Bjoern Hoehrmann wrote:
* Jonas Sicking wrote:
Access-Control-Methods is worse as it would fairly often have to be used.
When would you be able to omit it? Admins who are clueless about their
server setup when enabling cross site requests are unlikely to be clue-
ful in using the header, so having the header would only really help if
it has to be used always.
Agreed. The one thing I could see doing would be to say that GET (and
maybe even POST) would always be whitelisted so if those were the only
actions you were using you wouldn't need the header.
The theory is that those methods are very common today, and can be
performed cross-site already, so it's unlikely that the server admin
would not expect those.
But I'd be happy to say that the header is always required.
/ Jonas
