
Re: [XHR] send doesn’t explain what to do when method is GET

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 14 Dec 2007 19:39:21 +0100
Message-ID: <4762CDD9.2090605@gmx.de>
To: Jonas Sicking <jonas@sicking.cc>
CC: Stewart Brodie <stewart.brodie@antplc.com>, public-webapi@w3.org

Jonas Sicking wrote:
> Actually, once we're supporting cross site GET requests, I think we 
> should definitely mention that the entity body of GET (and 
> probably HEAD) requests is dropped. Otherwise there is some risk that 
> there are servers out there that will do dangerous things when receiving 
> GET requests with an entity body, such as treat it as a POST.
> 
> This seems like just one more argument for explicitly stating that the 
> entity body for GET should be dropped at an XHR level.
> ...

Well, no.

If this really is a problem, then it would be reason to disallow request 
bodies for *any* method on cross-site requests.

BR, Julian
Received on Friday, 14 December 2007 18:39:36 GMT
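
The server-side risk raised in the quoted text (a handler that treats a GET carrying an entity body as a POST), set beside a guard that refuses such requests before dispatch. This is an added example, not part of the original message or of the XHR draft; the function names and sample headers are constructed, and answering with 400 is one policy choice assumed here.

```javascript
// Added example: hypothetical names, constructed sample requests.
const BODYLESS_METHODS = new Set(["GET", "HEAD"]);

// True when the headers announce an entity body (HTTP/1.1 message framing).
function announcesBody(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  if (h["transfer-encoding"] !== undefined) return true;
  const len = h["content-length"];
  if (len === undefined) return false;
  // A malformed Content-Length is treated as "has a body" so the guard fails closed.
  return !/^\d+$/.test(len) || Number(len) > 0;
}

// Risky pattern: the handler is chosen by the presence of a body, not by the method.
function naiveDispatch(method, headers) {
  return announcesBody(headers) ? "POST" : String(method).toUpperCase();
}

// Guard: dispatch strictly on the method, and refuse GET/HEAD that carry a body.
function screenRequest(method, headers) {
  const m = String(method).toUpperCase();
  if (BODYLESS_METHODS.has(m) && announcesBody(headers)) {
    return { status: 400, dispatchAs: null, reason: m + " request carries an entity body" };
  }
  return { status: 200, dispatchAs: m, reason: "ok" };
}

// Constructed sample requests (method plus headers only).
const samples = [
  ["GET", {}],
  ["GET", { "Content-Length": "27", "Content-Type": "application/x-www-form-urlencoded" }],
  ["HEAD", { "Transfer-Encoding": "chunked" }],
  ["POST", { "Content-Length": "27" }],
];

for (const [method, headers] of samples) {
  const verdict = screenRequest(method, headers);
  console.log(method, JSON.stringify(headers),
    "naive:", naiveDispatch(method, headers),
    "guarded:", verdict.status, verdict.dispatchAs);
}
```
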
