On 12.06.2006 at 10:47, Julian Reschke wrote:

> Stefan Eissing wrote:
>> ...
>> What I mean is that XHR would have the following behavior:
>> - Implement a "whitelist" of methods and uses which are known to
>> be "safe"
>> - For all methods outside of this, let XHR ask the server if it is
>> ok. For example, let XHR send an OPTIONS request and look for an
>> XHR-Allow header, listing the methods allowed to XHR. (or
>> whatever, the key is that the server is in control)
>> Seems to me that this approach puts server application developers
>> in the driver's seat and lets browser developers stay safe by
>> default, no matter what future http will bring.
>
> Can you give an example where a server that implements method X
> would return it in the "Allow" header, but not in the "XHR-Allow"
> header?

Sure. A server allowing POST for ordering you a book, but not allowing
it from XHR requests from pages coming from a different site.

The last part is the key, of course. I am assuming that methods against
the originating server of a page are always allowed and that we are
talking about securing requests to other servers and methods used in
them. Please correct me if I got this wrong.

//Stefan

Received on Monday, 12 June 2006 09:12:37 GMT
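The scheme discussed in the message above, as an added example that is not code from the thread or from any browser: a model of the "ask the server first" idea with the server written as a plain function so it runs offline under node. The origins, the paths, the exact spelling of the XHR-Allow value and the idea that the server is told which page is asking are all assumptions made for illustration, not anything the thread specifies.

```javascript
// Added example (not from the mailing-list thread). Models the proposal:
// safe methods go anywhere, same-server requests always go, everything
// else is gated on an OPTIONS probe that must list the method in XHR-Allow.

// Methods XHR may send to any server without asking (the "whitelist").
const SAFE_METHODS = new Set(['GET', 'HEAD']);

// Hypothetical book shop from the thread's example (assumed origin).
const BOOKSHOP_ORIGIN = 'https://shop.example';

// Parse a comma-separated method list such as "GET, HEAD, POST" into a Set.
function parseMethodList(value) {
  if (!value) return new Set();
  return new Set(value.split(',').map((m) => m.trim().toUpperCase()).filter(Boolean));
}

// Constructed server. POST /order works for everyone, so "Allow" always
// lists POST, but "XHR-Allow" lists POST only when the asking page is the
// shop's own site. req.origin is the origin of the page whose script is
// asking; the example assumes the browser conveys it, since otherwise the
// server has no way to tell pages apart.
function bookshopServer(req) {
  const allow = 'GET, HEAD, POST, OPTIONS';
  if (req.method === 'OPTIONS') {
    const sameSite = req.origin === BOOKSHOP_ORIGIN;
    const xhrAllow = sameSite ? 'GET, HEAD, POST' : 'GET, HEAD';
    return { status: 200, headers: { Allow: allow, 'XHR-Allow': xhrAllow }, body: '' };
  }
  if (req.method === 'GET' && req.path === '/catalog') {
    return { status: 200, headers: {}, body: 'catalog' };
  }
  if (req.method === 'POST' && req.path === '/order') {
    return { status: 200, headers: {}, body: 'order placed' };
  }
  return { status: 405, headers: { Allow: allow }, body: '' };
}

// Browser side: may XHR on a page from pageOrigin send `method` to the
// server at serverOrigin? Probes with OPTIONS when the rules require it.
// Returns { sent: true, response } or { sent: false, reason }.
function xhrSend(pageOrigin, serverOrigin, method, path, server) {
  const m = method.toUpperCase();
  const req = { method: m, path, origin: pageOrigin };

  // Same server as the page: always allowed (the assumption in the post).
  // Safe methods: allowed to any server without asking.
  if (pageOrigin === serverOrigin || SAFE_METHODS.has(m)) {
    return { sent: true, response: server(req) };
  }

  // Anything else: ask first. Only XHR-Allow counts; the plain Allow header
  // is ignored, which is exactly what lets the shop give the answer it does.
  const probe = server({ method: 'OPTIONS', path, origin: pageOrigin });
  const allowed = parseMethodList(probe.headers['XHR-Allow']);
  if (!allowed.has(m)) {
    return { sent: false, reason: `${serverOrigin} did not list ${m} in XHR-Allow for ${pageOrigin}` };
  }
  return { sent: true, response: server(req) };
}

// Walk through the thread's example (constructed cases).
const cases = [
  ['https://shop.example', 'POST', '/order'],    // own page ordering a book
  ['https://other.example', 'GET', '/catalog'],  // foreign page, safe method
  ['https://other.example', 'POST', '/order'],   // foreign page trying to order
];
for (const [page, method, path] of cases) {
  const r = xhrSend(page, BOOKSHOP_ORIGIN, method, path, bookshopServer);
  console.log(page, method, path, '->',
    r.sent ? `sent, ${r.response.status} ${r.response.body}` : `blocked: ${r.reason}`);
}
```

Two things the model makes visible. The gate runs in the browser, so it only holds for browsers that implement it; the shop still has to authenticate the order itself. And the server can only answer per page if the browser tells it which page is asking, which this example does through `req.origin`; the thread does not say how that would be carried, and the header later standardized for it in CORS is `Origin`.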
This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 6 June 2008 08:04:29 GMT