Ian Hickson schrieb:
On Wed, 7 Jun 2006, Mark Nottingham wrote:
Blindly standardising what one vendor does doesn't make sense; do you
know *why* they consider it a security feature?
The reputed security problems with various HTTP methods have been
brought up many times, but I have yet to
Charles McCathieNevile schrieb:
POST could be used to do so, but there is nothing in its defined
semantics that forces it to be used like that. POST hands the body to
something and says do with this as you see fit, PUT says begone, this
is your replacement.
Well. A server may replace a
On Thu, 08 Jun 2006 22:56:51 +1000, Julian Reschke [EMAIL PROTECTED]
wrote:
I'd like to pick up the discussion I started several weeks ago (see
http://lists.w3.org/Archives/Public/public-webapi/2006Apr/0305.html
and copy below)...
In the meantime I've discussed the issue with Roy F.,
Bjoern Hoehrmann schrieb:
* Julian Reschke wrote:
[...]
Could you propose specific text to be included in the specification with
respect to support for HTTP methods? It is not clear to me why we are
still discussing this, so having clear proposals for text would help a
lot.
Fair enough.
On Thu, 08 Jun 2006 23:54:53 +1000, Julian Reschke [EMAIL PROTECTED]
wrote:
... it exposes users to a potential security risk, and there's nothing
the user can do about it except disabling scripting. I think that is a
problem.
SURE. That doesn't make it a bug per se. It also exposes
Boris Zbarsky schrieb:
Charles McCathieNevile wrote:
... it exposes users to a potential security risk, and there's
nothing the user can do about it except disabling scripting. I think
that is a problem.
SURE. That doesn't make it a bug per se. It also exposes the user to a
bunch of
Julian Reschke wrote:
Well, what I'm concerned with is form.submit() and XHR/PUT/DELETE in
things like onload events.
Yes, I'm aware of your position. My mail was a response to a specific statement
that Charles made, not a general response to the whole thread.
-Boris
+1
On 2006/06/08, at 6:34 AM, Julian Reschke wrote:
Charles McCathieNevile schrieb:
POST could be used to do so, but there is nothing in its defined
semantics that forces it to be used like that. POST hands the body
to something and says do with this as you see fit, PUT says
begone,
On 2006/06/08, at 6:41 AM, Charles McCathieNevile wrote:
There is a convention that you don't use GET for things with side
effects, but there is nothing that enforces that convention.
Caching proxies
Search engines and other automated processes
Google Web accelerator
I think it's very
On Thu, 8 Jun 2006, Charles McCathieNevile wrote:
Please be more specific. POST today allows *anything*.
Well, POST allows you to send anything. DELETE and PUT actually have
semantics that make them much more dangerous (and much more useful, if
you're building very simple publishing
10 matches
Mail list logo
