On Thu, 03 Jan 2008 19:13:13 +0100, Jon Ferraiolo <[EMAIL PROTECTED]> wrote:
> Over at OpenAjax Alliance, we have had some recent discussion about
> Access Control and were wondering whether it was possible to use HEAD or
> OPTIONS instead of GET in order to find out if the server allows
> cross-site POST (or DELETE). There have been comments that if the primary
> goal is to determine if POST is allowed, then it is more consistent with
> HTTP guidelines to issue a GET or OPTIONS rather than only supporting GET.

Servers can't be easily made to respond to OPTIONS so therefore we use
GET. GET also allows for taking the entity body into account in case of
XML files. Given that we need GET I'm not sure what use it would be to
allow OPTIONS in addition. There are after all (obvious) downsides to such
an approach such as the OPTIONS way giving a different response and some
user agents following the OPTIONS route and some others the GET, etc.
Seems messy.

> BTW - It would be nice if the WAF WG home page had a link to the latest
> editorial draft in addition to the latest public draft.

The latest editor's draft can be found here:
http://dev.w3.org/2006/waf/access-control/
It seems that Art (thanks!) updated the home page today to include a
pointer to that draft.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>