Is the user or the Referer-Root site accountable for a cross-domain non-GET
request? Does the proposed protocol make it possible for the site hosting the
resource to correctly determine the answer to that question?
I think I have answered the accountability question in
http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0076.html
Additionally, I still think that this situation exists today. Anyone can
set up a CGI that accepts posts from any site. Who would such a CGI hold
accountable today? Sure, the CGI could be written such that it rejects
cross-site posts, but if it chooses not to, who would it hold accountable?
/ Jonas
