- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Tue, 19 Feb 2008 22:02:28 +0200
- To: Jon Ferraiolo <jferrai@us.ibm.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>

On Feb 19, 2008, at 17:11, Jon Ferraiolo wrote:

> If you are going to consider requiring a preflight request where the
> server has to explicitly opt-in to custom headers before custom
> headers will be sent, how about requiring a preflight request where
> the server has to explicitly opt-in to cookies before cookies will
> be sent? That would help address the accountability issue that has
> been discussed recently.

Why should anyone need to be held accountable for performing a GET that could already be triggered with e.g. <img src='...'>? If a request causes an action that needs blame, surely such an action wouldn't be safe and idempotent.

--
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/

Received on Tuesday, 19 February 2008 20:02:52 UTC