Re: Extension methods & XMLHttpRequest

Am 12.06.2006 um 10:47 schrieb Julian Reschke:

> Stefan Eissing schrieb:
>> ...
>> What I mean is that XHR would have the following behavior:
>> - Implement a "whitelist" of methods and uses which are known to  
>> be "safe"
>> - For all methods outside of this, let XHR ask the server if it is  
>> ok. For example, let XHR send an OPTIONS request and look for an  
>> XHR-Allow header, listing the methods allowed to XHR. (or  
>> whatever, the key is that the server is in control)
>> Seems to me that this approach puts server application developers  
>> in the driver seat and lets browser developers stay safe by  
>> default, no matter what future http will bring.
>
> Can you give an example where a server that implements method X  
> would return it in the "Allow" header, but not in the "XHR-Allow"  
> header?

Sure. A server allowing POST for ordering you a book, but not  
allowing it from XHR requests from pages coming from a different site.

The last part is the key, of course. I am assuming that methods  
against the originating server of a page are always allowed and that  
we are talking about securing requests to other servers and methods  
used in them. Please correct me if I got this wrong.

//Stefan

Received on Monday, 12 June 2006 09:12:37 UTC
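The handshake Stefan sketches above (a client-side whitelist of safe methods, an OPTIONS probe for everything else, and a server-sent XHR-Allow header that can be narrower than Allow) is easier to reason about when both sides are written down. The following is an added example, not code from the thread or from any browser or server of the time; it models the two sides as plain functions so it runs offline. The header name XHR-Allow comes from the thread; the policy table, origins, paths and the GET/HEAD safe list are assumptions for illustration, and the example generalises the book-ordering case to a per-origin policy.

```javascript
// Constructed model of the "ask the server first" scheme from the thread.
// Nothing here touches the network: the user-agent side calls the server
// side directly through the doOptions callback.

// Methods the user agent is willing to send cross-site without asking.
// GET/HEAD as the "safe" set is an assumption for this example.
const SAFE_METHODS = new Set(["GET", "HEAD"]);

// Server-side policy (assumed). "allow" is what the resource supports at
// all (the ordinary Allow header); "xhrAllow" is what it will accept from
// XHR on pages served by a given origin, with "*" as the fallback.
const serverPolicy = {
  "/orders": {
    allow: ["GET", "POST", "OPTIONS"],
    xhrAllow: {
      "https://partner.example": ["GET", "POST"], // trusted partner may order
      "*": ["GET"],                               // anyone else: read-only
    },
  },
};

// Server side: answer an OPTIONS request for `path` from a page at `origin`.
// Returns a minimal response object {status, headers}.
function handleOptions(policy, path, origin) {
  const resource = policy[path];
  if (!resource) return { status: 404, headers: {} };
  const xhrMethods = resource.xhrAllow[origin] || resource.xhrAllow["*"] || [];
  return {
    status: 200,
    headers: {
      "Allow": resource.allow.join(", "),
      "XHR-Allow": xhrMethods.join(", "),
    },
  };
}

// Parse a comma-separated method list header into an upper-cased Set.
// Tolerates missing header, extra whitespace and empty entries.
function parseMethodList(headerValue) {
  return new Set(
    (headerValue || "")
      .split(",")
      .map((m) => m.trim().toUpperCase())
      .filter((m) => m.length > 0)
  );
}

// User-agent side: decide whether an XHR from a page at `pageOrigin` may
// send `method` to `path` on `targetOrigin`. `doOptions(path, origin)`
// performs the OPTIONS probe (here: a direct call into the model server).
function xhrGate(method, pageOrigin, targetOrigin, path, doOptions) {
  const m = method.toUpperCase();
  // Requests back to the page's own server are always allowed (thread's assumption).
  if (pageOrigin === targetOrigin) return { allowed: true, reason: "same-origin" };
  // Whitelisted safe methods need no round trip.
  if (SAFE_METHODS.has(m)) return { allowed: true, reason: "safe method" };
  // Everything else: ask the server and trust only XHR-Allow, not Allow.
  const resp = doOptions(path, pageOrigin);
  if (resp.status !== 200) return { allowed: false, reason: "OPTIONS failed" };
  const permitted = parseMethodList(resp.headers["XHR-Allow"]);
  return permitted.has(m)
    ? { allowed: true, reason: "listed in XHR-Allow" }
    : { allowed: false, reason: "not listed in XHR-Allow" };
}

// Convenience wrapper so callers can run the whole exchange in one line.
function decide(method, pageOrigin, path) {
  const target = "https://shop.example"; // assumed target server
  return xhrGate(method, pageOrigin, target, path,
    (p, o) => handleOptions(serverPolicy, p, o));
}

// Example run: the book-ordering case from the thread.
console.log(decide("POST", "https://shop.example", "/orders"));   // same-origin: allowed
console.log(decide("POST", "https://partner.example", "/orders")); // partner: allowed via XHR-Allow
console.log(decide("POST", "https://evil.example", "/orders"));    // stranger: refused
console.log(decide("GET", "https://evil.example", "/orders"));     // safe method: no probe needed
```

The point the thread makes is visible in the last two decisions: the resource advertises POST in Allow for everybody, yet the user agent sends a cross-site POST only when the origin-specific XHR-Allow list names it, so the server application decides rather than the browser. A real deployment would also have to cache or rate-limit the OPTIONS probes and decide what to do when a server ignores the header entirely; the model above simply refuses in that case.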