
Re: Extension HTTP methods

From: Mark Nottingham <mnot@yahoo-inc.com>
Date: Wed, 7 Jun 2006 14:46:09 -0700
Message-Id: <28BA05E9-D20F-435A-9871-1702F279943C@yahoo-inc.com>
Cc: "Julian Reschke" <julian.reschke@gmx.de>, "Mark Baker" <distobj@acm.org>, "Anne van Kesteren" <annevk@opera.com>, "Pete Kirkham" <mach.elf@gmail.com>, "Web APIs WG (public)" <public-webapi@w3.org>
To: "Hallvord R. M. Steen" <hallvord@opera.com>

Blindly standardising what one vendor does doesn't make sense; do you  
know *why* they consider it a security feature?

The reputed security problems with various HTTP methods have been  
brought up many times, but I have yet to see an explanation of how  
they actually cause a security issue greater than supporting POST does.

Cheers,


On 2006/06/07, at 2:38 PM, Hallvord R. M. Steen wrote:

> On Wed, 31 May 2006 18:59:54 +0200, Julian Reschke  
> <julian.reschke@gmx.de> wrote:
>
>> first of all, I checked current implementations, using the verbs  
>> GET (RFC2616), PROPFIND (RFC2518), REPORT (RFC3253) and FOOBAR  
>> (undefined).
>> Group A:
>>
>> IE6 (MSXML): pass (all methods sent as-is)
>> Firefox 1.5: pass
>> Firefox 2.0 alpha (Bon Echo): pass
>>
>> Group B:
>>
>> IE7 beta2: passed PROPFIND, but rejects REPORT and FOOBAR with a  
>> runtime exception
>
> I have been told that this change in IE7 is very much deliberate  
> and considered a security feature. We should standardise this.
>
> -- 
> Hallvord R. M. Steen
> Core QA JavaScript tester, Opera Software
> http://www.opera.com/
> Opera - simply the best Internet experience
>
>

--
Mark Nottingham
mnot@yahoo-inc.com
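The implementation survey Julian describes above (which verbs a client sends as-is and which it refuses at open()/send()) can be turned into a small repeatable harness. The following is an added example, not code from the thread or from any of the browsers discussed; the transport function, the `url` parameter and the `ie7LikeTransport` stand-in (constructed to mirror the IE7 beta2 behaviour reported in the thread) are assumptions for illustration. It also adds one check a client should make regardless of whether a method name is known: that the name is a valid RFC 2616 token, so that the only thing rejected on syntactic grounds is a malformed name, not merely an unfamiliar one.

```javascript
// Added example (not from the mailing-list thread): a harness that
// reproduces the "which methods does this client send as-is" survey.
// A transport function is injected so the same logic runs in a browser
// (XMLHttpRequest) and offline in Node with a constructed fake transport.

// RFC 2616 token grammar: 1*<any CHAR except CTLs or separators>.
const SEPARATORS = new Set('()<>@,;:\\"/[]?={} \t'.split(''));

function isValidToken(method) {
  if (typeof method !== 'string' || method.length === 0) return false;
  for (const ch of method) {
    const code = ch.charCodeAt(0);
    // CTLs (0x00-0x1F, 0x7F) and anything outside US-ASCII are not CHARs allowed in a token
    if (code < 0x20 || code >= 0x7f) return false;
    if (SEPARATORS.has(ch)) return false;
  }
  return true;
}

// transport(method) must either return normally (the request was issued with
// that method) or throw (the client refused the method at open()/send()).
function probeMethods(transport, methods) {
  const results = {};
  for (const method of methods) {
    if (!isValidToken(method)) {
      // Malformed name: never hand it to the client at all.
      results[method] = 'invalid-token';
      continue;
    }
    try {
      transport(method);
      results[method] = 'sent';
    } catch (e) {
      results[method] = 'rejected';
    }
  }
  return results;
}

// Julian's grouping: A = every method sent as-is, B = at least one refused.
function classifyGroup(results) {
  return Object.values(results).every((r) => r === 'sent') ? 'A' : 'B';
}

// Browser transport (assumed usage): synchronous XHR to a same-origin URL.
// An exception thrown by open() or send() means the client rejected the method.
function xhrTransport(url) {
  return function (method) {
    const xhr = new XMLHttpRequest();
    xhr.open(method, url, false);
    xhr.send(null);
  };
}

// Constructed stand-in modelling the IE7 beta2 behaviour reported in the
// thread: GET and PROPFIND pass, REPORT and FOOBAR raise a runtime exception.
function ie7LikeTransport(method) {
  const allowed = new Set(['GET', 'PROPFIND']);
  if (!allowed.has(method)) throw new Error('runtime exception: ' + method);
}

// The same four verbs Julian used: defined (GET, PROPFIND, REPORT) and undefined (FOOBAR).
const METHODS = ['GET', 'PROPFIND', 'REPORT', 'FOOBAR'];

// In a browser: probeMethods(xhrTransport('/probe'), METHODS)
// Offline, against the constructed stand-in:
const ie7Results = probeMethods(ie7LikeTransport, METHODS);
console.log(ie7Results, 'group', classifyGroup(ie7Results));
```

Run in a browser with `probeMethods(xhrTransport('/probe'), METHODS)` against a same-origin endpoint that simply logs the request line; the endpoint's log shows whether a method that was not rejected actually went out unchanged. The token check is the one piece of client-side method validation that is independent of any allow-list: it answers "is this a syntactically legal name" rather than "is this a name I recognise", which is the distinction the question in this reply turns on.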
Received on Wednesday, 7 June 2006 21:46:47 GMT
