Re: XMLHttpRequest. Support for "OPTIONS *" method.

On Thu, Sep 4, 2014 at 11:09 PM, Mark Nottingham <mnot@mnot.net> wrote:
> Huh?
>
> OPTIONS * isn’t exactly common, but it’s very much OK by HTTP…

Sure. It's not supported by XMLHttpRequest. If you pass "*" as the URL
argument, you'll get a request for "/baseURL/*". And since it's not
supported by XMLHttpRequest, servers might not anticipate a browser
issuing such a request and therefore be vulnerable in some way.

We could definitely add a new step to
http://xhr.spec.whatwg.org/#dom-xmlhttprequest-open between 5 and 6 to
not parse the url parameter if it is "*" and normalized method is
"OPTIONS".

Added WebAppSec, perhaps they can offer some insight into whether this
is feasible.


-- 
http://annevankesteren.nl/

Received on Friday, 5 September 2014 08:04:14 UTC
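The URL-resolution point made in the message above, as an added illustration that is not code from the thread or from the XHR specification: a small model of the URL handling in open(), showing what a browser sends today for open("OPTIONS", "*") (the asterisk becomes a path segment under the base URL) and what the proposed extra step between steps 5 and 6 would change (the literal "*" is passed through as the asterisk-form target). The base URL is constructed for the example, the method normalization is a simplified reading of the spec, and requestLine() only approximates the request-line a server would see.

```javascript
// Added illustration, not code from the thread or from the XHR spec.
// Models the URL handling in XMLHttpRequest open() for the "OPTIONS *" case.

// Methods that open() uppercases; any other token is passed through unchanged.
const NORMALIZED_METHODS = new Set(["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"]);
// Methods that open() rejects with a SecurityError.
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);

// Simplified model of the method normalization step in open().
function normalizeMethod(method) {
  const upper = method.toUpperCase();
  if (FORBIDDEN_METHODS.has(upper)) {
    throw new Error("SecurityError: forbidden method " + method);
  }
  return NORMALIZED_METHODS.has(upper) ? upper : method;
}

// Current behaviour: the url argument is always parsed against the base URL,
// so "*" is treated as a relative path and lands under the base path.
function requestTargetCurrent(method, url, baseURL) {
  normalizeMethod(method);
  return new URL(url, baseURL).href;
}

// Proposed behaviour from the message: skip URL parsing when the normalized
// method is OPTIONS and the url argument is exactly "*".
function requestTargetProposed(method, url, baseURL) {
  const normalized = normalizeMethod(method);
  if (normalized === "OPTIONS" && url === "*") {
    return "*";
  }
  return new URL(url, baseURL).href;
}

// Approximation of the HTTP/1.1 request-line a server would receive for a
// given target (asterisk-form or origin-form).
function requestLine(target, method) {
  if (target === "*") {
    return `${method} * HTTP/1.1`;
  }
  const u = new URL(target);
  return `${method} ${u.pathname}${u.search} HTTP/1.1`;
}

// Constructed document URL used as the base for resolution (assumption).
const BASE = "https://example.com/app/page.html";

const today = requestTargetCurrent("options", "*", BASE);
const proposed = requestTargetProposed("options", "*", BASE);
console.log("today:    ", today, "->", requestLine(today, "OPTIONS"));
console.log("proposed: ", proposed, "->", requestLine(proposed, "OPTIONS"));
console.log("GET *:    ", requestTargetProposed("GET", "*", BASE));
```

Only the exact combination of normalized method OPTIONS and the literal string "*" is special-cased; "GET *" or "OPTIONS ./*" still resolve against the base URL as they do today, which is the narrowest reading of the step the message proposes.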