I have worked with XMLHttpRequest (and also the Java HTTP libraries) and found it annoying that only a few of the WebDAV and DeltaV methods are supported. Often I've had to hack it with a server script to tunnel the requests so that I end up with POST http://example.com/my-stuff?method=MKACTIVITY rather than MKACTIVITY http://example.com/my-stuff so that I can use a repository from a browser-based application.
Assuming that generic methods are supported by whitelists or some other XSS protection, is there a reason why there needs to be a restriction on the available methods? POST is often used for destructive or billing operations, and a sensible restriction on the method name (say 32 character limit of <any CHAR except CTLs or separators> to prevent overrun attacks) rather than a restrictive list.

Pete
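
An added example, not part of the original message: the method-name rule proposed above (the RFC 2616 token grammar with a 32-character cap), applied by a server-side tunnelling script before it acts on the `method` query parameter. The function names are hypothetical, and honouring the override only on POST requests is an assumption of this sketch.

```javascript
// RFC 2616 section 2.2: token = 1*<any CHAR except CTLs or separators>
// separators: ( ) < > @ , ; : \ " / [ ] ? = { } SP HT
const SEPARATORS = new Set('()<>@,;:\\"/[]?={} \t');
const MAX_METHOD_LENGTH = 32; // length limit suggested in the message

// True when `name` is a non-empty token of at most 32 characters.
function isValidMethodName(name) {
  if (typeof name !== 'string') return false;
  if (name.length === 0 || name.length > MAX_METHOD_LENGTH) return false;
  for (const ch of name) {
    const code = ch.codePointAt(0);
    if (code > 127) return false;                 // not a CHAR (US-ASCII 0-127)
    if (code <= 31 || code === 127) return false; // CTL, which covers CR and LF
    if (SEPARATORS.has(ch)) return false;
  }
  return true;
}

// Hypothetical helper for the tunnelling script: returns the method the
// server should act on, or throws if the name breaks the token rule.
// Assumption: only POST requests may carry a ?method= override.
function effectiveMethod(requestMethod, requestUrl) {
  const override = new URL(requestUrl).searchParams.get('method');
  const method =
    requestMethod === 'POST' && override !== null ? override : requestMethod;
  if (!isValidMethodName(method)) {
    throw new RangeError('invalid HTTP method name');
  }
  return method;
}
```

Rejecting CTLs is what keeps a percent-encoded CR/LF in the tunnelled parameter from reaching any request line or log entry the script builds from it.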