Re: Extension HTTP methods from Mark Baker on 2006-05-22 (public-webapi@w3.org from May 2006)

From: Mark Baker <distobj@acm.org>
Date: Mon, 22 May 2006 22:46:49 +0200
To: "Mark Nottingham" <mnot@yahoo-inc.com>
Cc: "Anne van Kesteren" <annevk@opera.com>, "Pete Kirkham" <mach.elf@gmail.com>, "Web APIs WG (public)" <public-webapi@w3.org>
Message-ID: <c70bc85d0605221346t8a44fccyb900f0a651a4309e@mail.gmail.com>

I think that was ACTION-145 on Gorm.

On 5/22/06, Mark Nottingham <mnot@yahoo-inc.com> wrote:
>
> That's not my recollection of where the WG ended up at the F2F; I was
> under the impression that someone was going to explain what the
> security issues are, exactly.
>
> I did have an AI to list HTTP methods, but Julian has done it for me ;)
>    http://greenbytes.de/tech/webdav/common-index.html#rfc.index.M
>
>
> On 2006/05/14, at 12:04 PM, Anne van Kesteren wrote:
>
> >
> > On Sat, 15 Apr 2006 12:31:43 +0200, Pete Kirkham
> > <mach.elf@gmail.com> wrote:
> >> I have worked with XMLHttpRequest (and also the Java http libraries)
> >> and found it annoying that only a few of the WebDav and DeltaV
> >> methods
> >> are supported. Often I've had to hack it with a server script to
> >> tunnel the requests so that I end up with POST
> >> http://example.com/my-stuff?method=MKACTIVITY rather than MKACTIVITIY
> >> http://example.com/my-stuff so that I can use a repository from a
> >> browser based application.
> >>
> >> Assuming that generic methods are supported by whitelists or some
> >> other XSS protection, is there a reason why there needs to be a
> >> restriction on the available methods? POST is often used for
> >> destructive or billing operations, and a sensible restriction on the
> >> method name (say 32 character limit of <any CHAR except CTLs or
> >> separators> to prevent overrun attacks) rather than a restrive list.
> >
> > Currently some browsers have a whitelist and others have a
> > blacklist and the group has resolved to go for a whitelist
> > containing all safe methods that currently exist, unless the IETF
> > comes up with good reasons not to. There are currently some methods
> > that can't be allowed for security reasons and because such method
> > smay be introduced in the future as well allowing arbitrary method
> > names does not seem like a good idea.
> >
> >
> > --
> > Anne van Kesteren
> > <http://annevankesteren.nl/>
> > <http://www.opera.com/>
> >
> >
> >
>
> --
> Mark Nottingham
> mnot@yahoo-inc.com
>
>
>
>
>

Received on Monday, 22 May 2006 20:46:57 UTC