- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Sat, 6 Oct 2007 12:44:44 +0300
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Ian Hickson <ian@hixie.ch>, public-appformats@w3.org
On Oct 6, 2007, at 03:56, Jonas Sicking wrote: > Like Ian points out, there might very well be servers living inside > firewalls that support that method and don't do any other security > authentication other than relying on the firewall. OK. That makes sense. > Also note that the server can make the GET request be cached in the > browser which should make the overhead of a GET fairly low. Actually, the HTTP-level cacheability of GET doesn't work here. The POST request to the URI invalidates the cached GET response, so when you are doing the next POST, the GET response should no longer be in cache. (This is not currently true of Firefox, but that's a bug: https://bugzilla.mozilla.org/show_bug.cgi?id=327765 ) Therefore, with GET you'd need to maintain an access-control method authorization cache independently of the HTTP caching of the GET response. And at that point, you might as well maintain an access- control method authorization cache for information obtained via OPTIONS. -- Henri Sivonen hsivonen@iki.fi http://hsivonen.iki.fi/
Received on Saturday, 6 October 2007 09:45:18 UTC