- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 14 Dec 2007 19:39:21 +0100
- To: Jonas Sicking <jonas@sicking.cc>
- CC: Stewart Brodie <stewart.brodie@antplc.com>, public-webapi@w3.org
Jonas Sicking wrote: > Actually, once we're supporting cross site GET requests, I think we > there should definitely mention that the entity body of GET (and > probably HEAD) requests are dropped. Otherwise there is some risk that > there are servers out there that will do dangerous things when receiving > GET requests with an entity body, such as treat it as a POST. > > This seems like just one more argument for explicitly stating that the > entity body for GET should be dropped at an XHR level. > ... Well, no. If this really is a problem, then it would be reason to disallow request bodies for *any* method on cross-site requests. BR, Julian
Received on Friday, 14 December 2007 18:39:36 UTC