- From: Thomas Roessler <tlr@w3.org>
- Date: Mon, 5 Nov 2007 09:47:34 -0500
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
On 2007-11-05 00:25:39 -0800, Jonas Sicking wrote:
> What I'm not thrilled about in the current spec, and I think
> Thomas touched on this in this thread, is that we're mixing
> server-side and client-side authentication when performing
> non-GET authorization.
>
> On one hand we're sending both the requesting domain (in
> Referer-Root) and the requested method (in Method-Check?) to the
> server. This is enough data for the server to simply send back a
> yes/no reply.
>
> But then we're letting the server send back both a set of allowed
> domains (in Access-Control/<?access-control?>) and a set of
> allowed methods (in Allow). This data too would be enough on its
> own to make a yes/no decision about if to authorize the non-GET
> request.
>
> Why do we solve the problem twice?

+100 to that point. We should be clear what the processing model is (and pick one!), and we should also be clear what use case the language addresses. Is this a language for users to inform their web servers, or is this a language for servers to inform user agents?

--
Thomas Roessler, W3C <tlr@w3.org>
Received on Monday, 5 November 2007 14:47:43 UTC
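The client-side yes/no decision the quoted message describes (user agent checks the server's returned origin list and allowed methods against the requesting page and the requested method), as an added example that is not part of this thread or of the Access Control specification; the Access-Control header grammar used here is a simplified assumption, and the origins and methods are constructed:

```python
# Added illustration, not from the thread or the spec: how a user agent
# could turn the server's Access-Control (allowed origins) and Allow
# (allowed methods) headers into a single yes/no decision for a non-GET
# cross-site request. The "allow <origin> ..." / "deny <origin> ..."
# clause syntax is an assumed simplification, not the 2007 grammar.

from urllib.parse import urlsplit


def referer_root(page_url):
    """scheme://host[:port] of the requesting page (what Referer-Root carries)."""
    p = urlsplit(page_url)
    return f"{p.scheme}://{p.netloc}".lower()


def parse_allow(header):
    """Parse 'Allow: GET, POST' into a set of upper-case method names."""
    return {m.strip().upper() for m in header.split(",") if m.strip()}


def parse_access_control(header):
    """Assumed form: comma-separated 'allow o1 o2' / 'deny o1' clauses.
    A literal '*' in an allow clause matches any origin.
    Returns (allowed_origins, denied_origins)."""
    allowed, denied = set(), set()
    for clause in header.split(","):
        parts = clause.split()
        if len(parts) < 2:
            continue  # ignore malformed or empty clauses
        target = allowed if parts[0].lower() == "allow" else denied
        target.update(o.lower() for o in parts[1:])
    return allowed, denied


def authorize(page_url, method, access_control, allow):
    """True only if the origin is allowed (and not denied) AND the method
    is listed; a deny clause wins over any allow, including '*'."""
    origin = referer_root(page_url)
    allowed, denied = parse_access_control(access_control)
    if origin in denied:
        return False
    if origin not in allowed and "*" not in allowed:
        return False
    return method.upper() in parse_allow(allow)
```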