Go-ethereum: Disallow PUT and DELETE on HTTP RPC

Created on 15 Nov 2017  路  2Comments  路  Source: ethereum/go-ethereum

Our HTTP RPC endpoint currently accepts requests on all request verbs (https://github.com/ethereum/go-ethereum/issues/15490#issuecomment-344618139). Perhaps we shouldn't do so blindly to avoid weird combinations that could potentially circumvent CORS? Would be nice to drop support for PUT and DELETE altogether, and think a bit about the others.

good first issue help wanted
Source
picture karalabe

All 2 comments

I can grab this.

What's the desired response and message for PUT and DELETE requests? 405 with any particular wording (if not we can probably just use Go's http.StatusText method for the error message)?

armaniferrante picture armaniferrante on 16 Nov 2017
👍1

You can use "method not allowed". That's usually the style with Go's built in HTTP errors too, just a lowercase string of the error itself.

karalabe picture karalabe on 16 Nov 2017
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

aakilfernandes picture aakilfernandes  路  3Comments
JMaxU picture JMaxU  路  3Comments
tymat picture tymat  路  3Comments
VoR0220 picture VoR0220  路  3Comments
bgrieder picture bgrieder  路  3Comments