Bjoern Hoehrmann wrote:
> ...
> You should say Bob has write access to http://www.example.com/users/bob/
> I missed that at first and wondered what the point here might be.

OK, how about:

1. Alice prepares an HTML page with embedded Javascript code that will submit a DELETE request against the URI http://www.example.com/users/bob/ (a resource she does not have write access to, but Bob has).

>> o Using user agents that follow Section 9.1.1 of [RFC2616], in that
>> they do not allow unsafe methods to be executed without making the
>> user aware of the consequences - unfortunately, none of today's
>> browsers is doing that.
>
> I don't think this is the best way to put it, but I don't have much
> better text at hand right now.

Proposals welcome. I think it's worthwhile to mention that RFC2616 is very clear about the user agent never to invoke an unsafe method without the user's consent, a principle that very clearly isn't followed by today's browsers when they allow unsafe methods without any user confirmation.

Best regards, Julian

Received on Sunday, 4 March 2007 19:56:09 GMT