Open
Description
What problem are you trying to solve?
There are HTTP methods defined to be "safe" which nevertheless require CORS preflights.
What solutions exist today?
Non (AFAIU) expect to do the preflight.
How would you solve it?
Adding to the defined in
https://fetch.spec.whatwg.org/#cors-safelisted-method
In theory we could discuss this for some WebDAV methods as well (PROPFIND etc), but what's more important would be QUERY once it's there.
Anything else?
No response
Metadata
Metadata
Assignees
Type
Projects
Milestone
Relationships
Development
No branches or pull requests
Activity
annevk commentedon Sep 19, 2024
No, the safelisted methods are essentially part of the web's same-origin policy. Extending the list would subvert server expectations.
reschke commentedon Sep 19, 2024
I'm not surprised, but I wanted to see this written down in order to resolve discussions for QUERY.
reschke commentedon Sep 19, 2024
Maybe a comment about the non-extensibility of the safe methods/fields/media types could be added somwhere so it would be possible to link to it? (apologies if it's already there)
annevk commentedon Sep 19, 2024
Yeah that's fair. Perhaps there should be a short "Same-origin policy" section in the "Background reading" appendix.
reschke commentedon Oct 17, 2024
@annevk - are you still planning to do this? Alternatively we could either stay silent about the topic, or briefly say what you said above. But my preference would be to point somewhere else...
annevk commentedon Oct 17, 2024
Eventually, yes, but I'm not actively working on this at the moment.
reschke commentedon Nov 13, 2024
For now, see httpwg/http-extensions#2947