Mark Nottingham wrote:
> Comments:
> * "It should not be possible to perform cross-site non-safe operations,
> i.e., HTTP operations except for GET, HEAD, and OPTIONS, without a
> method check request being performed." -- this specifies a solution in
> the requirements.
I agree the link should be removed. And I guess saying "without first
checking that the server is ok with this" might be more generic wording?
> * "Must be deployable to IIS and Apache without requiring actions by the
> server administrator in a configuration where the user can upload static
> files, run serverside scripts (such as PHP, ASP, and CGI), control HTTP
> headers, and control authorization, but only do this for URIs under a
> given set of subdirectories on the server." This is incredibly specific;
> neither p3p.xml nor robots.txt supports the last condition, and yet that
> hasn't stopped their deployment. This also isn't motivated by any of the
> use cases. I dispute that this is a real requirement.
Unfortunately the part of being specific was requested. I would have
much rather said that it should be deployable in typical server
configurations.
Regarding only being able to control responses under certain
directories, I think this is a pretty common setup. That's the
configuration we used at my university where I could only control
resources under /~e97_jsi, and it's the case at work where I can only
control resources under /~sicking.
> * "It should be possible to issue methods other than GET to the server,
> such as POST and DELETE." Add to this: "The solution must not unduly
> penalise use of methods other than GET, e.g., with performance
> degradation. Likewise, it must not penalise use of a particular style of
> URI, or the use of a large number of URIs."
Sounds good to me. The only thing is that it sounds like it's ok to
penalize GET requests. Maybe instead adding a new requirement:
The solution must not unduly penalise cross-site requests with
performance degradation. Likewise, it must not unduly penalise use of a
particular style of URI, or the use of a large number of URIs.
/ Jonas
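As an added sketch (not code from this thread or from the specification under discussion), the gate the first requirement implies: safe methods go straight through, any other cross-site method must first be approved by the target server. The server's policy is modelled per directory prefix, matching the "only control URIs under a subdirectory" deployment case, and approvals are remembered per prefix so a large number of URIs does not each pay a method-check round trip. The policy format, the cache and all names are assumptions for illustration.

```python
# Toy model of "no cross-site non-safe operation without a method check".
# Constructed example; policy format and caching strategy are assumptions.
from urllib.parse import urlsplit

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Hypothetical server-side policy: path prefix -> {origin: allowed methods}.
# A user who only controls /~sicking can grant nothing for other paths.
SERVER_POLICY = {
    "/~sicking/": {"http://app.example": {"POST", "DELETE"}},
}


def method_check(path, origin, method):
    """Server side: the policy prefix covering PATH if ORIGIN may use METHOD
    there, otherwise None (a path no policy covers is denied)."""
    for prefix, grants in SERVER_POLICY.items():
        if path.startswith(prefix) and method in grants.get(origin, set()):
            return prefix
    return None


class Client:
    """Client side: enforces the check and counts the round trips it costs."""

    def __init__(self):
        self.approved = set()  # (origin, prefix, method) already approved
        self.checks = 0        # number of method-check round trips performed

    def request(self, origin, url, method):
        path = urlsplit(url).path
        if method in SAFE_METHODS:
            return True  # safe method: no check required
        for (o, prefix, m) in self.approved:
            if o == origin and m == method and path.startswith(prefix):
                return True  # earlier approval covers this URI, no new check
        self.checks += 1
        prefix = method_check(path, origin, method)
        if prefix is None:
            return False  # server did not approve: request is not sent
        self.approved.add((origin, prefix, method))
        return True
```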