
Re: Extension HTTP methods

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 12 Jun 2006 11:51:23 +0200
Message-ID: <448D391B.4080804@gmx.de>
To: "Hallvord R. M. Steen" <hallvord@opera.com>
CC: Mark Nottingham <mnot@yahoo-inc.com>, Mark Baker <distobj@acm.org>, Anne van Kesteren <annevk@opera.com>, Pete Kirkham <mach.elf@gmail.com>, "Web APIs WG (public)" <public-webapi@w3.org>

Hallvord R. M. Steen wrote:
> On Fri, 09 Jun 2006 13:21:00 +0200, Hallvord R. M. Steen 
> <hallvord@opera.com> wrote:
> 
>>>>> Blindly standardising what one vendor does doesn't make sense;
>>>>  We can certainly assume they have thought long and hard about a 
>>>> change that WILL break existing content.
>>>
>>> It would be really great if we could work based on facts instead of 
>>> hearsay.
>>
>> Yes, but I can't quote people verbatim on a public mailing list 
>> without their permission.
>> I will ask the MS developer and our senior HTTPS/networking dev if 
>> they can give me an explanation I can pass on, or even respond in this 
>> thread.

Thanks for finding out...

> Here is the response:
> 
> 
> The problem is that there's no way we can guarantee correct behavior for 
> new HTTP verbs whose semantics are not yet defined.  For instance, 
> should a given method be idempotent?  Are its results eligible to be 
> cached?  Etc.

If the method is unknown, you don't know. Make it configurable or choose 
a safe default (that is, response not cacheable, method not safe, method 
not idempotent).

The current IE7 implementation rejects REPORT. This method is safe as 
per a 4-year-old standards-track RFC. So I'll assume that is a bug in IE7?

> One of the security issues from allowing arbitrary verbs was reported a 
> few years ago.  The "TRACE" verb can be used to circumvent the HTTPONLY 
> cookie directive.  
> http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf.  While 
> the threat was overhyped (and can be fixed by disabling TRACE on the 
> server) the concern about permitting verbs with unknown 
> side-effects/combinatorial-effects remains.

How would an unknown method be more dangerous than POST?

Best regards, Julian
Received on Monday, 12 June 2006 09:51:41 GMT
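
The safe default suggested in the message above (unknown method: response not cacheable, method not safe, method not idempotent), with configurable extension methods and TRACE denied, sketched as an added example that is not part of the original thread. All function and table names are hypothetical, and the semantics table is simplified.

```javascript
// Added example; names are hypothetical and the semantics table is simplified.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // HTTP method "token" grammar

// Methods whose semantics this client knows. REPORT is listed as safe,
// as the message says a standards-track RFC defines it.
const KNOWN = {
  GET:     { safe: true,  idempotent: true,  cacheable: true },
  HEAD:    { safe: true,  idempotent: true,  cacheable: true },
  OPTIONS: { safe: true,  idempotent: true,  cacheable: false },
  REPORT:  { safe: true,  idempotent: true,  cacheable: false },
  PUT:     { safe: false, idempotent: true,  cacheable: false },
  DELETE:  { safe: false, idempotent: true,  cacheable: false },
  POST:    { safe: false, idempotent: false, cacheable: false },
};

// Safe default for anything else: not safe, not idempotent, not cacheable.
const UNKNOWN_DEFAULT = Object.freeze({ safe: false, idempotent: false, cacheable: false });

// Own-property lookup, so names like "constructor" never hit Object.prototype.
const own = (table, key) =>
  Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;

function resolveMethod(method, config = {}) {
  const blocked = config.blocked || ['TRACE']; // configurable deny list
  const extra = config.extra || {};            // configured extension methods
  if (typeof method !== 'string' || !TOKEN.test(method)) {
    return { allowed: false, reason: 'invalid method token' };
  }
  // Compare case-insensitively so "trace" cannot slip past the deny list.
  if (blocked.includes(method.toUpperCase())) {
    return { allowed: false, reason: 'blocked by policy' };
  }
  const semantics = own(extra, method) || own(KNOWN, method) || UNKNOWN_DEFAULT;
  return { allowed: true, known: semantics !== UNKNOWN_DEFAULT, ...semantics };
}

// Re-send after a network error only when repeating the request is harmless.
function mayRetryAutomatically(method, config) {
  const policy = resolveMethod(method, config);
  return policy.allowed && policy.idempotent === true;
}

// Store a response only for methods known to be cacheable.
function mayStoreResponse(method, config) {
  const policy = resolveMethod(method, config);
  return policy.allowed && policy.cacheable === true;
}
```

An unknown method such as the constructed name `FROB` is still sent, but it is never retried automatically and its response is never stored unless the configuration declares its semantics.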
