Re: XMLHttpRequest. Support for "OPTIONS *" method.

2014-09-05 13:28 GMT+03:00 Julian Reschke <>:

> On 2014-09-04 20:32, Валерий Котов wrote:
>> Greetings everybody!
>> My name is Valery. I'm currently working on adding support for "OPTION"
>> http request method for XMLHttpRequest class inside Qt framework.
>> According to RFC ( request
>> uri can contian asterisk ("*"). Please see quotation from RFC below.
>> "If the Request-URI is an asterisk ("*"), the OPTIONS request is
>> intended to apply to the server in general rather than to a specific
>> resource."
>> Normally, to send http request the code should be like the following.
>> var req = new XMLHttpRequest();
>>"OPTIONS", url);
>> req.send(null);
>> I had a look at and
>> documents. Unfortunately, I can't
>> find any mention about sending "OPTIONS *" request by using
>> XMLHttpRequest class.
>> Could you please tell if it is possible to send "OPTIONS *" http request
>> by using XMLHttpRequest class? Could you please tell which syntax should
>> be used to send "OPTIONS *" http request?
>> Thank you for your support!
>> --
>> Sincerely yours,
>> Valery Kotov
Thank you everybody for responses!

> Out of curiosity - do you have a use case where you need to be able to
send "OPTIONS *"?
Unfortunately, I can't think of any specific use case except getting
general server settings. For example (from specification), OPTIONS request
can be used to test proxy for HTTP/1.1 conformance.

> This is the most up-to-date reference, btw:
Please see quotation from rfc7230 below:
If a proxy receives an OPTIONS request with an absolute-form of
request-target in which the URI has an empty path and no query component,
then the last proxy on the request chain MUST send a request-target of "*"
when it forwards the request to the indicated origin server.
For example, the request
would be forwarded by the final proxy as

Does this mean that OPTIONS the request
var req = new XMLHttpRequset();"OPTIONS", "");
Should be send as "OPTIONS *" request? Could I probably get something wrong?

> That is not supported. I suspect adding support for it might create a
> security vulnerability for servers as it is not something they
> anticipate a browser to do.
Unfortunately, I do not have enough experience in that area. But I'm really
curious to know it better. Could you please explain how "OPTIONS *" request
can lead to security vulnerability?

Just to make some conclusion. Is it true, that "OPTIONS *" request in not
supported by XMLHttpRequest class (and will not be supported in future)?

Thank you!

Sincerely yours,
Valery Kotov

Received on Friday, 5 September 2014 17:34:37 UTC