- From: Jim Ley <jim@jibbering.com>
- Date: Sun, 14 May 2006 12:59:34 +0100
- To: "Web APIs WG \(public\)" <public-webapi@w3.org>
"Anne van Kesteren" <annevk@opera.com> > Currently some browsers have a whitelist and others have a blacklist and > the group has resolved to go for a whitelist containing all safe methods > that currently exist, unless the IETF comes up with good reasons not to. I disagree with this decision, I do not want any methods to be disallowed generally, if user agents choose to disable some specific ones for security reasons then that is fine (I'm happy for them to choose to disable POST for security reasons if they have security reasons even, security reasons trump anything) but to hobble the object to prevent using future HTTP based mechanisms is unhelpful, and not warranted. > There are currently some methods that can't be allowed for security > reasons and because such method smay be introduced in the future as well > allowing arbitrary method names does not seem like a good idea. I think you need to list these methods that cannot be used for security reasons, to explain more of the motivations for this decision. It also appears to be a direct reversal of the decision at the previous f2f (issue 74) It would be good to see what had changed in between to motivate the change, as there was no public discussion, other than more support for having any verb. Cheers, Jim.
Received on Sunday, 14 May 2006 11:59:52 UTC