- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 17 Dec 2007 17:43:37 -0800
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: Anne van Kesteren <annevk@opera.com>, Maciej Stachowiak <mjs@apple.com>, Mark Baker <distobj@acm.org>, Boris Zbarsky <bzbarsky@mit.edu>, Bjoern Hoehrmann <derhoermi@gmx.net>, public-webapi@w3.org

Julian Reschke wrote:
>
> Jonas Sicking wrote:
>>> Disagreed. Please do not try to standardize HTTP APIs that profile
>>> what HTTP allows.
>>
>> XHR already disallows a lot of things that HTTP allows. Setting
>> certain headers, cross site requests, etc. Why is this different?
>
> XHR should only disallow things when there's a good reason to do so,
> that is, when the fact that XHR requests can be invoked by client-side
> script in HTML pages affects the security picture.
>
> I don't see what that would have to do with GET bodies.

Interoperability is IMHO a pretty good reason.

I can't say I care super much, but I still don't see any value in allowing bodies with GET requests. But I do think that the spec does need to say something. Staying silent and hoping that people won't depend on unspecified things is a tried and failed method.

/ Jonas

Received on Tuesday, 18 December 2007 01:43:13 UTC