
Re: PROPFIND vs "simple methods", was: [CORS] HTTP error codes in preflight response

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 22 Sep 2010 21:22:14 +0200
Message-ID: <4C9A5766.7090606@gmx.de>
To: Jonas Sicking <jonas@sicking.cc>
CC: Webapps WG <public-webapps@w3.org>

On 22.09.2010 20:25, Jonas Sicking wrote:
> ...
>> For PROPFIND (and other methods defined to be "safe"): it really doesn't
>> make sense to do a preflight OPTIONS for PROPFIND. Both are defined to be
>> safe. Both could have broken server implementations.
>
> Note that the OPTIONS request always has an empty request body. The
> PROPFIND request on the other hand can have an arbitrary body set by
> the web page author. So it is much more likely that the latter can be
> used to attack a server I would imagine.
> ...

An OPTIONS request can have an almost arbitrarily long URI.

Anyway, this isn't rational anymore. PROPFIND is well understood and it 
*is* safe. If you fear to do damage with a PROPFIND request then you 
really should think twice before doing HTTP at all.

Best regards, Julian
Received on Wednesday, 22 September 2010 19:22:54 GMT
