[OpenAjaxSecurity] Revisions to W3C Access Control

Emmanouil Batsis (Manos) manos at abiss.gr
Wed Jan 2 09:55:53 PST 2008


Jon Ferraiolo wrote:
> Good question. I'm not sure, but I remember discussion on the WAF public 
> list where someone asked why they didn't use OPTIONS instead of GET and 
> the answer was that not many server technologies support HEAD. 


This must be a misunderstanding of sorts, I can't think of *one* HTTP 
server app with no HEAD support. Even if this applies to a small 
percentage, HEAD is the preferred method for the use case described 
IMHO. In case HEAD returns a 501 (Not Implemented) then I guess a 
"fallback" to GET would be appropriate.

Cheers,

Manos

-- 
Manos Batsis, Chief Technologist
          __    _
   ____ _/ /_  (_)_________ ____ ______
  / __ `/ __ \/ / ___/ ___// __ `/ ___/
/ /_/ / /_/ / (__  |__  )/ /_/ / /
\__,_/_.___/_/____/____(_)__, /_/
                         /____/

5, Daphnidos Street,
14122, Neo Iraklio,
Athens, Greece

Tel: +30 210 2851517
Mob: +30 694 8376942

http://dev.abiss.gr

"BSD code is free code to be used in software. GPL code is code to be 
used in free software." Kjella (173770), Slashdot
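
The HEAD-first check with a GET fallback on 501 described in the message above, as an added example that is not part of the original post. The header name X-Example-Policy, the function names and the paths /ok and /no-head are hypothetical, and the local server is constructed so the example runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

POLICY_HEADER = "X-Example-Policy"  # hypothetical header, constructed for this example

class _Handler(BaseHTTPRequestHandler):
    """Constructed local server; /no-head behaves like a server without HEAD."""
    def _reply(self, with_body):
        body = b"resource body\n"
        self.send_response(200)
        self.send_header(POLICY_HEADER, "allow")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if with_body:
            self.wfile.write(body)
    def do_GET(self):
        self._reply(True)
    def do_HEAD(self):
        if self.path == "/no-head":
            self.send_error(501)  # Not Implemented
        else:
            self._reply(False)
    def log_message(self, *args):
        pass  # keep the demo quiet

def fetch_policy_headers(host, port, path):
    """Try HEAD first; repeat as GET only when HEAD is answered with 501."""
    for method in ("HEAD", "GET"):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()  # drain the response; empty for HEAD
            if method == "HEAD" and resp.status == 501:
                continue  # any other status is returned as-is, no fallback
            return method, resp.status, resp.getheader(POLICY_HEADER)
        finally:
            conn.close()

def demo():
    server = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return [fetch_policy_headers("127.0.0.1", port, p) for p in ("/ok", "/no-head")]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

With HEAD the policy header is read without the resource body being transferred; the body only crosses the wire on the 501 fallback path.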

