- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 22 Sep 2010 11:25:26 -0700
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Webapps WG <public-webapps@w3.org>

On Wed, Sep 22, 2010 at 11:19 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 22.09.2010 20:05, Jonas Sicking wrote:
>>
>> ...
>> For what it's worth, I think "simple" is meant as "Must be handled by
>> servers today as HTML implementations can already send this request
>> cross site". Not as the HTTP definition of "must/should not have side
>> effects".
>> ...
>
> Yes. That's why I think it needs just rephrasing.
>
>> That said, I don't feel strongly either way of if PROPFIND should be
>> preflighted or not. But we would definitely have to ask "are you sure
>> that servers follow the spec and don't have side effects". I'll note
>> that it's well known that GET requests often have side effects despite
>> http saying they shouldn't.
>
> Understood.
>
> For GET I'm tempted to say: anybody who still hasn't learned about it
> deserves breakage.
>
> For PROPFIND (and other methods defined to be "safe"): it really doesn't
> make sense to do a preflight OPTIONS for PROPFIND. Both are defined to be
> safe. Both could have broken server implementations.

Note that the OPTIONS request always has an empty request body. The PROPFIND request on the other hand can have an arbitrary body set by the web page author. So it is much more likely that the latter can be used to attack a server I would imagine.

/ Jonas

Received on Wednesday, 22 September 2010 18:26:23 UTC
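
The distinction drawn in the message above, as an added example that is not part of the original e-mail or of any specification text: a toy model of the preflight gate showing that a page-supplied PROPFIND body reaches a server only after the server opts in. All function names, the origins and the sample body are constructed for illustration, and `preflightExempt` models the hypothetical case of PROPFIND being treated like a simple method.

```javascript
// Toy model of the CORS preflight gate; not a real browser or server.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Hypothetical legacy WebDAV server: unaware of CORS, parses any body it gets.
function makeLegacyServer() {
  const parsedBodies = [];
  return {
    parsedBodies,
    handle(req) {
      if (req.body) parsedBodies.push({ method: req.method, body: req.body });
      return { status: req.method === "OPTIONS" ? 200 : 207, headers: {} };
    },
  };
}

// Hypothetical server that opts in to cross-origin PROPFIND from one origin.
function makeOptInServer(allowedOrigin) {
  const server = makeLegacyServer();
  const inner = server.handle;
  server.handle = (req) => {
    const res = inner(req);
    if (req.headers.Origin === allowedOrigin) {
      res.headers["Access-Control-Allow-Origin"] = allowedOrigin;
      res.headers["Access-Control-Allow-Methods"] = "PROPFIND";
    }
    return res;
  };
  return server;
}

// Browser side: non-simple methods are preceded by a body-less OPTIONS request.
function crossOriginSend(server, origin, method, body, preflightExempt = new Set()) {
  const headers = { Origin: origin };
  if (!SIMPLE_METHODS.has(method) && !preflightExempt.has(method)) {
    const pre = server.handle({
      method: "OPTIONS",
      headers: { ...headers, "Access-Control-Request-Method": method },
      body: "", // the preflight never carries page-controlled content
    });
    const allowOrigin = pre.headers["Access-Control-Allow-Origin"];
    const allowMethods = (pre.headers["Access-Control-Allow-Methods"] || "").split(/\s*,\s*/);
    if (allowOrigin !== origin || !allowMethods.includes(method)) {
      return { sent: false, reason: "preflight denied" };
    }
  }
  server.handle({ method, headers, body }); // page-controlled body is delivered here
  return { sent: true };
}
```
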