- From: Jamie Lokier <jamie@shareable.org>
- Date: Sun, 11 Jun 2006 05:06:06 +0100
- To: Lisa Dusseault <lisa@osafoundation.org>
- Cc: Mark Baker <distobj@acm.org>, HTTP Working Group <ietf-http-wg@w3.org>

Jamie Lokier wrote:
> Therefore to prevent subversion of HTTP message boundaries,
> XMLHttpRequest should prevent:
>
> - The CONNECT method
> - Setting the Upgrade header
>
> I don't see any reason to disallow any other request methods.

Come to think of it, what about TRACE?

Google for TRACE and XMLHTTP. The top results reveal some cross-site scripting vulnerabilities whereby a script can deduce cookie values that it shouldn't by using TRACE with Microsoft's equivalent to XMLHttpRequest.

However Googling for TRACE and XMLHttpRequest, the top results reveal that TRACE is usefully used.

-- Jamie

Received on Sunday, 11 June 2006 04:21:36 UTC
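
The restriction discussed in this message, as an added example that is not part of the original post or of any browser's code: a request guard for a script-facing HTTP API, next to a model of the TRACE echo that shows why a cookie attached by the browser ends up in a body the script can read. The function names, the host `app.example` and the cookie value are constructed, and treating TRACE as blocked is this example's assumption, since the message only raises the question.

```javascript
// Added illustration: names and sample values are constructed for this example.

// CONNECT and Upgrade come from the quoted proposal; TRACE is the open
// question raised in the reply and is blocked here as an assumption.
const BLOCKED_METHODS = new Set(["CONNECT", "TRACE"]);
const BLOCKED_HEADERS = new Set(["upgrade"]);

// Decide whether a script-initiated request may be sent.
// The method is upper-cased before comparison so "trace" cannot slip past;
// header names are compared case-insensitively, as HTTP defines them.
function checkScriptRequest(method, headers) {
  const m = String(method).trim().toUpperCase();
  if (BLOCKED_METHODS.has(m)) {
    return { allowed: false, reason: `method ${m} refused` };
  }
  for (const name of Object.keys(headers)) {
    if (BLOCKED_HEADERS.has(name.trim().toLowerCase())) {
      return { allowed: false, reason: `header ${name.trim()} refused` };
    }
  }
  return { allowed: true, reason: "ok" };
}

// Model of an RFC 2616 TRACE response body: the request as received,
// echoed back as message/http, including headers the browser added itself.
function traceEcho(method, path, headersOnWire) {
  const lines = [`${method} ${path} HTTP/1.1`];
  for (const [k, v] of Object.entries(headersOnWire)) lines.push(`${k}: ${v}`);
  return lines.join("\r\n") + "\r\n\r\n";
}

// Constructed scenario: the script sets no headers, the browser adds Cookie.
function demo() {
  const scriptHeaders = {};
  const onWire = { Host: "app.example", Cookie: "session=CONSTRUCTED-VALUE" };
  const verdict = checkScriptRequest("trace", scriptHeaders);
  // If the request were sent anyway, the script-readable body would be:
  const body = traceEcho("TRACE", "/", onWire);
  return { verdict, cookieInBody: body.includes("Cookie: session=") };
}
```
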