- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sun, 04 Mar 2007 20:56:02 +0100
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- CC: WebDAV WG <w3c-dist-auth@w3.org>

Bjoern Hoehrmann wrote:
> ...
> You should say Bob has write access to http://www.example.com/users/bob/
> I missed that at first and wondered what the point here might be.

OK, how about:

   1. Alice prepares an HTML page with embedded Javascript code that
      will submit a DELETE request against the URI
      http://www.example.com/users/bob/ (a resource she has not write
      access to, but Bob has).

>> o Using user agents that follow Section 9.1.1 of [RFC2616], in that
>> they do not allow unsafe methods to be executed without making the
>> user aware of the consequences - unfortunately, none of today's
>> browsers is doing that.
>
> I don't think this is the best way to put it, but I don't have much
> better text at hand right now.

Proposals welcome. I think it's worthwhile to mention that RFC2616 is
very clear about the user agent never to invoke an unsafe method without
the user's consent, a principle that very clearly isn't followed by
today's browsers when they allow unsafe methods without any user
confirmation.

Best regards, Julian

Received on Sunday, 4 March 2007 19:56:09 UTC