Origin header for safe methods other than GET/HEAD, was: The HTTP Origin Header (draft-abarth-origin) from Julian Reschke on 2009-01-23 (ietf-http-wg@w3.org from January to March 2009)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 23 Jan 2009 09:30:49 +0100
To: Larry Masinter <LMM@acm.org>
CC: 'Mark Nottingham' <mnot@mnot.net>, ietf-http-wg@w3.org, 'Lisa Dusseault' <ldusseault@commerce.net>
Message-ID: <49798039.90201@gmx.de>

Hi,

looking at <http://tools.ietf.org/html/draft-abarth-origin-00#section-5>:

    Whenever a user agent issues an HTTP request whose method is neither
    "GET" nor "HEAD", the user agent MUST include exactly one HTTP header
    named "Origin".

What about other safe methods, such as PROPFIND, REPORT or SEARCH? 
Shouldn't the spec just say:

    Whenever a user agent issues an HTTP request whose method is not
    known to be safe (see ...), the user agent MUST include exactly
    one HTTP header named "Origin".

?

BR, Julian (always nervous when definitions refer to a certain set of 
named methods)

Received on Friday, 23 January 2009 08:46:43 UTC