Blindly standardising what one vendor does doesn't make sense; do you know *why* they consider it a security feature? The reputed security problems with various HTTP methods have been brought up many times, but I have yet to see an explanation of how they actually cause a security issue greater than supporting POST does.

Cheers,

On 2006/06/07, at 2:38 PM, Hallvord R. M. Steen wrote:

> On Wed, 31 May 2006 18:59:54 +0200, Julian Reschke
> <julian.reschke@gmx.de> wrote:
>
>> first of all, I checked current implementations, using the verbs
>> GET (RFC2616), PROPFIND (RFC2518), REPORT (RFC3253) and FOOBAR
>> (undefined).
>> Group A:
>>
>> IE6 (MSXML): pass (all methods sent as-is)
>> Firefox 1.5: pass
>> Firefox 2.0 alpha (Bon Echo): pass
>>
>> Group B:
>>
>> IE7 beta2: passed PROPFIND, but rejects REPORT and FOOBAR with a
>> runtime exception
>
> I have been told that this change in IE7 is very much deliberate
> and considered a security feature. We should standardise this.
>
> --
> Hallvord R. M. Steen
> Core QA JavaScript tester, Opera Software
> http://www.opera.com/
> Opera - simply the best Internet experience
>
>

--
Mark Nottingham
mnot@yahoo-inc.com

Received on Wednesday, 7 June 2006 21:46:47 GMT