Re: XMLHttpRequest. Support for "OPTIONS *" method.

On 5 Sep 2014, at 11:03 am, Anne van Kesteren wrote:

> On Thu, Sep 4, 2014 at 11:09 PM, Mark Nottingham wrote:
>> Huh?
>> OPTIONS * isn’t exactly common, but it’s very much OK by HTTP…
> Sure. It's not supported by XMLHttpRequest. If you pass "*" as URL
> argument, you'll get a request for "/baseURL/*". And since it's not
> supported by XMLHttpRequest, servers might not anticipate a browser to
> issue such a request and therefore be vulnerable in some way.

That would be foolish, since browsers don’t have an exclusive license to emit HTTP requests.

> We could definitely add a new step to
> between 5 and 6 to
> not parse the url parameter if it is "*" and normalized method is
> Added WebAppSec, perhaps they can offer some insight into whether this
> is feasible.

Sounds reasonable. I question whether the use cases justify the work, but that’s up to you…



Mark Nottingham

Received on Friday, 5 September 2014 08:07:18 UTC
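
The behaviour discussed in this message, as an added example that is not part of the original thread: how a "*" url argument resolves against a base URL, and how a server can classify the request-target of an incoming request line (RFC 7230 section 5.3) so that "OPTIONS *" is handled deliberately whichever client sends it. The function names, hosts and request lines are constructed for illustration.

```javascript
// Added example: function names are hypothetical, inputs are constructed.

// Resolve the url argument against the base URL, as a browser does, and
// return the path + query that ends up on the request line.
function resolvedRequestTarget(urlArg, baseURL) {
  const u = new URL(urlArg, baseURL);
  return u.pathname + u.search;
}

// Classify a request-target into the four forms of RFC 7230 section 5.3.
// asterisk-form is valid only with OPTIONS, authority-form only with CONNECT.
function classifyRequestTarget(method, target) {
  if (target === "*") {
    return method === "OPTIONS" ? "asterisk-form" : "invalid";
  }
  if (method === "CONNECT") {
    return /^[^\s\/?#@]+:\d+$/.test(target) ? "authority-form" : "invalid";
  }
  if (target.startsWith("/")) return "origin-form";
  if (/^[A-Za-z][A-Za-z0-9+.-]*:\/\//.test(target)) return "absolute-form";
  return "invalid";
}

// Parse "METHOD SP request-target SP HTTP-version" and reject anything else.
function parseRequestLine(line) {
  const m = /^([!#$%&'*+.^_`|~0-9A-Za-z-]+) (\S+) HTTP\/(\d\.\d)$/.exec(line);
  if (!m) return { ok: false, form: "invalid" };
  const [, method, target] = m;
  const form = classifyRequestTarget(method, target);
  return { ok: form !== "invalid", method, target, form };
}

// Constructed sample input.
const sampleLines = [
  "OPTIONS * HTTP/1.1",      // server-wide OPTIONS
  "OPTIONS /app/* HTTP/1.1", // what a resolved "*" url argument produces
  "GET * HTTP/1.1",          // asterisk-form with the wrong method
];
for (const line of sampleLines) {
  const r = parseRequestLine(line);
  console.log(line, "->", r.ok ? r.form : "rejected");
}
console.log(resolvedRequestTarget("*", "http://example.test/app/page.html"));
```
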