On Oct 15, 2007, at 22:29, Ian Hickson wrote:
We can't use OPTIONS because Apache returns Allow: GET,HEAD,POST,OPTIONS,TRACE ...by default, which would basically mean that out of the box, any resource that support cross-site GET would automatically support cross-site POST.
This could be remedied by using a newly named header in the OPTIONS response (e.g. Method-Allow). As a further benefit, introducing new headers would allow the caching outlined in Anne's message.
Also, OPTIONS doesn't return a body, which is useful to authors who want to include the cross-domain rights in XML PIs rather than HTTP headers.
Do bad things happen if you do return an entity body in an OPTIONS response? Moreover, what's the point of using PIs if you have control over HTTP headers?
-- Henri Sivonen [EMAIL PROTECTED] http://hsivonen.iki.fi/
