
Re: Extension HTTP methods

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 09 Jun 2006 09:43:05 +0200
Message-ID: <44892689.1000509@gmx.de>
To: Ian Hickson <ian@hixie.ch>
CC: Charles McCathieNevile <chaals@opera.com>, Mark Nottingham <mnot@yahoo-inc.com>, "Web APIs WG (public)" <public-webapi@w3.org>

Ian Hickson wrote:
> On Thu, 8 Jun 2006, Charles McCathieNevile wrote:
>>> Please be more specific. POST today allows *anything*.
>> Well, POST allows you to send anything. DELETE and PUT actually have 
>> semantics that make them much more dangerous (and much more useful, if 
>> you're building very simple publishing systems).
> 
> Just to be clear: from a security standpoint, none of those are a problem. 
> They all just affect the target host. There are FAR more dangerous 
> methods, for example CONNECT. The risk is not that the first-party server 
> might be attacked, since the first-party server is the only server we 
> _don't_ care about attacking. The risks are for things _other_ than the 
> first-party server. For example, a proxy server.
> ...

Speaking of which, if this is a security problem: why hasn't it been 
fixed in Firefox 1.5 and/or IE 6SP2? Both seem to happily send CONNECT 
requests when asked for.

Best regards, Julian
Received on Friday, 9 June 2006 07:43:13 GMT
