- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 30 May 2008 20:34:27 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "WAF WG (public)" <public-appformats@w3.org>, "Maciej Stachowiak" <mjs@apple.com>
On Fri, 30 May 2008 20:08:24 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> However IMHO it makes more sense as an extra level of security. To deal
> with servers supporting actions that the server administrator is unaware
> of or wasn't thinking of when enabling Access-Control.

Ok. It's not really clear to me whether this extra level is needed or desired, as it further complicates the original proposal. With all the other proposals you're making it overall becomes much more complex and harder for authors to grasp what they have to do to get it right. I'd be interested in hearing feedback from Maciej / Apple / WebKit on this proposal.

> Further, the way we controlled methods before was much more complex than
> my proposal. Different sites could have different allowed methods. We
> had to issue new preflight requests every time a new method was used. The
> syntax allowed for DELETE being listed as an allowed method when we
> checked for POST, but then DELETE wouldn't actually be allowed when we
> checked for DELETE, etc.
>
> The new proposal is much simpler. Both syntax wise for the server
> administrator, and for the implementation.

If I understand correctly what you're suggesting, it would indeed be simpler, yes. (Though there's also added complexity, as we didn't have a policy for HTTP headers.)

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Friday, 30 May 2008 18:35:15 UTC