- From: Stefan Eissing <stefan.eissing@greenbytes.de>
- Date: Mon, 12 Jun 2006 11:12:30 +0200
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 12.06.2006 at 10:47, Julian Reschke wrote:
> Stefan Eissing wrote:
>> ...
>> What I mean is that XHR would have the following behavior:
>> - Implement a "whitelist" of methods and uses which are known to be "safe"
>> - For all methods outside of this, let XHR ask the server if it is ok. For example, let XHR send an OPTION request and look for an XHR-Allow header, listing the methods allowed to XHR. (or whatever, the key is that the server is in control)
>> Seems to me that this approach puts server application developers in the driver's seat and lets browser developers stay safe by default, no matter what future http will bring.
>
> Can you give an example where a server that implements method X would return it in the "Allow" header, but not in the "XHR-Allow" header?

Sure. A server allowing POST for ordering you a book, but not allowing it from XHR requests from pages coming from a different site.

The last part is the key, of course. I am assuming that methods against the originating server of a page are always allowed and that we are talking about securing requests to other servers and methods used in them. Please correct me if I got this wrong.

//Stefan
Received on Monday, 12 June 2006 09:12:37 UTC
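The scheme sketched in the message above (a whitelist of safe methods, an OPTIONS check against an XHR-Allow header for everything else, and a book-shop server that lists POST in Allow but not in XHR-Allow for foreign pages), as an added example that is not part of the original thread and not code from any browser or server. The server policy table, the method whitelist, the page origins and the `/order` path are constructed for the illustration; the actual mechanism later standardized for this problem is CORS preflight, which is not modelled here.

```javascript
// Assumed whitelist of methods XHR may send cross-site without asking.
const SAFE_METHODS = new Set(["GET", "HEAD"]);

// Parse a method-list header such as "GET, HEAD, POST" into a Set.
function parseMethodList(value) {
  if (!value) return new Set();
  return new Set(
    value.split(",").map((m) => m.trim().toUpperCase()).filter(Boolean)
  );
}

// Hypothetical book-shop server. It implements POST /order for everyone,
// but only advertises POST in XHR-Allow to page origins listed in xhrPolicy
// (a constructed per-origin table). Requests from its own origin are trusted.
function makeServer(serverOrigin, xhrPolicy) {
  const implemented = ["OPTIONS", "GET", "HEAD", "POST"];
  const log = []; // every request the server actually received
  return {
    log,
    handle(req) {
      log.push(`${req.method} ${req.path} from ${req.origin}`);
      const sameOrigin = req.origin === serverOrigin;
      if (req.method === "OPTIONS") {
        const xhrAllowed = sameOrigin
          ? implemented
          : xhrPolicy[req.origin] || [...SAFE_METHODS];
        return {
          status: 200,
          headers: {
            Allow: implemented.join(", "),          // what the server implements
            "XHR-Allow": xhrAllowed.join(", "),     // what it lets this page's XHR use
          },
        };
      }
      if (!implemented.includes(req.method)) {
        return { status: 405, headers: { Allow: implemented.join(", ") } };
      }
      if (req.method === "POST" && req.path === "/order") {
        return { status: 201, headers: {}, body: "book ordered" };
      }
      return { status: 200, headers: {}, body: "ok" };
    },
  };
}

// Client side: the decision XHR would make before sending a request.
// pageOrigin is the origin of the page running the script; the browser, not
// the page, is assumed to stamp it on the request so the server can trust it.
function xhrRequest(server, pageOrigin, serverOrigin, method, path) {
  const m = method.toUpperCase();
  const send = (meth) => server.handle({ method: meth, path, origin: pageOrigin });

  // Same-origin requests and whitelisted methods go out unconditionally.
  if (pageOrigin === serverOrigin || SAFE_METHODS.has(m)) {
    return { sent: true, preflight: null, response: send(m) };
  }

  // Anything else: ask first, and only send if XHR-Allow names the method.
  const preflight = send("OPTIONS");
  const allowed = parseMethodList(preflight.headers["XHR-Allow"]);
  if (!allowed.has(m)) {
    return {
      sent: false,
      preflight,
      reason: `${m} not in XHR-Allow for ${pageOrigin}`,
    };
  }
  return { sent: true, preflight, response: send(m) };
}

// Stand-alone demo with constructed origins.
function demo() {
  const shop = "https://shop.example";
  const server = makeServer(shop, { "https://partner.example": ["GET", "HEAD", "POST"] });
  const attempts = [
    ["https://shop.example", "POST"],    // same origin: sent, no preflight
    ["https://partner.example", "POST"], // listed partner: preflight, then sent
    ["https://evil.example", "POST"],    // foreign page: preflight, refused
    ["https://evil.example", "GET"],     // safe method: sent, no preflight
  ];
  return attempts.map(([origin, method]) => {
    const r = xhrRequest(server, origin, shop, method, "/order");
    console.log(origin, method, r.sent ? `sent -> ${r.response.status}` : `blocked: ${r.reason}`);
    return r;
  });
}

if (typeof require !== "undefined" && require.main === module) demo();

module.exports = { SAFE_METHODS, parseMethodList, makeServer, xhrRequest, demo };
```

The point of the split between Allow and XHR-Allow is visible in the third case: the server's OPTIONS reply still lists POST in Allow, because POST /order is implemented, but XHR-Allow for the unlisted origin only carries GET and HEAD, so the POST is never sent and the order is never placed. Two caveats a practitioner would want: the check is only as good as the origin the server sees, so the browser must set it and the page must not be able to override it; and the preflight itself must be side-effect free, which is why it is an OPTIONS request rather than the real method.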