Re: PROPFIND vs "simple methods", was: [CORS] HTTP error codes in preflight response

On Wed, Sep 22, 2010 at 11:19 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 22.09.2010 20:05, Jonas Sicking wrote:
>>
>> ...
>> For what it's worth, I think "simple" is meant as "Must be handled by
>> servers today as HTML implementations can already send this request
>> cross site". Not as the HTTP definition of "must/should not have side
>> effects".
>> ...
>
> Yes. That's why I think it needs just rephrasing.
>
>> That said, I don't feel strongly either way of if PROPFIND should be
>> preflighted or not. But we would definitely have to ask "are you sure
>> that servers follow the spec and don't have side effects". I'll note
>> that it's well known that GET requests often have side effects despite
>> http saying they shouldn't.
>
> Understood.
>
> For GET I'm tempted to say: anybody who still hasn't learned about it
> deserves breakage.
>
> For PROPFIND (and other methods defined to be "safe"): it really doesn't
> make sense to do a preflight OPTIONS for PROPFIND. Both are defined to be
> safe. Both could have broken server implementations.

Note that the OPTIONS request always has an empty request body. The
PROPFIND request on the other hand can have an arbitrary body set by
the web page author. So it is much more likely that the latter can be
used to attack a server I would imagine.

/ Jonas

Received on Wednesday, 22 September 2010 18:26:23 UTC