On 22.09.2010 20:25, Jonas Sicking wrote:
...
For PROPFIND (and other methods defined to be "safe"): it really doesn't
make sense to do a preflight OPTIONS for PROPFIND. Both are defined to be
safe. Both could have broken server implementations.
Note that the OPTIONS request always has an empty request body. The
PROPFIND request on the other hand can have an arbitrary body set by
the web page author. So it is much more likely that the latter can be
used to attack a server I would imagine.
...
An OPTIONS request can have an almost arbitrary long URI.
Anyway, this isn't rational anymore. PROPFIND is well understood and it
*is* safe. If you fear to do damage with a PROPFIND request than you
really should think twice before doing HTTP at all.
Best regards, Julian
