On 22.09.2010 21:26, Anne van Kesteren wrote:
On Wed, 22 Sep 2010 21:20:09 +0200, Jonas Sicking <jo...@sicking.cc> wrote:
On Wed, Sep 22, 2010 at 12:16 PM, Anne van Kesteren <ann...@opera.com>
wrote:
We don't want to keep updating the "safe" list. So they're all
"unsafe". Or
maybe not "unsafe", just not compatible with HTML forms.
What we're really concerned about here is the HTML/SVG/web/whathaveyou
same-origin security model that browsers implement and servers
generally rely on. This model only allows cross-origin requests that
use get/head/post-with-some-content-types. So that might be the term
to use here.
What term?
"simple methods" is by the way just an indication of whether they follow
the "simple cross-origin request" set of steps. "simple" has nothing to
do with "safe". They are distinct terms.
Again:
CORS, 6.1.5.:
"To protect resources against cross-origin access with methods that have
side effects an preflight request is made to ensure that the resource is
ok with the request."
This is misleading IMHO.
Best regards, Julian
