RE: XMLHttpRequest for Last Call

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

RE: XMLHttpRequest for Last Call

Sunava Dutta

Hello Julian,
We do currently support all WebDAV HTTP verbs from RFC2518.

        PROPFIND
        PROPPATCH
        MKCOL
        GET
        HEAD
        POST
        DELETE
        PUT
        COPY
        MOVE
        LOCK
        UNLOCK

And also OPTIONS.

Details available here:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml
/reference/objects/obj_xmlhttprequest.asp

Thanks!


-----Original Message-----
From: Julian Reschke [mailto:[hidden email]]
Sent: Sunday, February 18, 2007 2:07 PM
To: Sunava Dutta
Cc: Web API WG (public); Zhenbin Xu
Subject: Re: XMLHttpRequest for Last Call

Sunava Dutta schrieb:
>
> This is fantastic, we took a look at the working draft and it looks
great.
> The IE team's looking forward to seeing it published!

Good to hear.

Are you actually planning to implement it? Such as support for WebDAV
method names? (remember that's a SHOULD-level requirement).

Best regards, Julian



Reply | Threaded
Open this post in threaded view
|

RE: XMLHttpRequest for Last Call

Julian Reschke

Sunava Dutta schrieb:

> Hello Julian,
> We do currently support all WebDAV HTTP verbs from RFC2518.
>
> PROPFIND
> PROPPATCH
> MKCOL
> GET
> HEAD
> POST
> DELETE
> PUT
> COPY
> MOVE
> LOCK
> UNLOCK
>
> And also OPTIONS.
>
> Details available here:
> http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml
> /reference/objects/obj_xmlhttprequest.asp

It's nice to know that you (know) allow the methods that you implement
in Microsoft products. But what about other methods specified in IETF
RFCs (RFC3253, RFC3648, RFC3744, ...) -- not invented here, thus evil?
They (still) do not work. What's the point in putting known methods into
a white list? By definition, POST is the most insecure methods because
it can do *anything*, so why restrict anything at all if you allow POST?

Best regards, Julian

Reply | Threaded
Open this post in threaded view
|

Re: XMLHttpRequest for Last Call

William Edney
In reply to this post by Sunava Dutta
Hi Sunava -

It should be made clear that these methods work *only* with IE's 'ActiveX' http object. The new built-in IE7 'native XMLHttpRequest' object has the following restrictions, according to the Microsoft website:

- Limited to GET, POST and HEAD HTTP verbs
- Limited to http:// or https:// protocols
- Limited to same port, host and domain

Cheers,

- Bill

William J. Edney
Team TIBET

On Feb 26, 2007, at 4:43 PM, Sunava Dutta wrote:


Hello Julian,
We do currently support all WebDAV HTTP verbs from RFC2518.

PROPFIND
PROPPATCH
MKCOL
GET
HEAD
POST
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK

And also OPTIONS.

Details available here:
/reference/objects/obj_xmlhttprequest.asp

Thanks!


-----Original Message-----
From: Julian Reschke [[hidden email]] 
Sent: Sunday, February 18, 2007 2:07 PM
To: Sunava Dutta
Cc: Web API WG (public); Zhenbin Xu
Subject: Re: XMLHttpRequest for Last Call

Sunava Dutta schrieb:

This is fantastic, we took a look at the working draft and it looks
great.
The IE team's looking forward to seeing it published!

Good to hear.

Are you actually planning to implement it? Such as support for WebDAV 
method names? (remember that's a SHOULD-level requirement).

Best regards, Julian





!DSPAM:45e362fa94931240465853!

William J. Edney
Product Evangelist, Team TIBET
314.757.9200



Reply | Threaded
Open this post in threaded view
|

Re: XMLHttpRequest for Last Call

Julian Reschke

William J. Edney schrieb:
> Hi Sunava -
>
> It should be made clear that these methods work *only* with IE's
> 'ActiveX' http object. The new built-in IE7 'native XMLHttpRequest'

That's why I raised a bug report calling that a regression
(<https://connect.microsoft.com/feedback/ViewFeedback.aspx?SiteID=136&FeedbackID=83800>,
not offline...)

> object has the following restrictions, according to the Microsoft website:
>
> - Limited to GET, POST and HEAD HTTP verbs
> - Limited to http:// or https:// protocols
> - Limited to same port, host and domain
>
> Cheers,
>
> - Bill

Well, even that information is incorrect - PROPFIND works (see
<http://lists.w3.org/Archives/Public/public-webapi/2006May/0209.html>).

Best regards, Julian


Reply | Threaded
Open this post in threaded view
|

Re: XMLHttpRequest for Last Call

William Edney
In reply to this post by William Edney
Sunava -

My bad. I could've sworn there was a page that mentioned that the native object only supported GET, POST and HEAD. This would've been around August time frame. Did this get changed before the final release of IE7? I guess I'm just getting old :-).

Note that the Microsoft page describing the call does have the words 'subset of HTTP verbs', but I guess from that its talking about the lack of support for CONNECT and TRACE.

Thanks for taking the time to respond.

Cheers,

- Bill


On Feb 27, 2007, at 2:52 PM, Sunava Dutta wrote:

Hello William,

Which site are you referring to? I’ll take a look and verify.

The information is incorrect.

 

From: William J. Edney [[hidden email]]
Sent: Monday, February 26, 2007 4:35 PM
To: Sunava Dutta
Cc: [hidden email]; [hidden email]
Subject: Re: XMLHttpRequest for Last Call

 

Hi Sunava -

 

It should be made clear that these methods work *only* with IE's 'ActiveX' http object. The new built-in IE7 'native XMLHttpRequest' object has the following restrictions, according to the Microsoft website:

 

- Limited to GET, POST and HEAD HTTP verbs

- Limited to http:// or https:// protocols

- Limited to same port, host and domain

 

Cheers,

 

- Bill

 

William J. Edney

Team TIBET

 

On Feb 26, 2007, at 4:43 PM, Sunava Dutta wrote:



 

Hello Julian,

We do currently support all WebDAV HTTP verbs from RFC2518.

 

            PROPFIND

            PROPPATCH

            MKCOL

            GET

            HEAD

            POST

            DELETE

            PUT

            COPY

            MOVE

            LOCK

            UNLOCK

 

And also OPTIONS.

 

Details available here:

/reference/objects/obj_xmlhttprequest.asp

 

Thanks!

 

 

-----Original Message-----

From: Julian Reschke [[hidden email]] 

Sent: Sunday, February 18, 2007 2:07 PM

To: Sunava Dutta

Cc: Web API WG (public); Zhenbin Xu

Subject: Re: XMLHttpRequest for Last Call

 

Sunava Dutta schrieb:

 

This is fantastic, we took a look at the working draft and it looks

great.

The IE team's looking forward to seeing it published!

 

Good to hear.

 

Are you actually planning to implement it? Such as support for WebDAV 

method names? (remember that's a SHOULD-level requirement).

 

Best regards, Julian

 

 

 

 

 

 

William J. Edney

Product Evangelist, Team TIBET

314.757.9200

 



 

!DSPAM:45e49ab7198847269712395!

William J. Edney
Product Evangelist, Team TIBET
314.757.9200