- From: Jamie Lokier <jamie@shareable.org>
- Date: Thu, 9 Aug 2007 14:25:16 +0100
- To: Adrien de Croy <adrien@qbik.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Adrien de Croy wrote:

> > In general, I think all methods should be allowed unless proven to be a security problem.
>
> I think there's a compelling argument to be made for denying all methods unless proven (or at least strongly believed) to be safe.
>
> Waiting for something to be proven unsafe isn't safe. If I were MS, I would definitely adopt the more cautious approach.

And yet, I imagine all products allow POST, and with POST you can do anything at all over HTTP, if the client and server wish.

Indeed, there are a few implementations which do tunnel arbitrary protocols over POST, to get around restrictions.

I can imagine myself coding a client which, when it detects that NEWMETHOD (or whatever) isn't working, falls back to tunnelling the equivalent over POST, provided the server will understand it. (Much like the cascade of methods we currently try in sequence to make certain web apps work everywhere.)

Why is that allowed? It's not meant to be a provocative question, but hoping for some thought as to why POST to a server is ok, but some arbitrary new method is not.

-- Jamie
Received on Thursday, 9 August 2007 13:25:30 UTC
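To make the allowlist-versus-denylist trade-off discussed above concrete, here is an added example (not part of the thread, nor of any product mentioned in it) of how a proxy's method filter might evaluate a request line under each policy. The policy contents, the `NEWMETHOD` sample and the function names are constructed for illustration; the token grammar for the method follows RFC 7230's `token` rule, and methods are compared case-sensitively as HTTP requires. Running it shows the point Jamie raises: an allowlist blocks an unknown method while a denylist lets it through, but `POST` is forwarded under both, so the method filter alone says nothing about what a `POST` body carries.

```python
"""
Added example: HTTP method policy evaluation for a forwarding proxy.
Two modes are compared:
  - "allowlist": deny unless the method is believed safe
  - "denylist":  allow unless the method is known to be a problem
Everything here (policy sets, sample requests) is constructed for illustration.
"""
import re
from typing import Dict, Set, Tuple

# RFC 7230 'tchar' characters: an HTTP method is a token, matched case-sensitively.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_request_line(line: str) -> Tuple[str, str, str]:
    """Split 'METHOD SP request-target SP HTTP-version' and validate the pieces."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {line!r}")
    method, target, version = parts
    if not _TOKEN_RE.match(method):
        raise ValueError(f"method is not a valid token: {method!r}")
    if not version.startswith("HTTP/"):
        raise ValueError(f"bad HTTP version: {version!r}")
    return method, target, version


# Constructed sample policies (hypothetical, not any product's defaults).
ALLOWLIST: Set[str] = {"GET", "HEAD", "POST", "OPTIONS"}
DENYLIST: Set[str] = {"TRACE", "CONNECT"}


def decide(method: str, mode: str) -> bool:
    """Return True if the proxy should forward a request using this method."""
    if mode == "allowlist":
        return method in ALLOWLIST
    if mode == "denylist":
        return method not in DENYLIST
    raise ValueError(f"unknown policy mode: {mode!r}")


def decide_line(line: str, mode: str) -> bool:
    """Parse a raw request line and apply the given policy mode to its method."""
    method, _target, _version = parse_request_line(line)
    return decide(method, mode)


def compare(line: str) -> Dict[str, bool]:
    """Evaluate one request line under both policies side by side."""
    return {mode: decide_line(line, mode) for mode in ("allowlist", "denylist")}


if __name__ == "__main__":
    # Constructed sample request lines.
    for sample in ("GET / HTTP/1.1", "POST /upload HTTP/1.1",
                   "NEWMETHOD /resource HTTP/1.1", "TRACE / HTTP/1.1"):
        print(f"{sample:32s} -> {compare(sample)}")
```

The `compare` output is the crux of the argument: `NEWMETHOD` is forwarded only under the denylist, while `POST` is forwarded under both, which is why a cautious method policy still has to be paired with inspection of what `POST` requests actually carry.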