- From: Joe Gregorio <joe.gregorio@gmail.com>
- Date: Sat, 10 Jun 2006 22:48:29 -0400
- To: "Mark Baker" <distobj@acm.org>
- Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
On 6/10/06, Mark Baker <distobj@acm.org> wrote:
>
> Folks,
>
> The W3C WebAPIs WG is attempting to standardize the XMLHttpRequest
> Javascript object[1], and part of that work involves deciding how to
> handle extension HTTP methods.
>
> Some of the WG is interested in establishing a "whitelist" of methods
> deemed safe at the time of publication of our spec, with the intent
> that all other methods would be disallowed.

The 'white list' approach is similar to the approach taken by HTML forms, which allows only GET and POST and which has been disastrous, impeding progress on full usage of HTTP and hobbling other specs that came later that tried to use methods beyond GET and POST, such as WebDAV. Please don't use a white-list.

> Others would prefer a
> "blacklist", whereby we specify that methods known to be a security
> problem (in the context of the use of XHR, e.g. CONNECT) not be used,
> but that unknown methods be allowed.

That would be a much better approach, and easier to explain, since it matches the 'blacklist' approach taken by the XMLHttpRequest specification with respect to HTTP headers.

-joe

--
Joe Gregorio
http://bitworking.org
Received on Sunday, 11 June 2006 02:48:38 UTC
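The two policies debated in this message, written out as method filters an XHR implementation might apply before opening a request. This is an added illustration, not code from the thread, the WebAPIs WG or any browser: the contents of both lists are assumed for the example (CONNECT is the only method the thread names; TRACE and TRACK are added as further assumed entries), and the token check and case-insensitive comparison are design choices of this example, added so that a lower-case spelling or a method string carrying CR/LF cannot slip past either filter.

```javascript
// Added example, not from the mailing-list thread. Method lists are
// assumptions for illustration; only CONNECT comes from the discussion.

// "Whitelist": only methods known when the spec was written may pass.
// Anything later (e.g. WebDAV's PROPFIND, LOCK) is refused.
const WHITELIST = new Set(["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"]);

// "Blacklist": methods known to be a problem through XHR are refused;
// every other well-formed method, including unknown extensions, is allowed.
// TRACE and TRACK are assumed entries added here for illustration.
const BLACKLIST = new Set(["CONNECT", "TRACE", "TRACK"]);

// An HTTP method is a token: printable ASCII minus separators (RFC 2616).
// Rejecting anything else means a method string cannot smuggle CR/LF or
// spaces into the request line, whichever list policy is in force.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isToken(method) {
  return typeof method === "string" && TOKEN.test(method);
}

// Compare case-insensitively so "connect" is treated the same as "CONNECT".
function whitelistAllows(method) {
  return isToken(method) && WHITELIST.has(method.toUpperCase());
}

function blacklistAllows(method) {
  return isToken(method) && !BLACKLIST.has(method.toUpperCase());
}

// Run both policies over a list of candidate methods and report the verdicts.
function compare(methods) {
  return methods.map((m) => ({
    method: m,
    whitelist: whitelistAllows(m),
    blacklist: blacklistAllows(m),
  }));
}

// Constructed sample input: standard methods, WebDAV extension methods,
// a forbidden method in lower case, a later extension, and malformed input.
const SAMPLE = ["GET", "POST", "PROPFIND", "LOCK", "connect", "PATCH", "GET\r\nHost: evil"];

console.table(compare(SAMPLE));
```

The table makes the thread's point concrete: under the whitelist PROPFIND, LOCK and PATCH are all refused, while the blacklist lets them through and still refuses "connect" and the CR/LF-laden string.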