Re: Extension methods & XMLHttpRequest

From: Mark Nottingham <mnot@mnot.net>
Date: Sun, 11 Jun 2006 09:29:55 -0700
Message-Id: <293038D7-2606-4A97-A028-8474C9ACB66A@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
To: Jamie Lokier <jamie@shareable.org>


On 2006/06/11, at 5:27 AM, Jamie Lokier wrote:

>> The problem is that new methods (similar to TRACE and CONNECT) could be
>> introduced which would require immediate patching to browsers.
>
> Are you sure it's possible to introduce new methods that have similar
> problems to TRACE and CONNECT?
>
> New methods must be compatible with existing deployed proxies, which
> means they have to be end-to-end, don't they?  And isn't the security
> of end-to-end requests a matter between the client and server
> applications?

Exactly. New HTTP methods have to be backwards-compatible (i.e.,  
proxies have to be able to just pass them through like POST), unless  
you rev the *major* version number of HTTP itself (see RFC2145).

Lisa posed the most relevant question, IMO; if some uses of POST (and  
GET for that matter) are good and some are bad, and likewise some  
uses of CONNECT and TRACE are good, and some are bad, is it  
consistent or even a good idea to try to regulate them at such a  
coarse level (in an API standard)?

Also, AFAICT, all of the purported security problems (which are  
*still* hazy) occur with cross-domain XHR, when the spec at hand only  
specifies single-domain XHR.


--
Mark Nottingham     http://www.mnot.net/
Received on Sunday, 11 June 2006 16:29:53 GMT
