Anne, It is true that the web developer might choose to put the access control information within XML content via a PI entity body might hold an access control PI. In that case, the only way to go is GET. However, for non-XML workflows such as JSON (and that's what the Ajax guys are focused on these days), then they have to use the HTTP header approach, in which case HEAD is the preferred way to go if all you want to do is determine if POST is allowed and you don't want a content block sent back to the client.
Jon
"Anne van
Kesteren"
<[EMAIL PROTECTED] To
> Jon Ferraiolo/Menlo Park/[EMAIL
PROTECTED],
"Web Application Formats Working
01/04/2008 10:29 Group WG"
AM <[email protected]>
cc
Subject
Re: ISSUE-18: Is JSONRequest an
acceptable alternative to the
current model? [Access Control]
On Fri, 04 Jan 2008 19:15:32 +0100, Jon Ferraiolo <[EMAIL PROTECTED]>
wrote:
> Based on what Kris says above, it seems to me that both HEAD and GET need
> to be supported in order to comply with the HTTP spec.
It seems that Kris was not aware that the entity body of the response is
significant and that therefore there is a difference. I mentioned this in
my earlier reply to you.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
<<inline: graycol.gif>>
<<inline: pic28524.gif>>
<<inline: ecblank.gif>>
