This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
I think it is great that PUT and DELETE are now supported in HTML Forms but I think we cannot make them go cross-origin without introducing new potential attacks so they need to be behind a same-origin check. This is certainly not ideal, but I do not see any other way of making this work perhaps short of using CORS, but I'm not sure we want to go there just yet.
Checked in as WHATWG revision r4042. Check-in comment: Block cross-origin PUT and DELETE from <form>s for now. http://html5.org/tools/web-apps-tracker?from=4041&to=4042
How exactly are PUT and DELETE more dangerous than POST?
If allowed, they would be new attack vectors. This bug is fixed. If you disagree with this bug it seems better to file a new one.
This bug predates the HTML Working Group Decision Policy. If you are satisfied with the resolution of this bug, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html This bug is now being moved to VERIFIED. Please respond within two weeks. If this bug is not closed, reopened or escalated within two weeks, it may be marked as NoReply and will no longer be considered a pending comment.