On 12.06.2006 at 11:42, Anne van Kesteren wrote:

> On Mon, 12 Jun 2006 11:12:30 +0200, Stefan Eissing
> <stefan.eissing@greenbytes.de> wrote:
>> The last part is the key, of course. I am assuming that methods
>> against the originating server of a page are always allowed and
>> that we are talking about securing requests to other servers and
>> methods used in them. Please correct me, if I got this wrong.
>
> You got this wrong. The discussion here is about (the first version
> of) XMLHttpRequest which will only allow same-origin requests.

Thanks for the correction. Well, in that case I agree with Roy's comment that instead of restricting methods it is superior to restrict the (manipulation of) information sent to the server. So, basically a whitelist of settable/sent headers with some name prefix ("x-"?) left open for individual applications/experimentation.

//Stefan

Received on Monday, 12 June 2006 10:12:39 GMT
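The header whitelist proposed in the message above, as an added example that is not part of the original thread or of any XMLHttpRequest specification text. The allowlisted names, the `checkHeader` and `filterHeaders` functions, and the sample input are assumptions made for illustration; only the open "x-" prefix comes from the message.

```javascript
// Added example: allowlist for script-settable request headers.
// ALLOWED_HEADERS is an assumed set; the thread does not list names.
const ALLOWED_HEADERS = new Set([
  "accept", "accept-language", "content-type", "if-match", "if-none-match",
]);
const OPEN_PREFIX = "x-"; // prefix left open for applications, per the message

// HTTP header field names are "token" characters only (no spaces, colons, CR/LF).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Decide whether one script-supplied header may be sent.
function checkHeader(name, value) {
  if (typeof name !== "string" || !TOKEN.test(name)) {
    return { ok: false, reason: "invalid-name" };
  }
  // CR, LF or NUL in a value would let one header smuggle another.
  if (typeof value !== "string" || /[\r\n\0]/.test(value)) {
    return { ok: false, reason: "invalid-value" };
  }
  const lower = name.toLowerCase(); // header names are case-insensitive
  if (ALLOWED_HEADERS.has(lower)) return { ok: true, reason: "allowlisted" };
  if (lower.startsWith(OPEN_PREFIX) && lower.length > OPEN_PREFIX.length) {
    return { ok: true, reason: "open-prefix" };
  }
  return { ok: false, reason: "not-allowlisted" };
}

// Split requested headers into those sent and those dropped (with reason).
function filterHeaders(requested) {
  const sent = {};
  const dropped = [];
  for (const [name, value] of requested) {
    const verdict = checkHeader(name, value);
    if (verdict.ok) sent[name.toLowerCase()] = value;
    else dropped.push([name, verdict.reason]);
  }
  return { sent, dropped };
}

// Constructed sample input, not taken from the thread.
const SAMPLE = [
  ["Accept", "application/xml"],
  ["X-App-Token", "abc"],
  ["Host", "other.example"],
  ["x-note", "a\r\nHost: other.example"],
  ["X-", "v"],
  ["Content Length", "0"],
];
```

An open `x-` prefix also admits names such as `X-Forwarded-For`, so a server that trusts those headers needs its own check.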
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:38:24 GMT