On Wed, Sep 22, 2010 at 12:16 PM, Anne van Kesteren <[email protected]> wrote:
> On Wed, 22 Sep 2010 20:19:08 +0200, Julian Reschke <[email protected]>
> wrote:
>>
>> For PROPFIND (and other methods defined to be "safe"): it really doesn't
>> make sense to do a preflight OPTIONS for PROPFIND. Both are defined to be
>> safe. Both could have broken server implementations.
>
> We don't want to keep updating the "safe" list. So they're all "unsafe". Or
> maybe not "unsafe", just not compatible with HTML forms.

What we're really concerned about here is the HTML/SVG/web/whathaveyou same-origin security model that browsers implement and servers generally rely on. This model only allows cross-origin requests that use get/head/post-with-some-content-types. So that might be the term to use here.

/ Jonas
