Blindly standardising what one vendor does doesn't make sense; do you
know *why* they consider it a security feature?
The reputed security problems with various HTTP methods have been
brought up many times, but I have yet to see an explanation of how
they actually cause a security issue greater than supporting POST does.
Cheers,
On 2006/06/07, at 2:38 PM, Hallvord R. M. Steen wrote:
> On Wed, 31 May 2006 18:59:54 +0200, Julian Reschke
> <[EMAIL PROTECTED]> wrote:
>> first of all, I checked current implementations, using the verbs
>> GET (RFC2616), PROPFIND (RFC2518), REPORT (RFC3253) and FOOBAR
>> (undefined).
>>
>> Group A:
>> IE6 (MSXML): pass (all methods sent as-is)
>> Firefox 1.5: pass
>> Firefox 2.0 alpha (Bon Echo): pass
>>
>> Group B:
>> IE7 beta2: passed PROPFIND, but rejects REPORT and FOOBAR with a
>> runtime exception
>
> I have been told that this change in IE7 is very much deliberate
> and considered a security feature. We should standardise this.
>
> --
> Hallvord R. M. Steen
> Core QA JavaScript tester, Opera Software
> http://www.opera.com/
> Opera - simply the best Internet experience
--
Mark Nottingham
[EMAIL PROTECTED]