Can the set of safelisted methods be extended? #1774

Open
reschke opened this issue Sep 19, 2024 · 7 comments
Labels
clarification Standard could be clearer

Comments


reschke commented Sep 19, 2024

What problem are you trying to solve?

There are HTTP methods defined to be "safe" which nevertheless require CORS preflights.

What solutions exist today?

None (AFAIU) except to do the preflight.

How would you solve it?

Adding to the defined in

https://fetch.spec.whatwg.org/#cors-safelisted-method

In theory we could discuss this for some WebDAV methods as well (PROPFIND etc), but what's more important would be QUERY once it's there.

Anything else?

No response

reschke added the addition/proposal and needs implementer interest labels Sep 19, 2024
Member

annevk commented Sep 19, 2024

No, the safelisted methods are essentially part of the web's same-origin policy. Extending the list would subvert server expectations.
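
What servers can rely on today, as an added example (not part of this thread and not text from the Fetch Standard): a simplified JavaScript model of the browser's preflight decision against a constructed server policy. The names `answerPreflight` and `browserSendsRequest`, the policy object and the example origins are assumptions; only the request method is modelled, not headers or credentials.

```javascript
// Added illustration; the policy object and origins below are constructed.
const CORS_SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]); // Fetch Standard

// Server side: answer an OPTIONS preflight from a per-resource policy.
function answerPreflight(headers, policy) {
  const origin = headers["origin"];
  const wanted = headers["access-control-request-method"];
  if (!origin || !wanted) return { status: 400, headers: {} };
  if (!policy.allowedOrigins.includes(origin) ||
      !policy.allowedMethods.includes(wanted)) {
    return { status: 403, headers: {} }; // no CORS headers: the preflight fails
  }
  return {
    status: 204,
    headers: {
      "access-control-allow-origin": origin,
      "access-control-allow-methods": policy.allowedMethods.join(", "),
      "vary": "Origin",
    },
  };
}

// Browser side (simplified): is the actual cross-origin request delivered?
function browserSendsRequest(method, origin, policy) {
  // Safelisted methods are sent without asking; only reading the response is gated.
  if (CORS_SAFELISTED_METHODS.has(method)) return true;
  const res = answerPreflight(
    { "origin": origin, "access-control-request-method": method }, policy);
  if (res.status < 200 || res.status > 299) return false;
  if (res.headers["access-control-allow-origin"] !== origin) return false;
  const allowed = (res.headers["access-control-allow-methods"] || "")
    .split(",").map((m) => m.trim());
  return allowed.includes(method);
}

// Constructed policy for a resource that implements PROPFIND and QUERY.
const policy = {
  allowedOrigins: ["https://app.example"],
  allowedMethods: ["PROPFIND", "QUERY"],
};

console.log(browserSendsRequest("GET", "https://other.example", policy));
console.log(browserSendsRequest("QUERY", "https://other.example", policy));
console.log(browserSendsRequest("QUERY", "https://app.example", policy));
```

In this model a QUERY or PROPFIND from an unlisted origin is never delivered to the handler, while a GET is. Adding either method to the safelist would send it down the first branch and deliver it without the server being asked.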

Author

reschke commented Sep 19, 2024

I'm not surprised, but I wanted to see this written down in order to resolve discussions for QUERY.

annevk closed this as not planned Sep 19, 2024
Author

reschke commented Sep 19, 2024

Maybe a comment about the non-extensibility of the safe methods/fields/media types could be added somewhere so it would be possible to link to it? (apologies if it's already there)

Member

annevk commented Sep 19, 2024

Yeah that's fair. Perhaps there should be a short "Same-origin policy" section in the "Background reading" appendix.

annevk reopened this Sep 19, 2024
Author

reschke commented Oct 17, 2024

@annevk - are you still planning to do this? Alternatively we could either stay silent about the topic, or briefly say what you said above. But my preference would be to point somewhere else...

annevk added the clarification label and removed the addition/proposal and needs implementer interest labels Oct 17, 2024
Member

annevk commented Oct 17, 2024

Eventually, yes, but I'm not actively working on this at the moment.

Author

reschke commented Nov 13, 2024

For now, see httpwg/http-extensions#2947
