W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2007

Re: New issue: Need for an HTTP request method registry

From: Jamie Lokier <jamie@shareable.org>
Date: Thu, 9 Aug 2007 14:25:16 +0100
To: Adrien de Croy <adrien@qbik.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20070809132516.GF25240@mail.shareable.org>

Adrien de Croy wrote:
> >In general, I think all methods should be allowed unless proven to be 
> >a security problem.
> >
> I think there's a compelling argument to be made for denying all methods
> unless proven (or at least strongly believed) to be safe.
> 
> Waiting for something to be proven unsafe isn't safe.  If I were MS, I
> would definitely adopt the more cautious approach.

And yet, I imagine all products allow POST, and with POST you can do
anything at all over HTTP, if the client and server wish.

Indeed, there are a few implementations which do tunnel arbitrary
protocols over POST, to get around restrictions.  I can imagine myself
coding a client which, when it detects that NEWMETHOD (or whatever)
isn't working, it falls back to tunnelling the equivalent over POST,
provided the server will understand it.  (Much like the cascade of
methods we currently try in sequence to make certain web apps work
everywhere.)

Why is that allowed?  It's not meant to be a provocative question, but
hoping for some thought as to why POST to a server is ok, but some
arbitrary new method is not.

-- Jamie
Received on Thursday, 9 August 2007 13:25:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:15 GMT