- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 22 Sep 2010 21:22:14 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- CC: Webapps WG <public-webapps@w3.org>
On 22.09.2010 20:25, Jonas Sicking wrote:
> ...
>> For PROPFIND (and other methods defined to be "safe"): it really doesn't
>> make sense to do a preflight OPTIONS for PROPFIND. Both are defined to be
>> safe. Both could have broken server implementations.
>
> Note that the OPTIONS request always has an empty request body. The
> PROPFIND request on the other hand can have an arbitrary body set by
> the web page author. So it is much more likely that the latter can be
> used to attack a server I would imagine.
> ...

An OPTIONS request can have an almost arbitrarily long URI.

Anyway, this isn't rational anymore. PROPFIND is well understood and it *is* safe. If you fear to do damage with a PROPFIND request then you really should think twice before doing HTTP at all.

Best regards, Julian
Received on Wednesday, 22 September 2010 19:22:54 UTC