- From: Mark Nottingham <mnot@yahoo-inc.com>
- Date: Wed, 7 Jun 2006 14:46:09 -0700
- To: "Hallvord R. M. Steen" <hallvord@opera.com>
- Cc: "Julian Reschke" <julian.reschke@gmx.de>, "Mark Baker" <distobj@acm.org>, "Anne van Kesteren" <annevk@opera.com>, "Pete Kirkham" <mach.elf@gmail.com>, "Web APIs WG (public)" <public-webapi@w3.org>

Blindly standardising what one vendor does doesn't make sense; do you know *why* they consider it a security feature? The reputed security problems with various HTTP methods have been brought up many times, but I have yet to see an explanation of how they actually cause a security issue greater than supporting POST does.

Cheers,

On 2006/06/07, at 2:38 PM, Hallvord R. M. Steen wrote:

> On Wed, 31 May 2006 18:59:54 +0200, Julian Reschke
> <julian.reschke@gmx.de> wrote:
>
>> first of all, I checked current implementations, using the verbs
>> GET (RFC2616), PROPFIND (RFC2518), REPORT (RFC3253) and FOOBAR
>> (undefined).
>
>> Group A:
>>
>> IE6 (MSXML): pass (all methods sent as-is)
>> Firefox 1.5: pass
>> Firefox 2.0 alpha (Bon Echo): pass
>>
>> Group B:
>>
>> IE7 beta2: passed PROPFIND, but rejects REPORT and FOOBAR with a
>> runtime exception
>
> I have been told that this change in IE7 is very much deliberate
> and considered a security feature. We should standardise this.
>
> --
> Hallvord R. M. Steen
> Core QA JavaScript tester, Opera Software
> http://www.opera.com/
> Opera - simply the best Internet experience

--
Mark Nottingham
mnot@yahoo-inc.com

Received on Wednesday, 7 June 2006 21:46:47 UTC