Re: GET vs HEAD vs OPTIONS

public-appformats-request@w3.org wrote on 01/03/2008 02:29:48 PM:

>
> On Thu, 03 Jan 2008 19:13:13 +0100, Jon Ferraiolo <jferrai@us.ibm.com>
> wrote:
> > Over at OpenAjax Alliance, we have had some recent discussion about
> > Access Control and were wondering whether it was possible to use HEAD or
> > OPTIONS
> > instead of GET in order to find out if the server allows cross-site POST
> > (or DELETE). There have been comments that if the primary goal is to
> > determine if POST is allowed, then it is more consistent with HTTP
> > guidelines to issue a GET or OPTIONS rather than only supporting GET.
>
> Servers can't be easily made to respond to OPTIONS so therefore we use
> GET.

Yes, I remember that part of the email discussion. Therefore, you support
GET. But why not also support HEAD and OPTIONS? Why make everyone use the
(arguably) wrong approach to HTTP just because some existing server
technologies don't support all HTTP options conveniently at this particular
moment in time? We shouldn't confuse today's existing common practice with
future recommended best practice, and we shouldn't prevent adoption of best
practice techniques.

Jon

> GET also allows for taking the entity body into account in case of
> XML files. Given that we need GET I'm not sure what use it would be to
> allow OPTIONS in addition. There are after all (obvious) downsides to such
> an approach such as the OPTIONS way giving a different response and some
> user agents following the OPTIONS route and some others the GET, etc.
> Seems messy.
>
>
> > BTW - It would be nice if the WAF WG home page had a link to the latest
> > editorial draft in addition to the latest public draft.
>
> The latest editor's draft can be found here:
> http://dev.w3.org/2006/waf/access-control/
>
> It seems that Art (thanks!) updated the home page today to include a
> pointer to that draft.
>
>
> --
> Anne van Kesteren
> <http://annevankesteren.nl/>
> <http://www.opera.com/>
>

Received on Thursday, 3 January 2008 22:53:24 UTC