- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 23 Sep 2010 08:40:14 -0700
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Webapps WG <public-webapps@w3.org>
On Thu, Sep 23, 2010 at 2:17 AM, Julian Reschke <julian.reschke@gmx.de> wrote: > Also, somewhere else it was pointed out that OPTIONS differs from PROPFIND > in that PROPFIND can have a body. So can OPTIONS (see, for instance, > <http://greenbytes.de/tech/webdav/rfc3253.html#rfc.section.6.4>). I was saying that the OPTIONS requests which are sent by CORS implementations preflight requests, and thus can be sent to any server, never have a request body. They are thus very limited in their ability to hack a server. The fact that other specs use OPTIONS in other ways does not change this. / Jonas
Received on Thursday, 23 September 2010 15:41:09 UTC