- From: Mark Nottingham <mnot@mnot.net>
- Date: Sun, 11 Jun 2006 09:29:55 -0700
- To: Jamie Lokier <jamie@shareable.org>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 2006/06/11, at 5:27 AM, Jamie Lokier wrote:

>> The problem is that new methods (similar to TRACE and CONNECT) could be
>> introduced which would require immediate patching to browsers.
>
> Are you sure it's possible to introduce new methods that have similar
> problems to TRACE and CONNECT?
>
> New methods must be compatible with existing deployed proxies, which
> means they have to be end-to-end don't they? And isn't the security
> of end-to-end requests a matter between the client and server
> applications?

Exactly. New HTTP methods have to be backwards-compatible (i.e., proxies have to be able to just pass them through like POST), unless you rev the *major* version number of HTTP itself (see RFC2145).

Lisa posed the most relevant question, IMO; if some uses of POST (and GET for that matter) are good and some are bad, and likewise some uses of CONNECT and TRACE are good, and some are bad, is it consistent or even a good idea to try to regulate them at such a coarse level (in an API standard)?

Also, AFAICT, all of the purported security problems (which are *still* hazy) occur with cross-domain XHR, when the spec at hand only specifies single-domain XHR.

--
Mark Nottingham
http://www.mnot.net/
Received on Sunday, 11 June 2006 16:29:53 UTC
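The pass-through rule Mark describes, as an added illustration that is not part of the original message: a minimal proxy-side dispatch that treats CONNECT and a Max-Forwards: 0 TRACE/OPTIONS as the only hop-acted-on cases, forwards every other HTTP/1.x method (including ones it has never seen) unchanged, and refuses a different major version (RFC 2145). The `classify` function, the `Decision` type and the request strings are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Request-line: method (RFC 7230 tchar), target, HTTP/major.minor
REQUEST_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+) (\S+) HTTP/(\d+)\.(\d+)$")


@dataclass
class Decision:
    action: str                 # "forward", "tunnel", "answer" or "reject"
    status: Optional[int] = None  # response status when the proxy rejects


def _headers(lines) -> Dict[str, str]:
    out = {}
    for line in lines:
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out


def classify(request: str) -> Decision:
    """Decide what an HTTP/1.x forward proxy must do with a raw request (constructed example)."""
    head = request.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return Decision("reject", 400)          # malformed request line
    method, major = m.group(1), int(m.group(3))
    hdrs = _headers(lines[1:])
    if major != 1:
        # A new major version may change framing; RFC 2145 says this hop
        # cannot assume it understands it, so refuse rather than forward.
        return Decision("reject", 505)
    if method == "CONNECT":
        return Decision("tunnel")               # proxy opens a TCP tunnel itself
    if method in ("TRACE", "OPTIONS") and hdrs.get("max-forwards") == "0":
        return Decision("answer")               # this hop is the addressed recipient
    # Everything else, known or unknown, is end-to-end: forward like POST.
    return Decision("forward")


if __name__ == "__main__":
    for req in ("FROBNICATE /x HTTP/1.1\r\nHost: a\r\n\r\n",
                "CONNECT a:443 HTTP/1.1\r\nHost: a:443\r\n\r\n",
                "TRACE / HTTP/1.1\r\nHost: a\r\nMax-Forwards: 0\r\n\r\n",
                "GET / HTTP/2.0\r\nHost: a\r\n\r\n"):
        print(req.split("\r\n")[0], "->", classify(req))
```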