- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 09 Oct 2007 14:29:54 -0700
- To: Henri Sivonen <hsivonen@iki.fi>, "WAF WG (public)" <public-appformats@w3.org>
Henri Sivonen wrote:
>
> On Oct 9, 2007, at 15:22, Thomas Roessler wrote:
>
>> The POST might change the state of that resource.
>>
>> Why do we believe that it won't change the access-control policy
>> associated with the resource?
>
> What would be associated with the URI in a way that bypasses HTTP
> caching is knowledge about the capability of the server-side app to deal
> with cross-domain POSTs. It would be radically abnormal for an app to
> lose its capability to deal with cross-domain POSTs as the result of an
> earlier POST.
>
> OTOH, having a time-to-live value for the cross-domain method
> authorization makes sense, because services may otherwise change over time.

What we could do is to add a header to the response of the GET, targeted
specifically at access-control implementations, stating that the
access-control implementation is allowed to store the result of the
access-check for some specified amount of time.

Alternatively we could just give up on caching this and either say that
POST is going to be slow, or say that POST doesn't need an access check.
I'm still reluctant to do the latter though.

/ Jonas
Received on Tuesday, 9 October 2007 21:31:21 UTC
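The mechanism Jonas sketches (the GET response carries a header granting the access-control implementation permission to remember the check result for a stated time; without it, every cross-domain POST is re-checked) is modelled below. This is an added example for this archive page, not code from the thread, from the WAF WG, or from any browser of the time. The header name "Access-Control-Check-Max-Age", the choice to key the cache on (requesting origin, target URI, method), and the helper names are assumptions made for illustration; the thread names no header.

```javascript
// Added example (not code from the thread): a model of the per-resource cache
// an access-control implementation could keep for cross-domain POST checks,
// with a time-to-live granted by a header on the GET response.
// Assumption: the header is named "access-control-check-max-age".

const TTL_HEADER = "access-control-check-max-age"; // hypothetical header name

// Parse the TTL header value: a plain positive integer number of seconds.
// Anything else (missing, non-numeric, zero, negative) yields null, meaning
// "do not cache"; the check is then repeated before every cross-domain POST.
function parseTtlSeconds(value) {
  if (typeof value !== "string") return null;
  const trimmed = value.trim();
  if (!/^\d{1,9}$/.test(trimmed)) return null;
  const seconds = Number(trimmed);
  return seconds > 0 ? seconds : null;
}

// Cache keyed by (requesting origin, target URI, method). The clock is
// injectable so expiry can be exercised deterministically.
class AccessCheckCache {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.entries = new Map();
  }

  static key(origin, uri, method) {
    return `${origin}\n${method.toUpperCase()}\n${uri}`;
  }

  // Record the outcome of an access check performed via GET. Returns true if
  // the result was cached, false if the server granted no usable TTL.
  store(origin, uri, method, allowed, responseHeaders) {
    const ttl = parseTtlSeconds(responseHeaders[TTL_HEADER]);
    if (ttl === null) return false;
    this.entries.set(AccessCheckCache.key(origin, uri, method), {
      allowed,
      expiresAt: this.now() + ttl * 1000,
    });
    return true;
  }

  // Returns the cached decision (true/false) while it is fresh, or null when
  // the implementation must perform the access check again.
  lookup(origin, uri, method) {
    const k = AccessCheckCache.key(origin, uri, method);
    const entry = this.entries.get(k);
    if (!entry) return null;
    if (entry.expiresAt <= this.now()) {
      this.entries.delete(k);
      return null;
    }
    return entry.allowed;
  }
}

// What the access-control implementation does before a cross-domain POST:
// "allow" or "deny" straight from the cache, or "check" when a GET is needed.
function decideBeforePost(cache, origin, uri) {
  const cached = cache.lookup(origin, uri, "POST");
  if (cached === null) return "check";
  return cached ? "allow" : "deny";
}

// Constructed scenario driven by a fake clock (milliseconds).
function runScenario() {
  let clock = 0;
  const cache = new AccessCheckCache(() => clock);
  const origin = "https://app.example";
  const uri = "https://api.example/orders";
  const trace = [];

  trace.push(decideBeforePost(cache, origin, uri));       // "check": empty cache

  // Constructed GET response: check passed, server grants a 60 s TTL.
  cache.store(origin, uri, "POST", true, { [TTL_HEADER]: "60" });
  trace.push(decideBeforePost(cache, origin, uri));       // "allow"

  clock = 59000;
  trace.push(decideBeforePost(cache, origin, uri));       // "allow": still fresh

  clock = 60000;
  trace.push(decideBeforePost(cache, origin, uri));       // "check": TTL expired

  // Constructed GET response without the header: nothing is cached,
  // so POST stays "slow" (re-checked every time).
  const stored = cache.store(origin, uri, "POST", true, {});
  trace.push(stored ? "cached" : "not-cached");           // "not-cached"
  trace.push(decideBeforePost(cache, origin, uri));       // "check"

  // A denial is cached too, and a different origin shares no entry.
  cache.store(origin, uri, "POST", false, { [TTL_HEADER]: "10" });
  trace.push(decideBeforePost(cache, "https://other.example", uri)); // "check"
  trace.push(decideBeforePost(cache, origin, uri));       // "deny"

  return trace;
}
```

The design point the model makes concrete: nothing is remembered unless the server opted in with a TTL, so a server that never sends the header gets exactly the "POST is going to be slow" behaviour, and a server that does send it bounds how long a stale authorization can survive a later change in policy.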