- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 3 Dec 2009 10:52:51 -0800
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Tyler Close <tyler.close@gmail.com>, Daniel Stenberg <daniel@haxx.se>, Joe Gregorio <joe@bitworking.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, public-web-security@w3.org
On Thu, Dec 3, 2009 at 10:12 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> Adam Barth wrote:
>> ...
>> PUT is more dangerous than POST only because, historically, browsers
>> have allowed cross-origin POST but not PUT. That means servers had to
>> tolerate cross-origin POST without exploding, but they did not need
>> to tolerate cross-origin PUT. Therefore, there exist servers that
>> explode on a cross-origin PUT.
>> ...
>
> Evidence?

Evidence of which part? The exploding servers? Google Web Toolkit
uses custom headers to protect itself from CSRF [1], which is similar.
I've written a web service that used PUT to protect itself from CSRF,
but that might not count. :)

Adam

[1] http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications
Received on Thursday, 3 December 2009 18:53:43 UTC
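
The following is an added example, not part of the message above and not code from GWT or from any service mentioned in the thread. It contrasts a handler that relies on the method alone (any PUT changes state) with the same handler behind an explicit custom-header check of the kind the message refers to; the header name `X-Requested-By` and the names `store_app`, `csrf_guard` and `status_of` are assumptions made for the illustration.

```python
# Added illustration. All names here are hypothetical.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
CUSTOM_HEADER = "HTTP_X_REQUESTED_BY"  # WSGI key for an assumed X-Requested-By header


def store_app(environ, start_response):
    """Handler with no CSRF check of its own: every PUT is treated as
    same-origin because browsers historically never sent PUT cross-origin."""
    if environ["REQUEST_METHOD"] == "PUT":
        start_response("204 No Content", [])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def csrf_guard(app):
    """Reject state-changing requests that lack the custom header, so the
    defence is enforced by the server instead of assumed from the method."""
    def guarded(environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if method not in SAFE_METHODS and not environ.get(CUSTOM_HEADER):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"missing custom header\n"]
        return app(environ, start_response)
    return guarded


def status_of(app, method, headers=None):
    """Call a WSGI app with a constructed request and return its status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/item/1"}
    environ.update(headers or {})
    seen = []

    def start_response(status, response_headers):
        seen.append(status)

    b"".join(app(environ, start_response))
    return seen[0]


if __name__ == "__main__":
    guarded = csrf_guard(store_app)
    print(status_of(store_app, "PUT"))   # unguarded handler accepts any PUT
    print(status_of(guarded, "PUT"))     # guarded handler rejects it
    print(status_of(guarded, "PUT", {CUSTOM_HEADER: "app"}))
```

The guard treats PUT and POST identically, so the handler's safety no longer depends on which methods a client is able to send cross-origin.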