W3C home > Mailing lists > Public > public-webapi@w3.org > May 2008

RE: XHR LC comments

From: Sunava Dutta <sunavad@windows.microsoft.com>
Date: Tue, 6 May 2008 11:34:20 -0700
To: Julian Reschke <julian.reschke@gmx.de>
CC: "public-webapi@w3.org" <public-webapi@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Message-ID: <083D18C6B9B71F4CBCA7B76D97B7483102C85D91DC@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>

Ahh, I see my mail client can do that. I just need to make a few changes. Having a standardized guidance here would be very helpful -:p.


-----Original Message-----
From: Julian Reschke [mailto:julian.reschke@gmx.de]
Sent: Tuesday, May 06, 2008 12:34 AM
To: Sunava Dutta
Cc: public-webapi@w3.org; IE8 Core AJAX SWAT Team
Subject: Re: XHR LC comments

Sunava,

it would be helpful if you'd use a mail client that can properly quote
:-) In your mail your text appears as if it was indirectly quoted by
myself... I have reformatted your reply so it becomes clear again who
said what.

Sunava Dutta wrote:
>> Julian Reschke wrote:
>> c)
>> "- TRACK??? There's probably a rational for that. If there is, please
>> include it in the spec."
>
>TRACK is unsafe and should be removed. I remember reading about this awhile back. Here's something I found on the web: http://www.aqtronix.com/Advisories/AQ-2003-02.txt

That implies that Microsoft closed the vulnerability with IIS 6.0, so
I'm not entirely sure why a spec in last call in 2008 needs to speak
about it.

There are surely other old servers that have other vulnerabilities that
could be exploited using XHR, should we consider all of these?

That being said, I'm ok with *mentioning* the issue somewhere, but just
enumerating TRACK along with TRACE, as if this was a standard HTTP
method, is *highly* confusing.

 > ...

BR, Julian
Received on Tuesday, 6 May 2008 18:35:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 6 May 2008 18:35:09 GMT