-
Notifications
You must be signed in to change notification settings - Fork 332
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can the set of safelisted methods be extended? #1774
Comments
No, the safelisted methods are essentially part of the web's same-origin policy. Extending the list would subvert server expectations. |
I'm not surprised, but I wanted to see this written down in order to resolve discussions for QUERY. |
Maybe a comment about the non-extensibility of the safe methods/fields/media types could be added somwhere so it would be possible to link to it? (apologies if it's already there) |
Yeah that's fair. Perhaps there should be a short "Same-origin policy" section in the "Background reading" appendix. |
@annevk - are you still planning to do this? Alternatively we could either stay silent about the topic, or briefly say what you said above. But my preference would be to point somewhere else... |
Eventually, yes, but I'm not actively working on this at the moment. |
For now, see httpwg/http-extensions#2947 |
What problem are you trying to solve?
There are HTTP methods defined to be "safe" which nevertheless require CORS preflights.
What solutions exist today?
Non (AFAIU) expect to do the preflight.
How would you solve it?
Adding to the defined in
https://fetch.spec.whatwg.org/#cors-safelisted-method
In theory we could discuss this for some WebDAV methods as well (PROPFIND etc), but what's more important would be QUERY once it's there.
Anything else?
No response
The text was updated successfully, but these errors were encountered: