The current vague state of PUT and DELETE in HTML5

If you followed my REST in peace presentation, you probably noticed that I was a bit angry at HTML5.

The story is pretty straightforward: the original working draft also included the PUT and DELETE verbs in the form's method attribute, while, one year ago, an update to the draft removed them.

A month ago I announced that the working group was reconsidering its decision following the suggestions of Mike Amundsen. Shortly after, we have a new proposal, which introduces the management of HTTP headers in forms.

I still don’t know if the proposal will be implemented in HTML5, but imagine a world with:

HTTP headers in HTML forms
<form action="/users/1" method="PUT">
  <input type="header" name="Authorization" value="BASIC"/>
  <input type="hidden" name="realm" value="[email protected]"/>

  <input type="text" name="username"/>
  <input type="email" name="username"/>
  <input type="password" name="password"/>
        ...
</form>
