- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 5 Sep 2014 10:03:46 +0200
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Валерий Котов <kotov.valery@gmail.com>, WebApps WG <public-webapps@w3.org>, WebAppSec WG <public-webappsec@w3.org>
On Thu, Sep 4, 2014 at 11:09 PM, Mark Nottingham <mnot@mnot.net> wrote:
> Huh?
>
> OPTIONS * isn't exactly common, but it's very much OK by HTTP…

Sure. It's not supported by XMLHttpRequest. If you pass "*" as the URL argument, you'll get a request for "/baseURL/*". And since it's not supported by XMLHttpRequest, servers might not anticipate a browser issuing such a request and therefore be vulnerable in some way.

We could definitely add a new step to http://xhr.spec.whatwg.org/#dom-xmlhttprequest-open between 5 and 6 to not parse the url parameter if it is "*" and the normalized method is "OPTIONS".

Added WebAppSec, perhaps they can offer some insight into whether this is feasible.

-- 
http://annevankesteren.nl/
Received on Friday, 5 September 2014 08:04:14 UTC
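As an added example that is not part of the original thread, the JavaScript below models the resolution step Anne describes: today the url argument is always parsed against the base URL, so "*" turns into a relative path like "/app/*", whereas the proposed extra step keeps "*" unparsed when the normalized method is OPTIONS. The base URL and the function names are assumptions for illustration, not code from the XHR spec or any browser.

```javascript
// Added example, not part of the original thread. Models XHR open()
// URL resolution and the extra "OPTIONS *" step proposed above.
// BASE_URL and the helper names are assumptions for illustration.

const BASE_URL = "https://example.test/app/index.html"; // constructed sample base

// Method names XHR normalizes to uppercase (per the XHR spec's method list).
const NORMALIZED_METHODS = ["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"];

function normalizeMethod(method) {
  const upper = method.toUpperCase();
  return NORMALIZED_METHODS.includes(upper) ? upper : method;
}

// Current behaviour: the url argument is always parsed against the base
// URL, so "*" is treated as a relative reference and resolves to "/app/*",
// which is what the server actually receives as the request-target.
function resolveCurrent(method, url, base = BASE_URL) {
  const parsed = new URL(url, base); // throws on an unparseable URL
  return {
    method: normalizeMethod(method),
    target: parsed.pathname + parsed.search,
  };
}

// Proposed behaviour: skip URL parsing entirely when the normalized method
// is OPTIONS and the url argument is exactly "*", so the request-target is
// the asterisk form that HTTP allows instead of a path ending in "*".
function resolveProposed(method, url, base = BASE_URL) {
  const m = normalizeMethod(method);
  if (m === "OPTIONS" && url === "*") {
    return { method: m, target: "*" };
  }
  return resolveCurrent(m, url, base);
}

// Stand-alone run: shows the two outcomes side by side.
console.log("current :", resolveCurrent("options", "*"));   // target "/app/*"
console.log("proposed:", resolveProposed("options", "*"));  // target "*"
```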