On Oct 9, 2007, at 15:22, Thomas Roessler wrote:
The POST might change the state of that resource. Why do we believe that it won't change the access-control policy associated with the resource?
What would be associated with the URI in a way that bypasses HTTP caching is knowledge about the capability of the server-side app to deal with cross-domain POSTs. It would be radically abnormal for an app to lose its capability to deal with cross-domain POSTs as the result of an earlier POST.
OTOH, having a time-to-live value for the cross-domain method authorization makes sense, because services may otherwise change over time.
-- Henri Sivonen [EMAIL PROTECTED] http://hsivonen.iki.fi/
