
Re: New issue: Need for an HTTP request method registry

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 07 Aug 2007 23:45:32 +0200
Message-ID: <46B8E7FC.8070102@gmx.de>
To: Eric Lawrence <ericlaw@exchange.microsoft.com>
CC: Henrik Nordstrom <henrik@henriknordstrom.net>, HTTP Working Group <ietf-http-wg@w3.org>

Eric Lawrence wrote:
> I very much support and look forward to creation of a registry for HTTP methods.
> 
> As for the notion that Microsoft allow-lists HTTP methods and "forgot" some, I assume you're referring to the list of supported methods for XMLHTTPRequest?  If that's the case, it's important to note that not all methods should be considered safe for ~script~ to use.  Hence, for security reasons, there's a restriction as to what methods may be used by XMLHTTPRequest.
> 
> If there's a specific method currently not permitted by XMLHTTPRequest which you believe should be, please let me know.
> 
> Thanks,

Hi Eric,

See thread at 
<http://lists.w3.org/Archives/Public/public-webapi/2007Feb/thread.html#msg109>.

In general, I think all methods should be allowed unless proven to be a 
security problem.

If you really insist on a white list, please allow minimally the methods 
defined in:

RFC3253, RFC3648, RFC3744, RFC4437, RFC4791, RFC4918, 
<http://greenbytes.de/tech/webdav/draft-reschke-webdav-search-latest.html>, 
<http://greenbytes.de/tech/webdav/draft-ietf-webdav-bind-latest.html> 
and <http://greenbytes.de/tech/webdav/draft-dusseault-http-patch-08.html>.

Best regards, Julian
Received on Tuesday, 7 August 2007 21:45:58 GMT
