- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 8 Jun 2006 23:07:30 +0000 (UTC)
- To: Charles McCathieNevile <chaals@opera.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, Mark Nottingham <mnot@yahoo-inc.com>, "Web APIs WG (public)" <public-webapi@w3.org>
On Thu, 8 Jun 2006, Charles McCathieNevile wrote:
> >
> > Please be more specific. POST today allows *anything*.
>
> Well, POST allows you to send anything. DELETE and PUT actually have
> semantics that make them much more dangerous (and much more useful, if
> you're building very simple publishing systems).

Just to be clear: from a security standpoint, none of those are a problem.
They all just affect the target host. There are FAR more dangerous methods,
for example CONNECT.

The risk is not that the first-party server might be attacked, since the
first-party server is the only server we _don't_ care about attacking. The
risks are for things _other_ than the first-party server. For example, a
proxy server.

One example of a risk would be a proxy server between the user and the
third-party host having a bug with long method names. Or having a bug with
certain non-standard method names.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 8 June 2006 23:10:26 UTC
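The point above, that the risk sits in proxies and other intermediaries rather than the target host, translates into a method check for a cross-site request API that bounds name length and rejects non-token and tunnelling methods rather than merely blocking PUT and DELETE. The following is an added example in Python, not code from this thread, the Web APIs WG or any browser; the allow list, the forbidden set and the 16-character cap are assumed policy, not values from the discussion.

```python
import re
from typing import Tuple

# HTTP token syntax (RFC 2616 section 2.2): no control characters, no separators.
# Anything outside this class (CR, LF, space, ':' ...) must never reach the wire,
# or a lenient intermediary may parse it as a different request.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Methods script should not be able to issue cross-site: CONNECT asks a proxy
# to open a tunnel, TRACE/TRACK echo the request (including credentials) back.
FORBIDDEN_METHODS = {"CONNECT", "TRACE", "TRACK"}

# Methods whose semantics are well understood for cross-site use (assumed policy;
# PUT and DELETE are included because, as the thread notes, they only affect
# the target host).
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

# Assumed upper bound; unusually long method names were the thread's example
# of input that intermediaries may mishandle.
MAX_METHOD_LENGTH = 16


def check_method(method: str) -> Tuple[bool, str]:
    """Return (accepted, normalised_method_or_reason) for a script-supplied method.

    Checks run from cheapest to most policy-specific so a reject reason is
    always the first rule that failed.
    """
    if not method:
        return False, "empty method"
    if len(method) > MAX_METHOD_LENGTH:
        return False, "method name too long"
    if not _TOKEN_RE.match(method):
        return False, "method contains non-token characters"
    upper = method.upper()  # method names are case-sensitive on the wire; normalise
    if upper in FORBIDDEN_METHODS:
        return False, f"{upper} is forbidden"
    if upper not in ALLOWED_METHODS:
        return False, f"{upper} is not on the allow list"
    return True, upper


if __name__ == "__main__":
    # Constructed sample inputs exercising each rule.
    for candidate in ["get", "DELETE", "CONNECT", "PROPFIND", "X" * 17, "GET\r\nX: y"]:
        print(repr(candidate), "->", check_method(candidate))
```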