On 2007-11-05 00:25:39 -0800, Jonas Sicking wrote:
> What I'm not thrilled about in the current spec, and I think
> Thomas touched on this in this thread, is that we're mixing
> server-side and client-side authentication when performing
> non-GET authorization.
>
> On one hand we're sending both the requesting domain (in
> Referer-Root) and the requested method (in Method-Check?) to the
> server. This is enough data for the server to simply send back a
> yes/no reply.
>
> But then we're letting the server send back both a set of allowed
> domains (in Access-Control/<?access-control?>) and a set of
> allowed methods (in Allow). This data too would be enough on its
> own to make a yes/no decision about if to authorize the non-GET
> request.
>
> Why do we solve the problem twice?

+100 to that point. We should be clear what the processing model is (and pick one!), and we should also be clear what use case the language addresses. Is this a language for users to inform their web servers, or is this a language for servers to inform user agents?

--
Thomas Roessler, W3C <[EMAIL PROTECTED]>
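The two authorization models the quoted message contrasts, written out side by side so the redundancy is visible. This is an added example, not code from the thread or from any draft of the spec: the header names (Referer-Root, Method-Check, Access-Control, Allow) are the ones the message cites, but the header value syntax (space-separated origins, comma-separated methods), the sample policy and the sample request are constructed assumptions for illustration.

```python
"""Added example (not from the thread or any spec draft): the two authorization
models Jonas contrasts, side by side, using the header names he cites.

Assumptions, labelled here and in comments: header value syntax is simplified
(a whitespace-separated origin list in Access-Control, a comma-separated method
list in Allow); the sample policy and messages are constructed for illustration.
"""

# Constructed server policy: which requesting domains and non-GET methods are
# allowed. Kept as two flat sets so that it can be expressed equally well as a
# server-side yes/no and as the two allow-lists of the client-side model.
ALLOWED_ORIGINS = {"http://app.example", "http://partner.example"}
ALLOWED_METHODS = {"POST", "DELETE"}

# Constructed authorization request from the user agent. Only the two headers
# named in the thread are shown; request line and other headers are omitted.
PREFLIGHT = """\
Referer-Root: http://app.example
Method-Check: DELETE
"""


def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lowercased name.

    Lines without a colon (e.g. a request or status line) are skipped.
    """
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def server_side_verdict(preflight_raw):
    """Model A: the server reads Referer-Root and Method-Check and decides.

    Under this model the Access-Control/Allow lists are redundant: the user
    agent needs nothing more than the verdict.
    """
    req = parse_headers(preflight_raw)
    origin = req.get("referer-root", "")
    method = req.get("method-check", "").upper()
    return origin in ALLOWED_ORIGINS and method in ALLOWED_METHODS


def server_policy_response():
    """Model B, server half: publish the policy as allow-lists.

    The request headers are not consulted at all, which is the mirror image
    of model A's redundancy: here Referer-Root and Method-Check carry nothing
    the server needs.
    """
    # Assumed syntax: origins separated by spaces, methods separated by commas.
    return (
        "Access-Control: " + " ".join(sorted(ALLOWED_ORIGINS)) + "\n"
        "Allow: " + ", ".join(sorted(ALLOWED_METHODS)) + "\n"
    )


def client_side_verdict(origin, method, response_raw):
    """Model B, user-agent half: check the requesting origin and method
    against the lists the server sent back.
    """
    resp = parse_headers(response_raw)
    origins = set(resp.get("access-control", "").split())
    methods = {m.strip().upper() for m in resp.get("allow", "").split(",") if m.strip()}
    return origin in origins and method.upper() in methods


def both_models(preflight_raw):
    """Run one request through both models. With a single policy behind them
    the verdicts coincide, which is the duplication the thread objects to.
    """
    req = parse_headers(preflight_raw)
    origin = req.get("referer-root", "")
    method = req.get("method-check", "")
    return (
        server_side_verdict(preflight_raw),
        client_side_verdict(origin, method, server_policy_response()),
    )


if __name__ == "__main__":
    print(both_models(PREFLIGHT))  # (True, True)
```

The practical difference between the two models is where enforcement lives: in model A the server decides and can refuse before anything else happens; in model B the decision is made in the user agent, so a server that only publishes lists is trusting the client to honour them and should still apply its own policy when the real non-GET request arrives. Note also that Allow is already a standard HTTP/1.1 response header (the methods a resource supports); the example follows the message in treating it as the allowed-methods list.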
