On Thu, 8 Jun 2006, Charles McCathieNevile wrote:
>
> > > Please be more specific. POST today allows *anything*.
>
> Well, POST allows you to send anything. DELETE and PUT actually have
> semantics that make them much more dangerous (and much more useful, if
> you're building very simple publishing systems).
Just to be clear: from a security standpoint, none of those are a problem.
They all just affect the target host. There are FAR more dangerous methods,
for example CONNECT.

The risk is not that the first-party server might be attacked, since the
first-party server is the only server we _don't_ care about attacking. The
risks are for things _other_ than the first-party server. For example, a
proxy server.

One example of a risk would be a proxy server between the user and the
third-party host having a bug with long method names. Or having a bug with
certain non-standard method names.

-- 
Ian Hickson                  U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
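The argument above is that a user agent issuing requests to third-party hosts should screen the method name for the benefit of intermediaries, not of the target server: reject methods that turn a proxy into something else (CONNECT), methods that echo the request back (TRACE/TRACK), anything that is not a syntactically valid method token, and anything long enough to tickle a length bug in a proxy. The following is an added example of such a screen and is not code from the thread or from any browser; the length cap of 32, the particular forbidden set, and the set of method names whose case is normalised are this example's own assumptions (the later XMLHttpRequest specification does forbid CONNECT, TRACE and TRACK, but this code is not that specification's text).

```javascript
// Added example, not from the original thread: a user-agent-side check on
// the HTTP method before a cross-site request is sent. The point is to
// protect things other than the first-party server, chiefly proxies.

// Characters permitted in a method token (RFC 7230 "tchar").
const TCHAR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Methods whose risk falls on intermediaries rather than the target host:
// CONNECT asks a proxy to open a tunnel, TRACE/TRACK echo the request
// (including any credentials the proxy or client attached). Assumed set.
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);

// Well-known methods whose case we normalise, so "get" and "GET" are the
// same request; unknown tokens are passed through unchanged. Assumed set.
const NORMALISED_METHODS = new Set([
  "DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT",
]);

// Assumed upper bound. Long, unusual method names are exactly the proxy
// bug class the thread is worried about, so keep this small.
const MAX_METHOD_LENGTH = 32;

// Returns { ok: true, method } with the method to actually send, or
// { ok: false, reason } when the request must not be issued at all.
function validateMethod(method) {
  if (typeof method !== "string" || method.length === 0) {
    return { ok: false, reason: "empty method" };
  }
  if (method.length > MAX_METHOD_LENGTH) {
    return { ok: false, reason: "method too long (" + method.length + " chars)" };
  }
  if (!TCHAR.test(method)) {
    // Rejects spaces, CR/LF and other separators, so a method cannot smuggle
    // a second request line or header past a lenient proxy.
    return { ok: false, reason: "not a valid HTTP token" };
  }
  const upper = method.toUpperCase();
  if (FORBIDDEN_METHODS.has(upper)) {
    return { ok: false, reason: "forbidden method " + upper };
  }
  return { ok: true, method: NORMALISED_METHODS.has(upper) ? upper : method };
}

// Screens a batch of candidate methods and reports which would be sent.
// Useful for seeing the policy at a glance; returns the decisions.
function screenMethods(methods) {
  return methods.map((m) => ({ input: m, ...validateMethod(m) }));
}

// Constructed sample inputs covering each branch of the policy.
const SAMPLE_METHODS = [
  "get",            // normalised to GET
  "PROPFIND",       // unknown but well-formed token, passed through as-is
  "connect",        // forbidden regardless of case
  "TRACE",          // forbidden
  "GET /admin",     // contains a space: not a token
  "X".repeat(40),   // over the length cap
  "",               // empty
];

for (const d of screenMethods(SAMPLE_METHODS)) {
  console.log(JSON.stringify(d));
}
```

`validateMethod` is deliberately a whitelist on syntax plus a short blacklist on semantics: the token check and length cap are what keep unusual method names away from proxies, and the forbidden set covers the methods whose meaning is aimed at the intermediary rather than the origin.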
