- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 15 Oct 2007 14:58:45 +0200
- To: "WAF WG (public)" <public-appformats@w3.org>
On Fri, 12 Oct 2007 13:49:43 +0200, Mark Nottingham <mnot@yahoo-inc.com> wrote:
> Use a well-known location, like robots.txt, site maps, P3P and pretty
> much every other site-wide metadata mechanism does things.
>
> Yes, it's ugly, yes it reserves part of URI space, and yes, it's not
> terribly friendly to micro-sites. However, it is well-understood on all
> sides, is widely deployed, scales well for complex interactions with
> multiple resources, and is less likely to have surprises pop up.

This requires domain-wide organization where the access-control proposal is more focused on individual resources being available or not.

I outlined my current idea below. I'm not sure yet how to properly integrate it in the specification, but I'm looking into that.

For a non-GET access request you look up in the access method check cache whether you can make the desired non-GET to the URI. If the access method check cache doesn't have an entry for the given URI you make an access method check request to URI.

An access method check request is a GET request that includes a Method-Check HTTP header that indicates the desired HTTP method. You do a match against the response Allow header method list and if there's a match (case-sensitive comparison as per HTTP) and the response also includes Access-Control / <?access-control?> stuff that allows access you do a subsequent request to the URI with the non-GET method.

If the response to the access method check request also includes a Method-Check-Expires HTTP header that is valid and contains an HTTP-date later than now the user agent appends an entry to the access method check cache for the URI with an expiry date as indicated by the Method-Check-Expires header. This entry contains all the Access-Control / <?access-control?> / Allow / Method-Check-Expires information so requests with a different Referer-Root can also benefit from it.

(The plan is to make the above story a bit more obvious once I've figured out how to organize the specification.)

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Monday, 15 October 2007 12:58:42 UTC
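
The cache lookup and access method check described in the message above, sketched as an added example; it is not part of the original mail, the specification, or any browser's code. The names sendCheck, grantsAccess, mayIssueNonGet, the sample URI and the toy Access-Control value are assumptions made for illustration, and treating an expired entry as absent is an assumption the mail does not state.

```javascript
// Added illustration of the flow in the mail; not spec text or browser code.
// sendCheck(uri, method): hypothetical transport that performs the GET with
//   "Method-Check: <method>" and returns the response headers as an object.
// grantsAccess(entry, refererRoot): hypothetical stand-in for evaluating the
//   Access-Control / <?access-control?> rules, which the mail leaves abstract.

function allowListHas(allowHeader, method) {
  // Case-sensitive match against the Allow method list, as per HTTP.
  return (allowHeader || "").split(",").map((m) => m.trim()).includes(method);
}

function mayIssueNonGet(cache, uri, method, refererRoot, now, sendCheck, grantsAccess) {
  let entry = cache.get(uri);
  // Assumption: an entry whose expiry has passed is treated as absent.
  if (entry && entry.expires <= now) { cache.delete(uri); entry = undefined; }
  if (!entry) {
    const h = sendCheck(uri, method);
    entry = { allow: h["Allow"], accessControl: h["Access-Control"] };
    const t = Date.parse(h["Method-Check-Expires"]); // NaN if absent or invalid
    // Cache only when the header is a valid date later than now.
    if (!Number.isNaN(t) && t > now) { entry.expires = t; cache.set(uri, entry); }
  }
  // The entry stores headers, not a verdict, so the decision is re-evaluated
  // for each method and Referer-Root without another check request.
  return allowListHas(entry.allow, method) && grantsAccess(entry, refererRoot);
}

// Constructed sample: one resource, a fake server, and a toy policy format.
let checksSent = 0;
const sampleServer = (uri, method) => {
  checksSent += 1;
  return { "Allow": "GET, POST",
           "Access-Control": "a.example b.example", // constructed, not real syntax
           "Method-Check-Expires": "Mon, 15 Oct 2007 16:00:00 GMT" };
};
const samplePolicy = (entry, root) => entry.accessControl.split(" ").includes(root);

const cache = new Map();
const now = Date.parse("Mon, 15 Oct 2007 15:00:00 GMT");
const uri = "http://resource.example/item";
const ask = (method, root, at = now) =>
  mayIssueNonGet(cache, uri, method, root, at, sampleServer, samplePolicy);
console.log(ask("POST", "a.example"), ask("POST", "b.example"), checksSent);
```

Because the cached entry holds the Allow and Access-Control data, a second Referer-Root is answered from the cache, while a method or root the stored headers do not permit is refused without contacting the server again.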