Extension HTTP methods from Pete Kirkham on 2006-04-15 (public-webapi@w3.org from April 2006)

From: Pete Kirkham <mach.elf@gmail.com>
Date: Sat, 15 Apr 2006 11:31:43 +0100
To: public-webapi@w3.org
Message-ID: <f9d9d39b0604150331x10cd10ddj6b2a1ab87985fdc@mail.gmail.com>

I have worked with XMLHttpRequest (and also the Java http libraries)
and found it annoying that only a few of the WebDav and DeltaV methods
are supported. Often I've had to hack it with a server script to
tunnel the requests so that I end up with POST
http://example.com/my-stuff?method=MKACTIVITY rather than MKACTIVITIY
http://example.com/my-stuff so that I can use a repository from a
browser based application.

Assuming that generic methods are supported by whitelists or some
other XSS protection, is there a reason why there needs to be a
restriction on the available methods? POST is often used for
destructive or billing operations, and a sensible restriction on the
method name (say 32 character limit of <any CHAR except CTLs or
separators> to prevent overrun attacks) rather than a restrive list.


Pete

Received on Monday, 17 April 2006 15:10:32 UTC