
Re: Extension methods & XMLHttpRequest

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Mon, 12 Jun 2006 11:12:30 +0200
Message-Id: <E6B4954B-1FF8-4452-B9DE-10BDC1A19A84@greenbytes.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
To: Julian Reschke <julian.reschke@gmx.de>

On 12.06.2006 at 10:47, Julian Reschke wrote:

> Stefan Eissing wrote:
>> ...
>> What I mean is that XHR would have the following behavior:
>> - Implement a "whitelist" of methods and uses which are known to be "safe"
>> - For all methods outside of this, let XHR ask the server if it is ok. For example, let XHR send an OPTIONS request and look for an XHR-Allow header, listing the methods allowed to XHR. (Or whatever; the key is that the server is in control.)
>> Seems to me that this approach puts server application developers in the driver's seat and lets browser developers stay safe by default, no matter what future HTTP will bring.
> Can you give an example where a server that implements method X would return it in the "Allow" header, but not in the "XHR-Allow" header?

Sure. A server allowing POST for ordering you a book, but not allowing it from XHR requests from pages coming from a different site.

The last part is the key, of course. I am assuming that methods against the originating server of a page are always allowed and that we are talking about securing requests to other servers and the methods used in them. Please correct me if I got this wrong.

Received on Monday, 12 June 2006 09:12:37 UTC
