Re: Extension HTTP methods

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 8 Jun 2006 23:07:30 +0000 (UTC)
To: Charles McCathieNevile <chaals@opera.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, Mark Nottingham <mnot@yahoo-inc.com>, "Web APIs WG (public)" <public-webapi@w3.org>
Message-ID: <Pine.LNX.4.62.0606082303090.10282@dhalsim.dreamhost.com>

On Thu, 8 Jun 2006, Charles McCathieNevile wrote:
> > 
> > Please be more specific. POST today allows *anything*.
> 
> Well, POST allows you to send anything. DELETE and PUT actually have 
> semantics that make them much more dangerous (and much more useful, if 
> you're building very simple publishing systems).

Just to be clear: from a security standpoint, none of those are a problem. 
They all just affect the target host. There are FAR more dangerous 
methods, for example CONNECT. The risk is not that the first-party server 
might be attacked, since the first-party server is the only server we 
_don't_ care about attacking. The risks are for things _other_ than the 
first-party server. For example, a proxy server.

One example of a risk would be a proxy server between the user and the 
third-party host having a bug with long method names. Or having a bug with 
certain non-standard method names.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
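The defender-side counterpart of the concern raised in this message, as an added example that is not part of the thread: a policy check a web client or gateway can apply to an extension method before it is ever written to the wire, so that over-long or non-token names never reach an intermediary and methods whose effect falls on the proxy or connection (CONNECT, and the diagnostic TRACE/TRACK) are refused. The token grammar is RFC 7230's; the length cap and the forbidden list are assumed local policy values, not figures from the thread.

```javascript
// Added example (not from the thread): validate an extension HTTP method
// before handing it to the network layer.
// Assumptions: RFC 7230 "token" grammar for method names; MAX_METHOD_LENGTH
// and FORBIDDEN are local policy choices for this illustration.

const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;   // RFC 7230 tchar, one or more
const MAX_METHOD_LENGTH = 32;                     // policy: ample for any real method
// Methods aimed at the intermediary or the connection rather than the origin.
const FORBIDDEN = new Set(["CONNECT", "TRACE", "TRACK"]);
// Well-known methods are commonly accepted case-insensitively; fold them to upper case.
const WELL_KNOWN = new Set(["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"]);

function validateMethod(method) {
  if (typeof method !== "string" || method.length === 0) {
    return { ok: false, reason: "empty method" };
  }
  if (method.length > MAX_METHOD_LENGTH) {
    // Long names are exactly the case a buggy proxy may mishandle; cap them early.
    return { ok: false, reason: "method name too long" };
  }
  if (!TOKEN.test(method)) {
    // Rejects spaces, CR/LF and other separators that could let a lenient
    // parser read the method as part of the request target or a header.
    return { ok: false, reason: "method is not an RFC 7230 token" };
  }
  const upper = method.toUpperCase();
  if (FORBIDDEN.has(upper)) {
    return { ok: false, reason: "method " + upper + " is not permitted" };
  }
  // Extension methods are case-sensitive on the wire; only well-known ones are folded.
  return { ok: true, method: WELL_KNOWN.has(upper) ? upper : method };
}
```

Any request whose method fails this check should be logged with the rejection reason; a burst of rejected long or non-token names is a useful signal that something on the page is probing intermediaries rather than the origin.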
Received on Thursday, 8 June 2006 23:10:26 GMT