W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2007

Re: New issue: Need for an HTTP request method registry

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 07 Aug 2007 23:45:32 +0200
Message-ID: <46B8E7FC.8070102@gmx.de>
To: Eric Lawrence <ericlaw@exchange.microsoft.com>
CC: Henrik Nordstrom <henrik@henriknordstrom.net>, HTTP Working Group <ietf-http-wg@w3.org>

Eric Lawrence wrote:
> I very much support and look forward to creation of a registry for HTTP methods.
> As for the notion that Microsoft allow-lists HTTP methods and "forgot" some, I assume you're referring to the list of supported methods for XMLHTTPRequest?  If that's the case, it's important to note that not all methods should be considered safe for ~script~ to use.  Hence, for security reasons, there's a restriction as to what methods may be used by XMLHTTPRequest.
> If there's a specific method currently not permitted by XMLHTTPRequest which you believe should be, please let me know.
> Thanks,

Hi Eric,

see thread at 

In general, I think all methods should be allowed unless proven to be a 
security problem.

If you really insist on a white list, please allow minimally the methods 
defined in:

RFC3253, RFC3648, RFC3744, RFC4437, RFC4791, RFC4918, 
and <http://greenbytes.de/tech/webdav/draft-dusseault-http-patch-08.html>.

Best regards, Julian
Received on Tuesday, 7 August 2007 21:45:58 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 1 October 2015 05:36:24 UTC