
Re: Extension HTTP methods

From: Jim Ley <jim@jibbering.com>
Date: Sun, 14 May 2006 12:59:34 +0100
Message-ID: <00d101c6774d$de95bc60$0302a8c0@Sniff>
To: "Web APIs WG \(public\)" <public-webapi@w3.org>

"Anne van Kesteren" <annevk@opera.com>
> Currently some browsers have a whitelist and others have a blacklist and 
> the group has resolved to go for a whitelist containing all safe methods 
> that currently exist, unless the IETF comes up with good reasons not to.

I disagree with this decision; I do not want any methods to be disallowed 
generally. If user agents choose to disable some specific ones for security 
reasons then that is fine (I'm happy for them to choose to disable POST for 
security reasons, if they have security reasons even; security reasons trump 
anything), but to hobble the object to prevent using future HTTP-based 
mechanisms is unhelpful, and not warranted.

> There are currently some methods that can't be allowed for security 
> reasons and because such methods may be introduced in the future as well 
> allowing arbitrary method names does not seem like a good idea.

I think you need to list these methods that cannot be used for security 
reasons, to explain more of the motivations for this decision. It also 
appears to be a direct reversal of the decision at the previous f2f (issue 
74). It would be good to see what had changed in between to motivate the 
change, as there was no public discussion, other than more support for 
having any verb.

Cheers,

Jim.
Received on Sunday, 14 May 2006 11:59:52 GMT
