W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2006

Re: Extension methods & XMLHttpRequest

From: Joe Gregorio <joe.gregorio@gmail.com>
Date: Sat, 10 Jun 2006 22:48:29 -0400
Message-ID: <3f1451f50606101948q5481da15j12215dfae1bbb1df@mail.gmail.com>
To: "Mark Baker" <distobj@acm.org>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>

On 6/10/06, Mark Baker <distobj@acm.org> wrote:
>
> Folks,
>
> The W3C WebAPIs WG is attempting to standardize the XMLHttpRequest
> Javascript object[1], and part of that work involves deciding how to
> handle extension HTTP methods.
>
> Some of the WG is interested in establishing a "whitelist" of methods
> deemed safe at the time of publication of our spec, with the intent
> that all other methods would be disallowed.

The 'white list' approach is similar to the approach taken
by HTML forms which allows only GET and POST and which
has been disastrous, impeding progress on full usage of HTTP and
hobbling other specs that came later that tried to use methods
beyond GET and POST such as WebDAV. Please don't use a white-list.

> Others would prefer a
> "blacklist", whereby we specify that methods known to be a security
> problem (in the context of the use of XHR, e.g. CONNECT) not be used,
> but that unknown methods be allowed.

That would be a much better approach, and easier to explain, since
it matches the 'blacklist' approach taken by the XMLHttpRequest
specification with respect to HTTP headers.

  -joe

-- 
Joe Gregorio        http://bitworking.org
Received on Sunday, 11 June 2006 02:48:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:44 GMT