Henri Sivonen wrote:
> On Oct 9, 2007, at 15:22, Thomas Roessler wrote:
>> The POST might change the state of that resource.
>> Why do we believe that it won't change the access-control policy
>> associated with the resource?
>
> What would be associated with the URI in a way that bypasses HTTP
> caching is knowledge about the capability of the server-side app to deal
> with cross-domain POSTs. It would be radically abnormal for an app to
> lose its capability to deal with cross-domain POSTs as the result of an
> earlier POST.
>
> OTOH, having a time-to-live value for the cross-domain method
> authorization makes sense, because services may otherwise change over time.
What we could do is to add a header to the response of the GET, targeted
specifically at access-control implementations, stating that the
access-control implementation is allowed to store the result of the
access-check for some specified amount of time.
Alternatively we could just give up on caching this and either say that
POST is going to be slow, or say that POST doesn't need an access check.
I'm still reluctant to do the latter though.
/ Jonas
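An added example, written for this page rather than taken from the thread or the draft, modelling the cached access check Jonas proposes: the access-check GET carries a time-to-live header, the user agent caches the answer per origin, URI and method until it expires, and a toy server whose policy can change shows the staleness window Thomas asked about. The header name is an assumption (it is the one the later CORS specification settled on); the server, clock and origins are constructed.

```python
# Assumption: the TTL header carries the name the later CORS spec used.
MAX_AGE_HEADER = "Access-Control-Max-Age"


class ToyServer:
    """Constructed resource whose cross-domain POST policy can be changed."""

    def __init__(self, allowed_origins, max_age):
        self.allowed_origins = set(allowed_origins)
        self.max_age = max_age  # seconds the UA may cache the result (0 = never)

    def access_check_get(self, origin):
        # The GET that asks whether `origin` may POST to this resource.
        allowed = origin in self.allowed_origins
        return {"allowed": allowed, MAX_AGE_HEADER: str(self.max_age)}


class AccessCheckCache:
    """Caches access-check results per (origin, uri, method) until expiry."""

    def __init__(self, clock):
        self.clock = clock   # injectable so expiry is driven deterministically
        self.entries = {}    # (origin, uri, method) -> (allowed, expires_at)

    def may_send(self, origin, uri, method, server):
        """Return (allowed, source); source is 'cache' or 'server'."""
        key = (origin, uri, method)
        now = self.clock()
        hit = self.entries.get(key)
        if hit is not None and hit[1] > now:
            return hit[0], "cache"
        self.entries.pop(key, None)  # drop an expired entry, if present
        resp = server.access_check_get(origin)
        ttl = max(0, int(resp.get(MAX_AGE_HEADER, "0")))
        if ttl > 0:  # a zero TTL means every POST pays for a fresh GET
            self.entries[key] = (resp["allowed"], now + ttl)
        return resp["allowed"], "server"


class FakeClock:
    def __init__(self, t=0):
        self.t = t

    def __call__(self):
        return self.t


def stale_window_demo(max_age=60):
    """Allow, cache, revoke, and see how long the stale 'allowed' survives."""
    clock = FakeClock()
    server = ToyServer(["https://app.example"], max_age)
    cache = AccessCheckCache(clock)
    args = ("https://app.example", "https://api.example/res", "POST", server)
    trace = [cache.may_send(*args)]        # t=0: checked, allowed, cached
    server.allowed_origins.clear()         # policy changes after a POST
    clock.t = 10
    trace.append(cache.may_send(*args))    # within TTL: stale 'allowed'
    clock.t = max_age + 1
    trace.append(cache.may_send(*args))    # expired: re-checked, now denied
    return trace
```

With `max_age=0` the second call already goes back to the server, which is the "POST is going to be slow" alternative in the thread.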