frankly...... I miss the old days when RFCs where measured in pounds of paper.

antiloper 15 hours ago|||

Yes servers have to validate input data... This isn't new...

flanked-evergl 16 hours ago|||

> For one you would never allow a client to dictate the query. That is a security and validation problem. So you have to deconstruct the query anyway and then rebuild it.

Every single SQL server allows a client to dictate the query. Furthermore, not all queries are SQL queries.

hparadiz 16 hours ago||

[flagged]

flanked-evergl 15 hours ago||

What does "some random third party" have to do with any of it? An SQL server can expose HTTP directly. SQL is not the only query language that exists.

SPARQL's standard protocol for sending Queries uses HTTP[1], and yes, of course it allows clients to define the query that it sends over HTTP. HTTP QUERY would be ideal for SPARQL queries. There are also many unprotected SPARQL endpoints that you can use without any authentication [2][3].

[1]: https://www.w3.org/TR/sparql11-protocol/#query-operation

[2]: https://sparql.dblp.org/

[3]: https://data.europa.eu/en/about/sparql

hparadiz 15 hours ago||

This thread is for an RFC that is less than 3 pages and solves no problems that exist. I'm tired of having to pretend like every idea on the internet is a good one.

kortex 13 hours ago||

This RFC (the concept behind it) has been in the works in one form or another since 2008

> The HTTP SEARCH method was first formally proposed in November 2008 within RFC 5323.

> Before it became a full RFC, the proposal progressed through the IETF under the working group draft name draft-ietf-httpbis-safe-method-w-body. Its formal journey began in March 2021 as an adaptation of the older SEARCH method (from WebDAV's RFC 5323), before being renamed explicitly to QUERY in later draft revisions.

There's no "pretending" this is a good idea, a ton of very smart people have spent a tremendous amount of effort refining this solution. It's incredibly well thought out.

hparadiz 13 hours ago||

The test of an RFC is whether people use it. Your example doesn't inspire confidence.

xxkcd 15 hours ago||

Don’t add new stuff (query). Instead fix the broken shit that’s already added (get). Sigh. Xkcd standards.

marc_vuit 16 hours ago||

nice man

nokeya 17 hours ago||

If it needs so much explanation and discussion, maybe it is not a great idea after all?

reddalo 17 hours ago||

The article describes the current situation first. The whole explanation is quite simple: QUERY requests are the same as GET, but they have a body.

someguynamedq 17 hours ago||

So just add an optional body to get

dxdm 15 hours ago||

The article also addresses why this is not the chosen solution. It's pretty much the first one you'd think of: all kinds of existing software (that can be between client and server and out of their control) already handle GET bodies in all kinds of incompatible ways, because the existing standard says they're meaningless and "shouldn't" be included. The idea is to not break people's stuff, so they don't rugpull the established standard.

There's usually a reason why the simplest solution that pops into one's head is not "just" used by the people who put a lot more thought into it. Not always, but it can be useful to try to come up with it.

topham 13 hours ago||

So, I need to update all the tools to support QUERY, or I need to update all the tools to support GET/body.

So, either way, I need to update all the tools.

Just fix GET.

Ghoelian 11 hours ago||

The point is that if you do that, you end up with lots of undefined behaviour in existing software that has not been patched yet.

If you make it a whole new request method, existing unpatched software should just respond with "Method not allowed".

topham 9 hours ago||

Which means you have to structure everything around multiple scenarios anyway.

flyingshelf 16 hours ago|||

Arguably the only explanation you need is that "QUERY is the same as GET plus a body". The article just explains what GET is and isn't, but that can be implied.

lightningspirit 11 hours ago|||

I don't think this requires so much discussion; it is a very obvious and simple addition, IMO.

IshKebab 16 hours ago||

It doesn't really need that much explanation though. TL;DR: It's GET but with bodies officially supported.

Rapzid 16 hours ago||

Body is already optional with GET. Proxies aren't supposed to touch it or assign meaning to it; it's between the client and the end server.

A whole new method whose semantics don't really fit with the others is.. An odd way forward.

CommonGuy 16 hours ago||

Proxies are allowed to drop bodies of HTTP GET requests.

RFC 9110 states:

> [..] content received in a GET request has no generally defined semantics, cannot alter the meaning or target of the request [..]

> A client SHOULD NOT generate content in a GET request [..]

degamad 14 hours ago|||

> ... unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported.

You left out the important part.

lightningspirit 11 hours ago||

How does the origin server indicate that?

Rapzid 9 hours ago||

In or out of band. ie an API.

magicalhippo 15 hours ago|||

Even HTTP 1.0 RFC[11] is fairly clear on this, although it doesn't explicitly spell it out like RFC 9110. GET requests should only consider the Request-URI and request bodies should only be included if the method calls for it.

[1]: https://www.rfc-editor.org/info/rfc1945/

juliangmp 16 hours ago|||

Yeah I always disliked that there's this idea that you can't put a body on a GET request. Iirc openapi generators goes out of its way to not support that which has lead to me writing a small rant into an API specification before to explain why the get_xyz uses POST...

thewisenerd 16 hours ago||

semantics become extremely relevant when "proxies" start caching.

Rapzid 9 hours ago||

A lot of the RFCs are flavored by the lack of https and prevalence of forward proxies run by the ISPs to improve perceived speed and reduce their network loads.. Back in the day.

By my estimation, that's why they explicitly call out only the client and origin can know what a GET body means; proxies should forward as-is and ignore.

Those days of ISP forward http proxies are gone, but those semantics are still fine; the body means what the origin and client agree it means.

_alphageek 15 hours ago|

>> QUERY request can be cached

I have a weird feeling. Query body is encrypted by https. So CDN will not be able to cache results. In order to make it work right - whole topology of the internet should be redone. Caching on the backend server will not give any real gains for large scale apps.

CodesInChaos 15 hours ago|

The whole connection is encrypted by https, the request body is treated the same as the url, the headers or the response. The only unencrypted parts are the IP addresses/ports and the domain name (if SNI without ECH is used).

CDNs already terminate TLS connections so they can cache GET requests.

rileymat2 15 hours ago|||

I think a lot of people don’t know the http/1.x protocol from url (header) to body is a stream of text* separated by \r\n.

* the body may be compressed.

_alphageek 11 hours ago||||

[flagged]

vshulcz 14 hours ago|||

Even past the TLS point (CDNs terminate TLS, so they can read the body) there's a harder problem nobody's solved: to cache a QUERY the cache has to fold the body into the cache key, and there's no standard way to canonicalize a request body. {"a":1,"b":2} and {"b":2,"a":1} are the same query and two different cache entries; whitespace, float formatting, unordered keys all fork the key. GET gets this for free because the URL is already a normalized string. So "cacheable in principle" is real, but "actually cached" needs every layer to agree on a canonical form first - the same coordination problem that killed GET-with-body. I want QUERY for the honest semantics; I just wouldn't budget for cache hits yet

lightningspirit 11 hours ago|||

> {"a":1,"b":2} and {"b":2,"a":1} are the same query and two different cache entries

These two payloads are actually different. You're talking about semantics, which is determined by the payload format; in the case of JSON, these two are semantically similar.

> GET gets this for free because the URL is already a normalized string

It's the same principle; the order of properties matters too.

CodesInChaos 13 hours ago|||

I think the simple approach of using a bitwise comparison will result in satisfactory caching for most applications.

Yokohiii 11 hours ago||

Can you elaborate? Do you think the noted issues are non-issues that should be fixed in applications? Which would require a new standard to create stable JSON outputs, which is just one use case that can fail right now.