Re: PROPFIND vs "simple methods", was: [CORS] HTTP error codes in preflight response

On Wed, Sep 22, 2010 at 12:16 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Wed, 22 Sep 2010 20:19:08 +0200, Julian Reschke <julian.reschke@gmx.de>
> wrote:
>>
>> For PROPFIND (and other methods defined to be "safe"): it really doesn't
>> make sense to do a preflight OPTIONS for PROPFIND. Both are defined to be
>> safe. Both could have broken server implementations.
>
> We don't want to keep updating the "safe" list. So they're all "unsafe". Or
> maybe not "unsafe", just not compatible with HTML forms.

What we're really concerned about here is the HTML/SVG/web/whathaveyou
same-origin security model that browsers implement and servers
generally rely on. This model only allows cross-origin requests that
use get/head/post-with-some-content-types. So that might be the term
to use here.

/ Jonas

Received on Wednesday, 22 September 2010 20:27:59 UTC
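
The get/head/post-with-some-content-types rule discussed in this message, sketched as an added example that is not part of the original thread or of any browser's code. The function name `preflightReasons` and the sample requests are constructed for illustration; the header and content-type lists follow the CORS "simple" definitions, and the check is a simplified model that ignores header-value restrictions.

```javascript
// Added illustration: a simplified model of which cross-origin requests an
// HTML form could already send, and which need an OPTIONS preflight.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const FORM_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Returns the reasons a request needs a preflight; an empty array means the
// request is form-compatible and is sent without one.
function preflightReasons(method, headers = {}) {
  const reasons = [];
  // Browsers normalize the case of GET/HEAD/POST, so compare upper-cased.
  const m = method.toUpperCase();
  if (!SIMPLE_METHODS.has(m)) reasons.push(`method ${m}`);
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(n)) {
      reasons.push(`header ${n}`);
    } else if (n === "content-type") {
      // Compare only the media type, ignoring parameters such as charset.
      const essence = String(value).split(";")[0].trim().toLowerCase();
      if (!FORM_CONTENT_TYPES.has(essence)) reasons.push(`content-type ${essence}`);
    }
  }
  return reasons;
}

// Constructed sample requests, including the PROPFIND case from the thread.
const samples = [
  ["GET", {}],
  ["POST", { "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8" }],
  ["POST", { "Content-Type": "application/json" }],
  ["PROPFIND", { "Depth": "1", "Content-Type": "application/xml" }],
];
for (const [method, headers] of samples) {
  const r = preflightReasons(method, headers);
  console.log(method, r.length ? `preflight (${r.join(", ")})` : "no preflight");
}
```

PROPFIND is preflighted here because it is outside the form-compatible set, whether or not the method is defined as safe, which is the distinction the thread is trying to name.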