On Thu, Sep 23, 2010 at 2:17 AM, Julian Reschke <[email protected]> wrote:
> Also, somewhere else it was pointed out that OPTIONS differs from PROPFIND
> in that PROPFIND can have a body. So can OPTIONS (see, for instance,
> <http://greenbytes.de/tech/webdav/rfc3253.html#rfc.section.6.4>).

I was saying that the OPTIONS requests which are sent by CORS implementations as preflight requests, and thus can be sent to any server, never have a request body. They are thus very limited in their ability to hack a server. The fact that other specs use OPTIONS in other ways does not change this.

/ Jonas
