On Sat, 15 Apr 2006 12:31:43 +0200, Pete Kirkham <[EMAIL PROTECTED]> wrote:
I have worked with XMLHttpRequest (and also the Java http libraries)
and found it annoying that only a few of the WebDav and DeltaV methods
are supported. Often I've had to hack it with a server script to
tunnel the requests so that I end up with POST
http://example.com/my-stuff?method=MKACTIVITY rather than MKACTIVITY
http://example.com/my-stuff so that I can use a repository from a
browser based application.

Assuming that generic methods are supported by whitelists or some
other XSS protection, is there a reason why there needs to be a
restriction on the available methods? POST is often used for
destructive or billing operations, and a sensible restriction on the
method name (say a 32 character limit of <any CHAR except CTLs or
separators> to prevent overrun attacks) would do rather than a restrictive list.

Currently some browsers have a whitelist and others have a blacklist, and the group has resolved to go for a whitelist containing all safe methods that currently exist, unless the IETF comes up with good reasons not to. There are currently some methods that can't be allowed for security reasons, and because such methods may be introduced in the future as well, allowing arbitrary method names does not seem like a good idea.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
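The two approaches discussed in this exchange side by side, as an added example that is not code from the thread or from any browser: a syntactic check on the method name (the token rule Pete proposes) next to a whitelist (the group's resolution), with Pete's `?method=` tunnelling as the fallback for methods the whitelist does not cover. The whitelist and the forbidden set below are assumptions constructed for illustration; the forbidden set mirrors the one later browser specs settled on, not anything stated in the thread.

```javascript
// RFC 2616 token: 1*<any CHAR except CTLs or separators>.
// This is the syntactic rule Pete suggests; it bounds length and character set
// but says nothing about what the method does.
const SEPARATORS = '()<>@,;:\\"/[]?={} \t';
const MAX_METHOD_LENGTH = 32;

function isHttpToken(method) {
  if (typeof method !== 'string') return false;
  if (method.length === 0 || method.length > MAX_METHOD_LENGTH) return false;
  for (const ch of method) {
    const code = ch.charCodeAt(0);
    if (code <= 0x1f || code >= 0x7f) return false; // CTLs, DEL, and non-ASCII
    if (SEPARATORS.includes(ch)) return false;
  }
  return true;
}

// Constructed whitelist of methods a browser might allow directly (assumption).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'OPTIONS',
  'PROPFIND', 'PROPPATCH', 'MKCOL', 'COPY', 'MOVE', 'LOCK', 'UNLOCK']);
// Methods never to be sent from script (assumption; taken from later specs).
const FORBIDDEN_METHODS = new Set(['CONNECT', 'TRACE', 'TRACK']);

// 'direct'  -> send the method as-is
// 'tunnel'  -> syntactically fine but not whitelisted: use POST ?method=X
// 'reject'  -> malformed or explicitly forbidden
function classifyMethod(method) {
  if (!isHttpToken(method)) return 'reject';
  const upper = method.toUpperCase();
  if (FORBIDDEN_METHODS.has(upper)) return 'reject';
  if (SAFE_METHODS.has(upper)) return 'direct';
  return 'tunnel';
}

// Builds the {method, url} pair a client would hand to XMLHttpRequest,
// applying Pete's tunnelling workaround where the whitelist blocks the method.
function buildRequest(baseUrl, method) {
  const verdict = classifyMethod(method);
  if (verdict === 'reject') throw new Error('method not allowed: ' + method);
  if (verdict === 'direct') return { method: method, url: baseUrl };
  const sep = baseUrl.includes('?') ? '&' : '?';
  return { method: 'POST', url: baseUrl + sep + 'method=' + encodeURIComponent(method) };
}
```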

