- From: Дилян Палаузов <dilyan.palauzov@aegee.org>
- Date: Mon, 25 Jun 2018 21:29:25 +0000
- To: ietf-http-wg@w3.org
Hello,

https://tools.ietf.org/html/rfc7231#section-7.4.1 "Allow header" says:

[
The "Allow" header field lists the set of methods advertised as supported by the target resource. The purpose of this field is strictly to inform the recipient of valid request methods associated with the resource.
]

Because the text above does not say anything about authorization, one possible implementation of Allow is to return the same method list to all - authenticated and not authenticated - clients.

What would be the use of a returned Allow: GET, HEAD, DELETE to a client, if the client is authenticated at the time the request is made and the server knows that with the provided authentication/authorization the client cannot perform DELETE?

Regards
Дилян
Received on Monday, 25 June 2018 21:31:01 UTC