On Fri, 04 Jan 2008 21:12:20 +0100, Bertrand Le Roy  
<> wrote:
>> Given that servers opt-in to all of this and sites are
>> unlikely to just make random cross-site requests it is unlikely you get  
>> a very large response.
> That's not true. Opting in doesn't change anything. The size of the  
> resource is not made smaller because the author opts in. Are you saying  
> that cross-domain requests should not be made on large resources?

What we're discussing here is the response to an authorization request.  
That response basically only needs to say that the server agrees with the  
non-GET request. It's likely that authors don't put a whole lot of content  
in that response as it would not make sense. And even if they did the user  
agent could in theory close the connection after it received the <root>  
element start tag in case of an XML response. (In case of other responses  
the entity body is not significant.)

What I think is unlikely that authors will make requests to arbitrary  
domains of which they do not know whether the other site agrees with the  
request in production sites. Therefore I think it's not likely you will  
encounter this as a problem.

Anne van Kesteren

Received on Friday, 4 January 2008 21:57:03 UTC