Re: Origin header for safe methods other than GET/HEAD, was: The HTTP Origin Header (draft-abarth-origin) from Julian Reschke on 2009-01-23 (ietf-http-wg@w3.org from January to March 2009)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 23 Jan 2009 18:35:20 +0100
To: Adam Barth <w3c@adambarth.com>
CC: Larry Masinter <LMM@acm.org>, Mark Nottingham <mnot@mnot.net>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
Message-ID: <4979FFD8.6030501@gmx.de>

Adam Barth wrote:
> On Fri, Jan 23, 2009 at 12:30 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
>>   Whenever a user agent issues an HTTP request whose method is neither
>>   "GET" nor "HEAD", the user agent MUST include exactly one HTTP header
>>   named "Origin".
>>
>> What about other safe methods, such as PROPFIND, REPORT or SEARCH? Shouldn't
>> the spec just say:
>>
>>   Whenever a user agent issues an HTTP request whose method is not
>>   known to be safe (see ...), the user agent MUST include exactly
>>   one HTTP header named "Origin".
>>
>> ?
> 
> Good point.  What should I cite as the authoritative list of safe methods?

Just say "safe", reference RFC 2616, Section 9.1.1 for now. HTTPbis will 
introduce an IANA registry for HTTP methods, which contains the flag 
(see 
<http://tools.ietf.org/html/draft-ietf-httpbis-method-registrations-01>).

BR, Julian

Received on Friday, 23 January 2009 17:36:13 UTC