Here's a suggestion:

The solution should not introduce additional attack vectors against services that are protected only by way of firewalls. This requirement addresses "intranet" style services that authorize any requests that can be sent to the service. Note that this requirement does not preclude HEAD, OPTIONS, or GET requests (even with ambient authentication and session information).

I would suggest to refrain from any further discussion of what is or is not possible.

--
Thomas Roessler, W3C <tlr@w3.org>

Received on Wednesday, 30 January 2008 21:40:26 GMT