This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 7709 - Prevent PUT/DELETE cross-origin
Summary: Prevent PUT/DELETE cross-origin
Alias: None
Product: HTML WG
Classification: Unclassified
Component: pre-LC1 HTML5 spec (editor: Ian Hickson) (show other bugs)
Version: unspecified
Hardware: PC Linux
: P2 normal
Target Milestone: ---
Assignee: Ian 'Hixie' Hickson
QA Contact: HTML WG Bugzilla archive list
Keywords: NE, NoReply
Depends on:
Reported: 2009-09-23 12:38 UTC by Anne
Modified: 2010-10-04 13:55 UTC (History)
5 users (show)

See Also:


Description Anne 2009-09-23 12:38:14 UTC
I think it is great that PUT and DELETE are now supported in HTML Forms but I think we cannot make them go cross-origin without introducing new potential attacks so they need to be behind a same-origin check. This is certainly not ideal, but I do not see any other way of making this work perhaps short of using CORS, but I'm not sure we want to go there just yet.
Comment 1 contributor 2009-09-29 09:29:22 UTC
Checked in as WHATWG revision r4042.
Check-in comment: Block cross-origin PUT and DELETE from <form>s for now.
Comment 2 Julian Reschke 2009-09-29 09:41:01 UTC
How exactly are PUT and DELETE more dangerous than POST?
Comment 3 Anne 2009-09-29 09:46:23 UTC
If allowed, they would be new attack vectors. This bug is fixed. If you disagree with this bug it seems better to file a new one.
Comment 4 Maciej Stachowiak 2010-03-14 14:51:41 UTC
This bug predates the HTML Working Group Decision Policy.

If you are satisfied with the resolution of this bug, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:

This bug is now being moved to VERIFIED. Please respond within two weeks. If this bug is not closed, reopened or escalated within two weeks, it may be marked as NoReply and will no longer be considered a pending comment.