Julian Reschke wrote:
Jonas Sicking wrote:
Disagreed. Please do not try to standardize HTTP APIs that profile
what HTTP allows.
XHR already disallows a lot of things that HTTP allows. Setting
certain headers, cross site requests, etc. Why is this different?
XHR should only disallow things when there's a good reason to do so,
that is, when the fact that XHR requests can be invoked by client-side
script in HTML pages affects the security picture.
I don't see what that would have to do with GET bodies.
Interoperability is IMHO a pretty good reason. I can't say I care super
much, but I still don't see any value in allowing bodies with GET requests.
But I do think that the spec does need to say something. Staying silent
and hoping that people won't depend on unspecified things is a tried and
failed method.
/ Jonas