On Thu, 03 Jan 2008 19:13:13 +0100, Jon Ferraiolo wrote:
> Over at OpenAjax Alliance, we have had some recent discussion about  
> Access Control and were wondering whether it was possible to use HEAD or  
> instead of GET in order to find out if the server allows cross-site POST
> (or DELETE). There have been comments that if the primary goal is to
> determine if POST is allowed, then it is more consistent with HTTP
> guidelines to issue a GET or OPTIONS rather than only supporting GET.

Servers can't be easily made to respond to OPTIONS so therefore we use  
GET. GET also allows for taking the entity body into account in case of  
XML files. Given that we need GET I'm not sure what use it would be to  
allow OPTIONS in addition. There are after all (obvious) downsides to such  
an approach such as the OPTIONS way giving a different response and some  
user agents following the OPTIONS route and some others the GET, etc.  
Seems messy.

> BTW - It would be nice if the WAF WG home page had a link to the latest
> editorial draft in addition to the latest public draft.

The latest editor's draft can be found here:

It seems that Art (thanks!) updated the home page today to include a  
pointer to that draft.

Anne van Kesteren

Received on Thursday, 3 January 2008 22:27:41 UTC