Jonas Sicking wrote:
Actually, once we're supporting cross site GET requests, I think we
there should definitely mention that the entity body of GET (and
probably HEAD) requests are dropped. Otherwise there is some risk that
there are servers out there that will do dangerous things when receiving
GET requests with an entity body, such as treat it as a POST.
This seems like just one more argument for explicitly stating that the
entity body for GET should be dropped at an XHR level.
...
Well, no.
If this really is a problem, then it would be reason to disallow request
bodies for *any* method on cross-site requests.
BR, Julian