W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: [CORS] HTTP error codes in preflight response

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 23 Sep 2010 08:40:14 -0700
Message-ID: <AANLkTimbJvMp=P0NqrDhGCbXPWek84qm-9PJvS0SQved@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Webapps WG <public-webapps@w3.org>
On Thu, Sep 23, 2010 at 2:17 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> Also, somewhere else it was pointed out that OPTIONS differs from PROPFIND
> in that PROPFIND can have a body. So can OPTIONS (see, for instance,
> <http://greenbytes.de/tech/webdav/rfc3253.html#rfc.section.6.4>).

I was saying that the OPTIONS requests which are sent by CORS
implementations preflight requests, and thus can be sent to any
server, never have a request body. They are thus very limited in their
ability to hack a server. The fact that other specs use OPTIONS in
other ways does not change this.

/ Jonas
Received on Thursday, 23 September 2010 15:41:09 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:40 GMT