- From: Jonas Sicking <jonas@sicking.cc>
- Date: Sun, 08 Jun 2008 23:41:17 -0700
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
Bjoern Hoehrmann wrote: > * Jonas Sicking wrote: >> Access-Control-Methods is worse as it would fairly often have to be used. > > When would you be able to omit it? Admins who are clueless about their > server setup when enabling cross site requests are unlikely to be clue- > ful in using the header, so having the header would only really help if > it has to be used always. Agreed. The one thing I could see doing would be to say that GET (and maybe even POST) would always be whitelisted so if those were the only actions you were using you wouldn't need the header. The theory is that those methods are very common today, and can be performed cross-site already, so it's unlikely that the server admin would not expect those. But I'd be happy to say that the header is always required. / Jonas
Received on Monday, 9 June 2008 06:42:36 UTC