On Wed, 23 Jan 2008 22:17:36 +0100, Mark Nottingham <[EMAIL PROTECTED]> wrote:
> BTW, I understand the motivation for this now that OPTIONS is used, but you still have a clock sync problem.

Race conditions are already covered by the specification. Authors are advised to check the Referer-Root header to prevent such issues from occurring.

> Also, HTTP caches won't be able to exploit this. I'm thinking especially of HTTP accelerators (e.g., Akamai); OPTIONS traffic is going to create a lot of undesirable back-end communication for them, until they come up with a workaround. My main concern is that different intermediaries are going to come up with different strategies for caching OPTIONS results.

OPTIONS is part of the traffic that is non-static. I'm not sure how much you can optimize that by using HTTP accelerators. Again though, the idea is that the request reaches the server and that the server specifies an HTTP-date indicating how long the policy is valid.
-- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
