- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 22 Sep 2010 21:31:09 +0200
- To: Anne van Kesteren <annevk@opera.com>
- CC: Jonas Sicking <jonas@sicking.cc>, Webapps WG <public-webapps@w3.org>
On 22.09.2010 21:26, Anne van Kesteren wrote:
> On Wed, 22 Sep 2010 21:20:09 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> On Wed, Sep 22, 2010 at 12:16 PM, Anne van Kesteren <annevk@opera.com> wrote:
>>> We don't want to keep updating the "safe" list. So they're all "unsafe". Or
>>> maybe not "unsafe", just not compatible with HTML forms.
>>
>> What we're really concerned about here is the HTML/SVG/web/whathaveyou
>> same-origin security model that browsers implement and servers
>> generally rely on. This model only allows cross-origin requests that
>> use get/head/post-with-some-content-types. So that might be the term
>> to use here.
>
> What term?
>
> "simple methods" is by the way just an indication of whether they follow
> the "simple cross-origin request" set of steps. "simple" has nothing to
> do with "safe". They are distinct terms.

Again: CORS, 6.1.5.:

"To protect resources against cross-origin access with methods that have side effects an preflight request is made to ensure that the resource is ok with the request."

This is misleading IMHO.

Best regards, Julian
Received on Wednesday, 22 September 2010 20:31:51 UTC
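
The distinction argued over in this message, as an added example that is not part of the original thread: a classifier that reports separately whether a cross-origin request is "simple" in the CORS sense (no preflight) and whether its method is "safe" in the HTTP sense, so the requests that have side effects yet skip the preflight become visible. The function names are hypothetical, the sample requests in the closing comment are constructed, and the safe-method list is taken from HTTP (RFC 7231), not from this page.

```javascript
// CORS "simple" methods and headers: the get/head/post-with-some-content-types
// set that HTML forms could already send cross-origin.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
// HTTP "safe" methods (RFC 7231, section 4.2.1): no side effects expected.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// A header is "simple" if it is on the short allow-list, or if it is a
// Content-Type whose media type (parameters ignored) is form-compatible.
function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (SIMPLE_HEADERS.has(n)) return true;
  if (n !== "content-type") return false;
  const mediaType = String(value).split(";")[0].trim().toLowerCase();
  return SIMPLE_CONTENT_TYPES.has(mediaType);
}

// method: upper-case HTTP method; headers: author-set request headers.
function classify(method, headers = {}) {
  const simple =
    SIMPLE_METHODS.has(method) &&
    Object.entries(headers).every(([k, v]) => isSimpleHeader(k, v));
  const safe = SAFE_METHODS.has(method);
  return {
    preflight: !simple,            // browser asks the resource first
    safe,                          // HTTP semantics, unrelated to CORS
    simpleButUnsafe: simple && !safe, // side effects possible, no preflight
  };
}

// Constructed sample requests:
//   classify("POST", { "Content-Type": "application/x-www-form-urlencoded" })
//   classify("POST", { "Content-Type": "application/json" })
//   classify("DELETE")
//   classify("GET", { "X-Requested-With": "XMLHttpRequest" })
```

A handler that changes state on a form-style POST falls in the `simpleButUnsafe` case, so it has to check the `Origin` header or an anti-CSRF token itself; no preflight will be sent for it.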