W3C home > Mailing lists > Public > public-webapi@w3.org > June 2006

Re: Extension HTTP methods

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 7 Jun 2006 23:41:39 +0000 (UTC)
To: Mark Nottingham <mnot@yahoo-inc.com>
Cc: "Web APIs WG (public)" <public-webapi@w3.org>
Message-ID: <Pine.LNX.4.62.0606072340110.10674@dhalsim.dreamhost.com>

On Wed, 7 Jun 2006, Mark Nottingham wrote:
> 
> Blindly standardising what one vendor does doesn't make sense; do you 
> know *why* they consider it a security feature?
>
> The reputed security problems with various HTTP methods have been 
> brought up many times, but I have yet to see an explanation of how they 
> actually cause a security issue greater than supporting POST does.

Beyond curiosity, does it matter why? There's no point us publishing a 
spec that contradicts Microsoft's implementation if Microsoft's 
implementation is not going to change (which it isn't, if the reason for 
it being the way it is is Security).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 7 June 2006 23:41:46 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:55 GMT