- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Mon, 15 Oct 2007 19:23:33 +0200
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
* Anne van Kesteren wrote: >In case of https to http Referer would not be set so the server would not >know where the request originated. Third-party software sometimes also >blocks Referer for privacy reasons (data hidden in path). There's no >Method-Name header. The Method-Check header is purely informational. >Servers could refuse access to clients based on lack of either >Referer-Root or Method-Check though. OPTIONS responses can't easily be >configured by authors as I understand it. Then please remove the Method-Check header, it is not only unnecessary but also confusing (you give the false impression servers can meaning- fully respond differently depending on it and it complicate the proto- col, for example, it is unclear what to do with Vary: Method-Check). As for OPTIONS on specific resources, I am not sure what configuration might be necessary. With an ordinary CGI script on an Apache server, I can successfully issue a OPTIONS request without any configuration, and the response will include Allow and Access-Control headers just as I specify them in the script. What configurations did you have in mind? You didn't say why the processing instruction needs to be processed, could you elaborate on that? I don't understand your point about Referer-Root. What would I have to do with the Referer-Root header's value on the server to ensure that the access check completes successfully as intended? If servers never need to process it, then clients cannot be required to disclose this information. If there are cases where servers need to know, why can't they use some other method to get hold of the information, e.g. by configuring the server so that only http://provider.example/user/ can be accessed from http://user.example/? If they can do that, it seems the header should be removed aswell. -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de 68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Monday, 15 October 2007 17:51:54 UTC