- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 07 Aug 2007 23:45:32 +0200
- To: Eric Lawrence <ericlaw@exchange.microsoft.com>
- CC: Henrik Nordstrom <henrik@henriknordstrom.net>, HTTP Working Group <ietf-http-wg@w3.org>
Eric Lawrence wrote: > I very much support and look forward to creation of a registry for HTTP methods. > > As for the notion that Microsoft allow-lists HTTP methods and "forgot" some, I assume you're referring to the list of supported methods for XMLHTTPRequest? If that's the case, it's important to note that not all methods should be considered safe for ~script~ to use. Hence, for security reasons, there's a restriction as to what methods may be used by XMLHTTPRequest. > > If there's a specific method currently not permitted by XMLHTTPRequest which you believe should be, please let me know. > > Thanks, Hi Eric, see thread at <http://lists.w3.org/Archives/Public/public-webapi/2007Feb/thread.html#msg109>. In general, I think all methods should be allowed unless proven to be a security problem. If you really insist on a white list, please allow minimally the methods defined in: RFC3253, RFC3648, RFC3744, RFC4437, RFC4791, RFC4918, <http://greenbytes.de/tech/webdav/draft-reschke-webdav-search-latest.html>, <http://greenbytes.de/tech/webdav/draft-ietf-webdav-bind-latest.html> and <http://greenbytes.de/tech/webdav/draft-dusseault-http-patch-08.html>. Best regards, Julian
Received on Tuesday, 7 August 2007 21:45:58 UTC