Re: XMLHttpRequest. Support for "OPTIONS *" method. from Валерий Котов on 2014-09-05 (public-webapps@w3.org from July to September 2014)

From: Валерий Котов <kotov.valery@gmail.com>
Date: Fri, 5 Sep 2014 20:34:09 +0300
To: Julian Reschke <julian.reschke@gmx.de>
Cc: public-webapps@w3.org, Anne van Kesteren <annevk@annevk.nl>
Message-ID: <CAK_k1uwfmHzCzBKFZkgkpJrFP8fRMbx4-uwtTYzKv7g-S11xAA@mail.gmail.com>

2014-09-05 13:28 GMT+03:00 Julian Reschke <julian.reschke@gmx.de>:

> On 2014-09-04 20:32, Валерий Котов wrote:
>
>> Greetings everybody!
>>
>> My name is Valery. I'm currently working on adding support for "OPTION"
>> http request method for XMLHttpRequest class inside Qt framework.
>> According to RFC (http://tools.ietf.org/html/rfc2616#page-52) request
>> uri can contian asterisk ("*"). Please see quotation from RFC below.
>> "If the Request-URI is an asterisk ("*"), the OPTIONS request is
>> intended to apply to the server in general rather than to a specific
>> resource."
>>
>> Normally, to send http request the code should be like the following.
>> var req = new XMLHttpRequest();
>> req.open("OPTIONS", url);
>> req.send(null);
>>
>> I had a look at http://xhr.spec.whatwg.org/ and
>> http://www.w3.org/TR/XMLHttpRequest/ documents. Unfortunately, I can't
>> find any mention about sending "OPTIONS *" request by using
>> XMLHttpRequest class.
>>
>> Could you please tell if it is possible to send "OPTIONS *" http request
>> by using XMLHttpRequest class? Could you please tell which syntax should
>> be used to send "OPTIONS *" http request?
>>
>> Thank you for your support!
>> --
>>
>> Sincerely yours,
>> Valery Kotov
>
>
Thank you everybody for responses!

> Out of curiosity - do you have a use case where you need to be able to
send "OPTIONS *"?
Unfortunately, I can't think of any specific use case except getting
general server settings. For example (from specification), OPTIONS request
can be used to test proxy for HTTP/1.1 conformance.

> This is the most up-to-date reference, btw:
> http://httpwg.github.io/specs/rfc7230.html#asterisk-form
Please see quotation from rfc7230 below:
If a proxy receives an OPTIONS request with an absolute-form of
request-target in which the URI has an empty path and no query component,
then the last proxy on the request chain MUST send a request-target of "*"
when it forwards the request to the indicated origin server.
For example, the request
OPTIONS http://www.example.org:8001 HTTP/1.1
would be forwarded by the final proxy as
OPTIONS * HTTP/1.1
Host: www.example.org:8001

Does this mean that OPTIONS the request
var req = new XMLHttpRequset();
req.open("OPTIONS", "http://www.example.org:8001");
Should be send as "OPTIONS *" request? Could I probably get something wrong?

> That is not supported. I suspect adding support for it might create a
> security vulnerability for servers as it is not something they
> anticipate a browser to do.
Unfortunately, I do not have enough experience in that area. But I'm really
curious to know it better. Could you please explain how "OPTIONS *" request
can lead to security vulnerability?

Just to make some conclusion. Is it true, that "OPTIONS *" request in not
supported by XMLHttpRequest class (and will not be supported in future)?

Thank you!
-- 

Sincerely yours,
Valery Kotov

Received on Friday, 5 September 2014 17:34:37 UTC