- From: Jamie Lokier <jamie@shareable.org>
- Date: Sun, 11 Jun 2006 13:27:53 +0100
- To: HTTP Working Group <ietf-http-wg@w3.org>
Anne van Kesteren wrote:
> The problem is that new methods (similar to TRACE and CONNECT) could be
> introduced which would require immediate patching to browsers.

Are you sure it's possible to introduce new methods that have similar problems to TRACE and CONNECT? New methods must be compatible with existing deployed proxies, which means they have to be end-to-end, don't they? And isn't the security of end-to-end requests a matter between the client and server applications?

On a related but different note: XMLHttpRequest does not allow cross-domain requests. People are working around this constraint by using the old methods of IFRAME and fetching JavaScript, because it is not (usually) subject to the same restriction.

That means scripts are able to send GET and POST requests to any domain, but they have limited control over the method and headers sent and cannot examine the headers received. And parsing the returned value and being notified of when it's received are more difficult.

Therefore how about this proposal:

Relax XMLHttpRequest's constraints slightly to allow GET (only) requests to any domain, with the constraint that in this case it's not permitted to set arbitrary request headers or read most of the response headers. (Reading "Content-Type" should be allowed).

-- Jamie
Received on Sunday, 11 June 2006 12:28:01 UTC
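
The policy proposed in the message above, modelled as an added example (not part of the original message, and not any browser's implementation). The function names, the scheme/host/port comparison, and treating Content-Type as the only readable response header are assumptions; the message says only that "most" response headers would be unreadable.

```javascript
// Hypothetical model of the proposed relaxation; all names are illustrative.
// Assumption: the message names only Content-Type as readable cross-domain.
const READABLE_CROSS_DOMAIN = new Set(["content-type"]);

// Assumption: "same domain" is compared as scheme + host + port.
function sameOrigin(a, b) {
  const x = new URL(a), y = new URL(b);
  return x.protocol === y.protocol && x.hostname === y.hostname && x.port === y.port;
}

// Decide whether a script running on pageUrl may issue the request.
// Same-domain requests keep full control; cross-domain requests are
// limited to GET with no script-supplied request headers.
function checkRequest(pageUrl, { method, url, headers = {} }) {
  if (sameOrigin(pageUrl, url)) return { allowed: true, restricted: false };
  if (method.toUpperCase() !== "GET") {
    return { allowed: false, reason: "cross-domain requests are GET only" };
  }
  if (Object.keys(headers).length > 0) {
    return { allowed: false, reason: "request headers may not be set cross-domain" };
  }
  return { allowed: true, restricted: true };
}

// Filter the response headers the script is allowed to read.
function visibleResponseHeaders(decision, responseHeaders) {
  if (!decision.allowed) return {};
  if (!decision.restricted) return { ...responseHeaders };
  const visible = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    if (READABLE_CROSS_DOMAIN.has(name.toLowerCase())) visible[name] = value;
  }
  return visible;
}

// Constructed sample: a page on example.org fetching from example.net.
function demo() {
  const page = "http://example.org/app.html";
  const decision = checkRequest(page, { method: "GET", url: "http://example.net/feed" });
  const response = { "Content-Type": "text/xml", "Set-Cookie": "sid=constructed" };
  return { decision, visible: visibleResponseHeaders(decision, response) };
}
```
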