On 09/06/2009, at 4:26 AM, Tyler Close wrote:
Using reasoning similar to your argument in "Chattiness", making POST
a non-"simple" method will force web sites to tunnel everything over
GET, as they commonly do today. So, I suspect your understandable
desire to make CORS somewhat compatible with web-arch will have the
opposite effect on deployed applications. We should be thankful that
HTML saved cross-site GET and POST from the overhead of CORS. I am.
With GET and POST to many URLs, it's possible to get most of the
benefits of the Web. It'd be a shame to lose POST in the name of
better web-arch and be left with only GET.
... or it can just be fixed it so that it isn't so chatty, and
everyone wins.
Honestly, "we should be thankful"?
However, other contexts of use may not have this problem...
Hopefully CORS will not be reused outside the web-browser. For
example, server-side code should not be subject to any of the
restrictions enforced by CORS. Hopefully, other contexts will model
themselves on the server-side, where there's no user ambient authority
associated with network requests.
My understanding was that CORS is explicitly designed for other uses
as well.
--
Mark Nottingham http://www.mnot.net/
