- From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
- Date: Thu, 26 Nov 2009 10:17:04 +0900
- To: Tyler Close <tyler.close@gmail.com>
- CC: Adam Barth <w3c@adambarth.com>, Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>

On 2009/11/26 6:34, Tyler Close wrote:
> My impression is that the undefined consensus understanding of the
> Same Origin Policy incorporates the rule that no API (not just a
> specific API, such as HTML form) can allow a cross-origin PUT, unless
> the target resource has somehow opted out of SOP protection. This
> rule, and others like it, are the source of much of the complexity in
> CORS. These rules are not left to the application layer.

If I write something like a webbot, I can execute whatever PUT requests (or other HTTP requests) I want, or can't I? An API such as libcurl (http://curl.haxx.se/libcurl/) doesn't contain any such restrictions, or does it?

Regards, Martin.

--
#-# Martin J. Dürst, Professor, Aoyama Gakuin University
#-# http://www.sw.it.aoyama.ac.jp mailto:duerst@it.aoyama.ac.jp

Received on Thursday, 26 November 2009 01:18:06 UTC