whatwg / fetch

Fetch Standard
https://fetch.spec.whatwg.org/

Can the set of safelisted methods be extended? #1774

Open reschke opened 2 months ago

reschke commented 2 months ago

What problem are you trying to solve?

There are HTTP methods defined to be "safe" which nevertheless require CORS preflights.

What solutions exist today?

None (AFAIU); expect to do the preflight.

How would you solve it?

Adding to the defined in

https://fetch.spec.whatwg.org/#cors-safelisted-method

In theory we could discuss this for some WebDAV methods as well (PROPFIND etc), but what's more important would be QUERY once it's there.

Anything else?

No response

annevk commented 2 months ago

No, the safelisted methods are essentially part of the web's same-origin policy. Extending the list would subvert server expectations.
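To make the point above concrete, here is an added example (not code from the Fetch repository or from either commenter) that models the browser's "does this request need a preflight?" decision using the Fetch Standard's definitions of CORS-safelisted method and CORS-safelisted request-header, plus a constructed server-side OPTIONS handler showing why a server can treat the preflight as a gate for methods such as QUERY or PROPFIND. The Range header special case is omitted, and the origin and method allowlists in the `policy` object are constructed sample values.

```javascript
// Added example: a minimal model of the Fetch Standard's CORS preflight
// decision. Safelisted methods and headers follow the spec text; the
// Range header rules are left out for brevity (assumption noted in lead-in).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

function isCorsSafelistedMethod(method) {
  // Method names are matched byte-case-insensitively ("get" counts as GET).
  return SAFELISTED_METHODS.has(method.toUpperCase());
}

function hasCorsUnsafeByte(value) {
  // Fetch's "CORS-unsafe request-header byte": any control byte other than
  // HT (0x09), DEL, and the listed separator characters.
  return /[\x00-\x08\x0A-\x1F"():<>?@\[\\\]{}\x7F]/.test(value);
}

function isCorsSafelistedRequestHeader(name, value) {
  if (value.length > 128) return false; // spec's length limit on the value
  switch (name.toLowerCase()) {
    case "accept":
      return !hasCorsUnsafeByte(value);
    case "accept-language":
    case "content-language":
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case "content-type": {
      if (hasCorsUnsafeByte(value)) return false;
      // MIME type essence: the part before the first ";", trimmed, lowercased.
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFELISTED_CONTENT_TYPES.has(essence);
    }
    default:
      return false; // any other header name forces a preflight
  }
}

// True when a cross-origin request with this method and these headers
// would be preceded by an OPTIONS preflight. This is why QUERY and the
// WebDAV methods always preflight: the method alone is enough.
function needsPreflight(method, headers = {}) {
  if (!isCorsSafelistedMethod(method)) return true;
  return Object.entries(headers).some(
    ([name, value]) => !isCorsSafelistedRequestHeader(name, value)
  );
}

// Server side of the same contract (constructed example): an OPTIONS
// handler that only grants non-safelisted methods to allowlisted origins.
// Since browsers never send QUERY or PROPFIND cross-origin without this
// exchange, the server can rely on it as a gate; that reliance is the
// "server expectation" a longer safelist would break.
function preflightResponse(originHeader, requestedMethod, policy) {
  if (!policy.allowedOrigins.has(originHeader)) return null; // no CORS headers: browser blocks
  const method = requestedMethod.toUpperCase();
  if (!policy.allowedMethods.has(method)) return null;
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": originHeader,
      "Access-Control-Allow-Methods": [...policy.allowedMethods].join(", "),
      "Vary": "Origin",
    },
  };
}

// Constructed sample policy used by the usage call below.
const SAMPLE_POLICY = {
  allowedOrigins: new Set(["https://app.example"]),
  allowedMethods: new Set(["GET", "QUERY"]),
};

console.log(needsPreflight("GET"), needsPreflight("QUERY"));          // false true
console.log(preflightResponse("https://app.example", "QUERY", SAMPLE_POLICY));
```

Run with `node`; `needsPreflight` is the browser's view and `preflightResponse` the server's. Together they show that the safelist is a two-sided contract: widening it in the browser would silently remove the OPTIONS round trip that deployed servers use as their only signal that a cross-origin QUERY or PROPFIND is coming.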

reschke commented 2 months ago

I'm not surprised, but I wanted to see this written down in order to resolve discussions for QUERY.

reschke commented 2 months ago

Maybe a comment about the non-extensibility of the safe methods/fields/media types could be added somewhere so it would be possible to link to it? (apologies if it's already there)

annevk commented 2 months ago

Yeah that's fair. Perhaps there should be a short "Same-origin policy" section in the "Background reading" appendix.

reschke commented 1 month ago

@annevk - are you still planning to do this? Alternatively we could either stay silent about the topic, or briefly say what you said above. But my preference would be to point somewhere else...

annevk commented 1 month ago

Eventually, yes, but I'm not actively working on this at the moment.

reschke commented 1 week ago

For now, see https://github.com/httpwg/http-extensions/pull/2947