W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: PROPFIND vs "simple methods", was: [CORS] HTTP error codes in preflight response

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 22 Sep 2010 21:31:09 +0200
Message-ID: <4C9A597D.8010605@gmx.de>
To: Anne van Kesteren <annevk@opera.com>
CC: Jonas Sicking <jonas@sicking.cc>, Webapps WG <public-webapps@w3.org>
On 22.09.2010 21:26, Anne van Kesteren wrote:
> On Wed, 22 Sep 2010 21:20:09 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> On Wed, Sep 22, 2010 at 12:16 PM, Anne van Kesteren <annevk@opera.com>
>> wrote:
>>> We don't want to keep updating the "safe" list. So they're all
>>> "unsafe". Or
>>> maybe not "unsafe", just not compatible with HTML forms.
>> What we're really concerned about here is the HTML/SVG/web/whathaveyou
>> same-origin security model that browsers implement and servers
>> generally rely on. This model only allows cross-origin requests that
>> use get/head/post-with-some-content-types. So that might be the term
>> to use here.
> What term?
> "simple methods" is by the way just an indication of whether they follow
> the "simple cross-origin request" set of steps. "simple" has nothing to
> do with "safe". They are distinct terms.


CORS, 6.1.5.:

"To protect resources against cross-origin access with methods that have 
side effects an preflight request is made to ensure that the resource is 
ok with the request."

This is misleading IMHO.

Best regards, Julian
Received on Wednesday, 22 September 2010 20:31:51 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:11 UTC