Can the set of safelisted methods be extended? #1774
Comments
reschke
added
addition/proposal
|
No, the safelisted methods are essentially part of the web's same-origin policy. Extending the list would subvert server expectations. |
|
I'm not surprised, but I wanted to see this written down in order to resolve discussions for QUERY. |
|
Maybe a comment about the non-extensibility of the safe methods/fields/media types could be added somwhere so it would be possible to link to it? (apologies if it's already there) |
|
Yeah that's fair. Perhaps there should be a short "Same-origin policy" section in the "Background reading" appendix. |
|
@annevk - are you still planning to do this? Alternatively we could either stay silent about the topic, or briefly say what you said above. But my preference would be to point somewhere else... |
annevk
added
clarification
|
Eventually, yes, but I'm not actively working on this at the moment. |
What problem are you trying to solve?
There are HTTP methods defined to be "safe" which nevertheless require CORS preflights.
What solutions exist today?
Non (AFAIU) expect to do the preflight.
How would you solve it?
Adding to the defined in
https://fetch.spec.whatwg.org/#cors-safelisted-method
In theory we could discuss this for some WebDAV methods as well (PROPFIND etc), but what's more important would be QUERY once it's there.
Anything else?
No response
The text was updated successfully, but these errors were encountered: