- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 5 Sep 2014 11:06:48 +0300
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: kotov.valery@gmail.com, WebApps WG <public-webapps@w3.org>, WebAppSec WG <public-webappsec@w3.org>
On 5 Sep 2014, at 11:03 am, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Sep 4, 2014 at 11:09 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> Huh?
>>
>> OPTIONS * isn’t exactly common, but it’s very much OK by HTTP…
>
> Sure. It's not supported by XMLHttpRequest. If you pass "*" as URL
> argument, you'll get a request for "/baseURL/*". And since it's not
> supported by XMLHttpRequest, servers might not anticipate a browser to
> issue such a request and therefore be vulnerable in some way.

That would be foolish, since browsers don’t have an exclusive license to emit HTTP requests.

> We could definitely add a new step to
> http://xhr.spec.whatwg.org/#dom-xmlhttprequest-open between 5 and 6 to
> not parse the url parameter if it is "*" and normalized method is
> "OPTIONS".
>
> Added WebAppSec, perhaps they can offer some insight into whether this
> is feasible.

Sounds reasonable. I question whether the use cases justify the work, but that’s up to you…

FWIW - https://www.mnot.net/blog/2012/10/29/NO_OPTIONS

Cheers,

--
Mark Nottingham   http://www.mnot.net/
Received on Friday, 5 September 2014 08:07:18 UTC
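The two behaviours discussed in the exchange above, as an added example that is not code from the thread, from the XHR spec or from any browser: today's `XMLHttpRequest.open()` always resolves the url argument against the document base URL, so `"*"` becomes `/app/*`; the proposed extra step leaves a literal `"*"` alone when the normalized method is `OPTIONS`, yielding the asterisk-form request target that HTTP already allows. The server-side classifier at the end illustrates Mark's point that any HTTP client can send `OPTIONS *`, so a server has to handle that target whether or not browsers ever emit it. The base URL, the request-line format and all function names are assumptions made for this demonstration.

```javascript
// Added example (not from the thread or the XHR spec). Models current and proposed
// XMLHttpRequest.open() handling of "*", plus server-side request-target classification.

const BASE_URL = "https://example.com/app/page.html"; // constructed sample document base URL

// XHR upper-cases these well-known methods case-insensitively; other methods are kept as given.
const NORMALIZED_METHODS = ["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"];

function normalizeMethod(method) {
  const upper = method.toUpperCase();
  return NORMALIZED_METHODS.includes(upper) ? upper : method;
}

// Current behaviour: the url argument is always parsed as a URL against the base,
// so "*" is just a relative reference and resolves to /app/* here.
function currentOpen(method, url, base = BASE_URL) {
  const parsed = new URL(url, base);
  return {
    method: normalizeMethod(method),
    requestTarget: parsed.pathname + parsed.search, // origin-form target
    url: parsed.href,
  };
}

// Proposed behaviour: skip URL parsing when the normalized method is OPTIONS and the
// url is exactly "*", so the request carries the asterisk-form target "OPTIONS *".
function proposedOpen(method, url, base = BASE_URL) {
  const normalized = normalizeMethod(method);
  if (normalized === "OPTIONS" && url === "*") {
    return { method: normalized, requestTarget: "*", url: null };
  }
  return currentOpen(method, url, base);
}

// Request line a client would emit for either result (HTTP/1.1 assumed).
function requestLine(req) {
  return `${req.method} ${req.requestTarget} HTTP/1.1`;
}

// Server side: classify the request-target instead of assuming it is always a path.
// Follows the origin-form / absolute-form / authority-form / asterisk-form split of
// RFC 7230 section 5.3; a server that only expects origin-form mishandles "OPTIONS *".
function parseRequestTarget(target) {
  if (target === "*") return { form: "asterisk", path: null };
  if (target.startsWith("/")) return { form: "origin", path: target.split("?")[0] };
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(target)) {
    return { form: "absolute", path: new URL(target).pathname };
  }
  if (/^[^/?#]+:\d+$/.test(target)) return { form: "authority", path: null };
  return { form: "invalid", path: null };
}

// Demonstration: same inputs, current versus proposed request line.
for (const [method, url] of [["options", "*"], ["GET", "*"], ["OPTIONS", "/api"]]) {
  console.log(`${requestLine(currentOpen(method, url))}  ->  ${requestLine(proposedOpen(method, url))}`);
}
console.log(parseRequestTarget("*"), parseRequestTarget("/app/*"));
```

Note that the proposed step keys on the normalized method, so `open("options", "*")` and `open("OPTIONS", "*")` behave the same, while `open("GET", "*")` still resolves to `/app/*` as it does today.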