On Fri, 04 Jan 2008 19:42:03 +0100, Jon Ferraiolo <[EMAIL PROTECTED]>
wrote:
It is true that the web developer might choose to put the access control
information within XML content via a PI entity body might hold an access
control PI. In that case, the only way to go is GET. However, for non-XML
workflows such as JSON (and that's what the Ajax guys are focused on
these
days), then they have to use the HTTP header approach, in which case HEAD
is the preferred way to go if all you want to do is determine if POST is
allowed and you don't want a content block sent back to the client.
For the authorization request format details don't matter. Even if you use
JSON you could still use XML for the authorizatoin request response. That
response could also have an empty entity body in which case there's not
really any noticeable difference.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
