Can the set of safelisted methods be extended?

[reschke]

What problem are you trying to solve?

There are HTTP methods defined to be "safe" which nevertheless require CORS preflights.

What solutions exist today?

Non (AFAIU) expect to do the preflight.

How would you solve it?

Adding to the defined in

https://fetch.spec.whatwg.org/#cors-safelisted-method

In theory we could discuss this for some WebDAV methods as well (PROPFIND etc), but what's more important would be QUERY once it's there.

Anything else?

No response

[annevk]

No, the safelisted methods are essentially part of the web's same-origin policy. Extending the list would subvert server expectations.

[reschke]

I'm not surprised, but I wanted to see this written down in order to resolve discussions for QUERY.

[reschke]

Maybe a comment about the non-extensibility of the safe methods/fields/media types could be added somwhere so it would be possible to link to it? (apologies if it's already there)

[annevk]

Yeah that's fair. Perhaps there should be a short "Same-origin policy" section in the "Background reading" appendix.

[reschke]

@annevk - are you still planning to do this? Alternatively we could either stay silent about the topic, or briefly say what you said above. But my preference would be to point somewhere else...

[annevk]

Eventually, yes, but I'm not actively working on this at the moment.

[reschke]

For now, see httpwg/http-extensions#2947