Jamie Lokier wrote:
> Therefore to prevent subversion of HTTP message boundaries,
> XMLHttpRequest should prevent:
>
>    - The CONNECT method
>    - Setting the Upgrade header
>
> I don't see any reason to disallow any other request methods.

Come to think of it, what about TRACE?

Google for TRACE and XMLHTTP. The top results reveal some cross-site scripting vulnerabilities whereby a script can deduce cookie values that it shouldn't by using TRACE with Microsoft's equivalent to XMLHttpRequest.

However, Googling for TRACE and XMLHttpRequest, the top results reveal that TRACE is usefully used.

-- Jamie

Received on Sunday, 11 June 2006 04:21:36 GMT
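
An added example, not part of the original message or of any browser's code: a hypothetical request guard applying the two restrictions proposed above (CONNECT, the Upgrade header), plus a model of a TRACE echo showing why a reflected request exposes cookies the browser attached. Blocking TRACE is an assumption here, since the message leaves that question open; `checkRequest`, `traceEcho`, `reflectedCredentials` and the sample headers are constructed for illustration.

```javascript
// Added example: a hypothetical guard, not taken from any browser's source.
const BLOCKED_METHODS = new Set(["CONNECT", "TRACE"]); // TRACE: assumption, see lead-in
const BLOCKED_HEADERS = new Set(["upgrade"]);

// Return the list of reasons a script-supplied request must be refused.
function checkRequest(method, headers = {}) {
  const reasons = [];
  const m = String(method).trim().toUpperCase(); // so "connect" cannot slip past
  if (BLOCKED_METHODS.has(m)) reasons.push(`method ${m} not allowed`);
  for (const name of Object.keys(headers)) {
    if (BLOCKED_HEADERS.has(name.trim().toLowerCase())) {
      reasons.push(`header ${name.trim()} not allowed`);
    }
  }
  return reasons;
}

// Model of a TRACE-enabled server: it echoes the request it received
// back as the response body (Content-Type: message/http).
function traceEcho(path, receivedHeaders) {
  const lines = [`TRACE ${path} HTTP/1.1`];
  for (const [k, v] of Object.entries(receivedHeaders)) lines.push(`${k}: ${v}`);
  return lines.join("\r\n") + "\r\n\r\n";
}

// Names of browser-attached credential headers visible in an echoed body.
function reflectedCredentials(body, sensitive = ["cookie", "authorization"]) {
  return body.split("\r\n").slice(1)
    .map((line) => line.split(":")[0].trim().toLowerCase())
    .filter((name) => sensitive.includes(name));
}

// Constructed sample: headers as the server would see them after the
// browser has added the session cookie on its own.
const sampleReceived = { Host: "example.test", Cookie: "sid=CONSTRUCTED-VALUE" };

function demo() {
  return {
    get: checkRequest("GET", { Accept: "text/xml" }),
    connect: checkRequest("connect"),
    upgrade: checkRequest("POST", { "UPGRADE": "TLS/1.0" }),
    trace: checkRequest("Trace"),
    leaked: reflectedCredentials(traceEcho("/", sampleReceived)),
  };
}

console.log(demo());
```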