Can the set of safelisted methods be extended? #1774

Open
Description

@reschke

What problem are you trying to solve?

There are HTTP methods defined to be "safe" which nevertheless require CORS preflights.

What solutions exist today?

None (AFAIU) except to do the preflight.

How would you solve it?

Adding to the defined in

https://fetch.spec.whatwg.org/#cors-safelisted-method

In theory we could discuss this for some WebDAV methods as well (PROPFIND etc), but what's more important would be QUERY once it's there.

Anything else?

No response

Activity

annevk (Member) commented on Sep 19, 2024

No, the safelisted methods are essentially part of the web's same-origin policy. Extending the list would subvert server expectations.
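
The distinction this thread turns on, as an added example that is not part of the issue or of the Fetch Standard's text: a simplified JavaScript model of when a cross-origin request is preflighted, showing that HTTP-safe methods such as PROPFIND and QUERY are still not CORS-safelisted. The function names are hypothetical, QUERY is assumed to be defined as safe, and the header check omits Range and the byte-level value rules.

```javascript
// Added example: simplified model of the Fetch preflight decision.
// Helper names are hypothetical; `headers` are the author-set request headers.

// CORS-safelisted methods: a fixed list in the Fetch Standard.
const CORS_SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Methods with safe (read-only) HTTP semantics. PROPFIND is safe per RFC 4918;
// QUERY is assumed to be defined as safe, as the issue anticipates.
const HTTP_SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "PROPFIND", "QUERY"]);

const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Fetch only upper-cases these six methods; any other token is sent as written.
function normalizeMethod(method) {
  const upper = method.toUpperCase();
  return ["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"].includes(upper) ? upper : method;
}

// Simplified: omits Range and the unsafe-byte checks on header values.
function isSafelistedHeader(name, value) {
  if (value.length > 128) return false;
  switch (name.toLowerCase()) {
    case "accept": case "accept-language": case "content-language":
      return true;
    case "content-type":
      return SAFELISTED_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
    default:
      return false;
  }
}

function needsPreflight(method, headers = {}) {
  if (!CORS_SAFELISTED_METHODS.has(normalizeMethod(method))) return true;
  return Object.entries(headers).some(([n, v]) => !isSafelistedHeader(n, v));
}

function classify(method, headers = {}) {
  const m = normalizeMethod(method);
  return { method: m, httpSafe: HTTP_SAFE_METHODS.has(m), preflight: needsPreflight(m, headers) };
}

// Constructed sample requests.
const samples = [["GET", {}], ["POST", { "Content-Type": "application/json" }],
  ["PROPFIND", {}], ["QUERY", { "Content-Type": "text/plain" }]];
for (const [m, h] of samples) console.log(classify(m, h));
```
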

reschke (Author) commented on Sep 19, 2024

I'm not surprised, but I wanted to see this written down in order to resolve discussions for QUERY.

reschke (Author) commented on Sep 19, 2024

Maybe a comment about the non-extensibility of the safe methods/fields/media types could be added somewhere so it would be possible to link to it? (apologies if it's already there)

annevk (Member) commented on Sep 19, 2024

Yeah that's fair. Perhaps there should be a short "Same-origin policy" section in the "Background reading" appendix.

reopened this on Sep 19, 2024

reschke (Author) commented on Oct 17, 2024

@annevk - are you still planning to do this? Alternatively we could either stay silent about the topic, or briefly say what you said above. But my preference would be to point somewhere else...

added and removed the "needs implementer interest" label (Moving the issue forward requires implementers to express interest) on Oct 17, 2024

annevk (Member) commented on Oct 17, 2024

Eventually, yes, but I'm not actively working on this at the moment.

reschke (Author) commented on Nov 13, 2024