Re: HTTPbis and the Same Origin Policy

On 2009/11/26 6:34, Tyler Close wrote:

> My impression is that the undefined consensus understanding of the
> Same Origin Policy incorporates the rule that no API (not just a
> specific API, such as HTML form) can allow a cross-origin PUT, unless
> the target resource has somehow opted out of SOP protection. This
> rule, and others like it, are the source of much of the complexity in
> CORS. These rules are not left to the application layer.

If I write something like a webbot, I can execute whatever PUT requests 
(or other HTTP requests) I want, or can't I? An API such as libcurl 
(http://curl.haxx.se/libcurl/) doesn't contain any such restrictions, or 
does it?

Regards,   Martin.

-- 
#-# Martin J. Dürst, Professor, Aoyama Gakuin University
#-# http://www.sw.it.aoyama.ac.jp   mailto:duerst@it.aoyama.ac.jp

Received on Thursday, 26 November 2009 01:18:06 UTC
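
The distinction raised in this message, as an added example that is not part of the original thread: a loopback server whose preflight answer would make a browser withhold a cross-origin PUT, and a scripted client (Python's urllib standing in for a webbot) that sends the PUT anyway, so only the server's own authorisation check decides the outcome. The token, the `/doc` path, the `http://other.example` origin and all function names are constructed for the illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

TOKEN = "constructed-demo-token"  # constructed value, not from the thread

def make_handler(require_token):
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_OPTIONS(self):
            # Preflight answer with no Access-Control-Allow-* headers: a browser
            # enforcing SOP/CORS would not send the cross-origin PUT after this.
            self._reply(204)

        def do_PUT(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            authorised = self.headers.get("Authorization") == "Bearer " + TOKEN
            self._reply(401 if require_token and not authorised else 204)

        def _reply(self, status):
            self.send_response(status)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler

def scripted_put(url, origin=None, token=None):
    """PUT from a non-browser client: no preflight, Origin is whatever we set."""
    req = urllib.request.Request(url, data=b"payload", method="PUT")
    if origin:
        req.add_header("Origin", origin)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_demo(require_token, **client):
    server = http.server.HTTPServer(("127.0.0.1", 0), make_handler(require_token))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return scripted_put("http://127.0.0.1:%d/doc" % server.server_port, **client)
    finally:
        server.shutdown()
        server.server_close()
```

`run_demo(False, origin="http://other.example")` shows the PUT accepted when the server relies on browser enforcement alone; `run_demo(True, ...)` shows the same request refused unless the token is presented.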