FWIW, it seems to me like, if the HTTP verb being used is, in fact, “POST”, then a more appropriate term for the proposed fix for the identity correlation problem identified last week would be “GET-as-POST” rather than “POST-as-GET”.
“POST-as-GET” sounds to me like the actual HTTP verb is a GET, but we’re shoehorning what would normally be a POST over that request. The opposite, of course, is what is proposed: a POST with an uninteresting payload is being sent to simulate a GET but with the authentication of a POST. The pattern of a GET is being sent “as a POST”. Alternatively, would it make sense to define a new HTTP verb, e.g., “FETCH”, for this? -FG _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
