Here's a suggestion: The solution should not introduce additional attack vectors against services that are protected only by way of firewalls. This requirement addresses "intranet" style services that authorize any requests that can be sent to the service.
Note that this requirement does not preclude HEAD, OPTIONS, or GET requests (even with ambient authentication and session information). I would suggest refraining from any further discussion of what is or is not possible. -- Thomas Roessler, W3C <[EMAIL PROTECTED]>
