Comments:

* "It should not be possible to perform cross-site non-safe operations, i.e., HTTP operations except for GET, HEAD, and OPTIONS, without a method check request being performed." -- this specifies a solution in the requirements.

* "Must be deployable to IIS and Apache without requiring actions by the server administrator in a configuration where the user can upload static files, run serverside scripts (such as PHP, ASP, and CGI), control HTTP headers, and control authorization, but only do this for URIs under a given set of subdirectories on the server." This is incredibly specific; neither p3p.xml nor robots.txt supports the last condition, and yet that hasn't stopped their deployment. This also isn't motivated by any of the use cases. I dispute that this is a real requirement.

* "It should be possible to issue methods other than GET to the server, such as POST and DELETE." Add to this: "The solution must not unduly penalise use of methods other than GET, e.g., with performance degradation. Likewise, it must not penalise use of a particular style of URI, or the use of a large number of URIs."

--
Mark Nottingham
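The first comment quotes a requirement that a cross-site non-safe method (anything other than GET, HEAD or OPTIONS) must be preceded by a "method check request". The following is an added example, not code from the message above or from the requirements document, modelling that rule as a server-side policy: safe methods pass without a check, a method check is an OPTIONS request naming the method the client intends to use, and a non-safe method is accepted only from an origin whose check for that method succeeded. The request field names, the per-origin allowed-method table and the in-memory approval cache are all assumptions made for this illustration.

```python
# Added example (not from the original message or the requirements
# document): a toy model of the "method check request" requirement
# quoted in the first comment. The request field names and the
# allowed-method table are assumptions made for illustration.

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class MethodCheckPolicy:
    """Decide whether a cross-site request may proceed.

    allowed_by_origin maps an origin to the set of non-safe methods it is
    permitted to use. A non-safe method is accepted from an origin only
    after that origin has made a successful method check for it.
    """

    def __init__(self, allowed_by_origin):
        self.allowed_by_origin = {
            origin: frozenset(m.upper() for m in methods)
            for origin, methods in allowed_by_origin.items()
        }
        # (origin, method) pairs that have passed a method check. Caching
        # the result means a second POST from the same origin does not pay
        # for another round trip, which is the third comment's concern.
        self.approved = set()

    def handle(self, request):
        """Return (status, reason) for a request dict.

        request keys (constructed for this example):
          "method"        HTTP method
          "origin"        requesting site, or None for a same-site request
          "method_check"  on an OPTIONS request, the method being asked about
        """
        method = request["method"].upper()
        origin = request.get("origin")

        if origin is None:
            return 200, "same-site request, no check required"

        # A method check: OPTIONS asking whether `method_check` is allowed.
        if method == "OPTIONS" and "method_check" in request:
            wanted = request["method_check"].upper()
            if wanted in self.allowed_by_origin.get(origin, frozenset()):
                self.approved.add((origin, wanted))
                return 200, f"{wanted} permitted for {origin}"
            return 403, f"{wanted} not permitted for {origin}"

        # Safe methods are allowed cross-site without a check.
        if method in SAFE_METHODS:
            return 200, f"{method} is safe, no check required"

        # Non-safe methods need a prior successful method check.
        if (origin, method) in self.approved:
            return 200, f"{method} allowed after method check"
        return 403, f"{method} from {origin} without a method check"


def demo():
    """Run a constructed sequence of requests and return the statuses."""
    policy = MethodCheckPolicy({"https://app.example": {"POST", "DELETE"}})
    sequence = [
        {"method": "GET", "origin": "https://app.example"},
        {"method": "POST", "origin": "https://app.example"},
        {"method": "OPTIONS", "origin": "https://app.example",
         "method_check": "POST"},
        {"method": "POST", "origin": "https://app.example"},
        {"method": "DELETE", "origin": "https://app.example"},
        {"method": "OPTIONS", "origin": "https://other.example",
         "method_check": "POST"},
        {"method": "POST", "origin": None},
    ]
    return [policy.handle(r)[0] for r in sequence]


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The sequence in `demo()` shows the rule at work: the first POST is refused because no method check has been made, the same POST succeeds once the OPTIONS check for POST has been answered, and DELETE is still refused because the check covered POST only. The cache of approved (origin, method) pairs is the part that addresses the third comment: without it every non-safe request would cost an extra round trip.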