Re: Extension methods & XMLHttpRequest

From: Jamie Lokier <jamie@shareable.org>
Date: Sun, 11 Jun 2006 05:06:06 +0100
To: Lisa Dusseault <lisa@osafoundation.org>
Cc: Mark Baker <distobj@acm.org>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20060611040606.GA27946@mail.shareable.org>

Jamie Lokier wrote:
> Therefore to prevent subversion of HTTP message boundaries,
> XMLHttpRequest should prevent:
>     - The CONNECT method
>     - Setting the Upgrade header
> I don't see any reason to disallow any other request methods.

Come to think of it, what about TRACE?

Google for TRACE and XMLHTTP.  The top results reveal some cross-site
scripting vulnerabilities whereby a script can deduce cookie values
that it shouldn't by using TRACE with Microsoft's equivalent to

However Googling for TRACE and XMLHttpRequest, the top results reveal
that TRACE is usefully used.

-- Jamie
Received on Sunday, 11 June 2006 04:21:36 UTC
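
Added example, not part of the message above or of any XMLHttpRequest specification: a sketch of the request check the message proposes (refuse CONNECT, refuse a script-set Upgrade header), together with a constructed TRACE echo showing why a cookie the browser attaches becomes readable in the response body. The names `checkRequest`, `traceEcho` and `browserSends`, the host, and the cookie value are hypothetical, and treating TRACE as blocked is an assumption, since the message only raises it as a question.

```javascript
// Added illustration; all names and sample values here are hypothetical.

// CONNECT and Upgrade come from the message; TRACE is an assumption,
// the thread leaves open whether it should be refused.
const BLOCKED_METHODS = new Set(["CONNECT", "TRACE"]);
const BLOCKED_HEADERS = new Set(["upgrade"]);

// Returns the reasons a script's request is refused (empty array = allowed).
function checkRequest(method, headers) {
  const reasons = [];
  // Compare case-insensitively so "connect" or " Trace" cannot slip past.
  const m = String(method).trim().toUpperCase();
  if (BLOCKED_METHODS.has(m)) reasons.push(`method ${m} not allowed`);
  for (const name of Object.keys(headers || {})) {
    // Header field names are case-insensitive.
    if (BLOCKED_HEADERS.has(name.trim().toLowerCase())) {
      reasons.push(`header ${name.trim()} may not be set by script`);
    }
  }
  return reasons;
}

// A server answering TRACE echoes the request it received as the
// response body (media type message/http).
function traceEcho(method, path, headers) {
  const lines = [`${method} ${path} HTTP/1.1`];
  for (const [k, v] of Object.entries(headers)) lines.push(`${k}: ${v}`);
  return lines.join("\r\n") + "\r\n\r\n";
}

// Constructed sample: the script chooses only its own headers; the
// browser adds Host and Cookie without the script ever seeing them.
function browserSends(scriptHeaders) {
  return { Host: "app.example", Cookie: "SID=constructed-secret", ...scriptHeaders };
}

function demo() {
  const scriptHeaders = { Accept: "*/*" };
  const echoed = traceEcho("TRACE", "/", browserSends(scriptHeaders));
  return {
    // Without a check, the echoed body hands the cookie to the script.
    cookieVisibleInTraceBody: echoed.includes("SID=constructed-secret"),
    trace: checkRequest("trace", scriptHeaders),
    connect: checkRequest("CONNECT", {}),
    upgrade: checkRequest("GET", { UPGRADE: "TLS/1.0" }),
    extensionMethod: checkRequest("PROPFIND", { Depth: "1" }),
  };
}

console.log(demo());
```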