
Re: Extension methods & XMLHttpRequest

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Mon, 12 Jun 2006 12:12:26 +0200
Message-Id: <18125A64-3231-4076-8D4B-20061652A8FE@greenbytes.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
To: "Anne van Kesteren" <annevk@opera.com>


On 12.06.2006 at 11:42, Anne van Kesteren wrote:

>
> On Mon, 12 Jun 2006 11:12:30 +0200, Stefan Eissing  
> <stefan.eissing@greenbytes.de> wrote:
>> The last part is the key, of course. I am assuming that methods  
>> against the originating server of a page are always allowed and  
>> that we are talking about securing requests to other servers and  
>> methods used in them. Please correct me, if I got this wrong.
>
> You got this wrong. The discussion here is about (the first version  
> of) XMLHttpRequest which will only allow same-origin requests.

Thanks for the correction. Well, in that case I agree with Roy's
comment that instead of restricting methods it is superior to
restrict the (manipulation of) information sent to the server. So,
basically a whitelist of settable/sent headers with some name prefix  
("x-"?) left open for individual applications/experimentation.

//Stefan
Received on Monday, 12 June 2006 10:12:39 GMT
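
The header whitelist proposed in the message above, sketched as an added example that is not part of the original post or of any XMLHttpRequest implementation. The allowlist entries, the function names and the extra name/value syntax checks are assumptions made for illustration; only the whitelist idea and the open "x-" prefix come from the message.

```javascript
// Added illustration; the allowlist entries below are assumptions, not from the thread.
const ALLOWED_HEADERS = new Set([
  "accept", "accept-language", "content-type", "if-match",
  "if-none-match", "if-modified-since", "if-unmodified-since",
]);
const OPEN_PREFIX = "x-"; // prefix left open for applications/experiments

// HTTP header field names consist of "token" characters only (RFC 7230, 3.2.6).
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Decide whether a script may set one header. Returns {ok, reason}.
function checkHeader(name, value) {
  if (typeof name !== "string" || !TOKEN_RE.test(name)) {
    return { ok: false, reason: "invalid header name" };
  }
  // CR, LF or NUL in a value could carry extra header lines past the list.
  if (/[\r\n\0]/.test(String(value))) {
    return { ok: false, reason: "control character in value" };
  }
  const lower = name.toLowerCase(); // header names are case-insensitive
  if (ALLOWED_HEADERS.has(lower)) return { ok: true, reason: "allowlisted" };
  if (lower.startsWith(OPEN_PREFIX) && lower.length > OPEN_PREFIX.length) {
    return { ok: true, reason: "open prefix" };
  }
  return { ok: false, reason: "not on allowlist" };
}

// Split a script-supplied header map into headers to send and headers refused.
function filterRequestHeaders(requested) {
  const sent = {};
  const refused = [];
  for (const [name, value] of Object.entries(requested)) {
    const verdict = checkHeader(name, value);
    if (verdict.ok) sent[name] = String(value);
    else refused.push({ name, reason: verdict.reason });
  }
  return { sent, refused };
}

// Constructed sample input: two acceptable headers, two that must be refused.
const sample = filterRequestHeaders({
  "Content-Type": "application/xml",
  "X-Experiment": "1",
  "Host": "other.example",
  "X-Note": "a\r\nCookie: b",
});
console.log(sample);
```
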
