- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 20 Feb 2008 16:34:16 +0100
- To: "Mark Baker" <distobj@acm.org>
- Cc: "mike amundsen" <mamund@yahoo.com>, "John Panzer" <jpanzer@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org
On Wed, 20 Feb 2008 15:15:39 +0100, Mark Baker <distobj@acm.org> wrote:
> Your premise seems to be that in the future, the community might rally
> around and widely deploy, brain-dead extensions which attempt to
> violate the fundamental semantics of HTTP, in this case the safety of
> GET messages. IMO, that's not a realistic concern.

I'm not talking about communities, or brain-dead extensions. I'm talking
about the theoretical possibility that this might already be deployed on
some servers around the world (or something of equivalent nature) and that
therefore allowing such cross-domain GET requests with custom headers
introduces a new attack vector. And introducing a new attack vector is
something we should avoid, regardless of whether being vulnerable to that
attack vector relies on violating the fundamental semantics of HTTP.

(Amazon already has a service that works entirely on HTTP GET:

  http://docs.amazonwebservices.com/AmazonSimpleDB/2007-11-07/DeveloperGuide/MakingRESTRequests.html

Now you don't need custom headers there, but it's not too much of a
stretch to assume that someone else has a service deployed that does.)


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 20 February 2008 15:30:13 UTC
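The design point being argued in the reply above, as an added example that is not part of the original thread: a small JavaScript model of the cross-origin request path with and without a preflight gate on non-safelisted headers. The safelist encoded here follows the rule the later CORS/Fetch specification settled on (assumption: the 2008 Access-Control draft under discussion may have differed), and the server that acts on a GET carrying an `X-Action` header is a constructed, hypothetical service, not any real deployment.

```javascript
// Added example, not code from the thread or from any W3C draft.
// Models why a cross-origin GET with a custom header must not be sent
// without the target server opting in. Pure functions, no network.

// Safelist per the later Fetch/CORS spec (assumption for this example).
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Lower-case header names so lookups are case-insensitive, as in HTTP.
function lowerHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// True when the request falls outside the "simple request" rules and a
// browser must ask the server (OPTIONS preflight) before sending it.
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(lowerHeaders(headers))) {
    if (!SAFELISTED_HEADERS.has(name)) return true;
    if (name === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Hypothetical, badly designed service (constructed for illustration):
// it performs a state change on GET whenever X-Action: delete is present,
// exactly the kind of deployment the reply worries might already exist.
// It has no cross-origin policy, so its preflight allows no custom headers.
function makeServer() {
  const state = { deleted: 0 };
  return {
    state,
    handle(req) {
      const h = lowerHeaders(req.headers);
      if (req.method === 'GET' && h['x-action'] === 'delete') {
        state.deleted += 1;
        return { status: 200, body: 'deleted' };
      }
      return { status: 200, body: 'ok' };
    },
    preflight() {
      return { status: 200, allowHeaders: [] }; // no Access-Control-Allow-Headers
    },
  };
}

// Browser-side model of a cross-origin request. With the gate enabled,
// non-safelisted headers are only sent if the preflight response names them.
function crossOriginRequest(server, req, { preflightGate }) {
  if (preflightGate && needsPreflight(req.method, req.headers)) {
    const pf = server.preflight({ method: 'OPTIONS', requestedHeaders: Object.keys(req.headers) });
    const allowed = new Set(pf.allowHeaders.map((h) => h.toLowerCase()));
    const custom = Object.keys(lowerHeaders(req.headers)).filter((h) => !SAFELISTED_HEADERS.has(h));
    if (!custom.every((h) => allowed.has(h))) {
      return { sent: false, reason: 'preflight did not allow custom headers' };
    }
  }
  return { sent: true, response: server.handle(req) };
}

// Same attacker request against two fresh servers: one reachable without a
// preflight gate, one behind it. Only the ungated path causes the side effect.
function demo() {
  const attack = { method: 'GET', headers: { 'X-Action': 'delete' } };
  const ungated = makeServer();
  const rUngated = crossOriginRequest(ungated, attack, { preflightGate: false });
  const gated = makeServer();
  const rGated = crossOriginRequest(gated, attack, { preflightGate: true });
  return {
    deletedWithoutGate: ungated.state.deleted,
    deletedWithGate: gated.state.deleted,
    rUngated,
    rGated,
  };
}

console.log(demo());
```

The point the model makes concrete: a plain cross-origin GET with no custom headers is something any page could already trigger (an `<img>` or a form submission does it), so allowing it adds nothing new; a GET carrying a header like `X-Action` is not otherwise sendable from a page, and letting it through without the server's opt-in is what creates the new attack vector the reply describes.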