public-webappsec@w3.org mailing list archive, September 2014

Re: XMLHttpRequest. Support for "OPTIONS *" method.

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 5 Sep 2014 11:06:48 +0300
Cc: Валерий Котов <kotov.valery@gmail.com>, WebApps WG <public-webapps@w3.org>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <8C16FD85-3143-47D3-9809-B18EA827B0DB@mnot.net>
To: Anne van Kesteren <annevk@annevk.nl>

On 5 Sep 2014, at 11:03 am, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Sep 4, 2014 at 11:09 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> Huh?
>> 
>> OPTIONS * isn't exactly common, but it's very much OK by HTTP.
> 
> Sure. It's not supported by XMLHttpRequest. If you pass "*" as URL
> argument, you'll get a request for "/baseURL/*". And since it's not
> supported by XMLHttpRequest, servers might not anticipate a browser to
> issue such a request and therefore be vulnerable in some way.

That would be foolish, since browsers don't have an exclusive license to emit HTTP requests.


> We could definitely add a new step to
> http://xhr.spec.whatwg.org/#dom-xmlhttprequest-open between 5 and 6 to
> not parse the url parameter if it is "*" and normalized method is
> "OPTIONS".
> 
> Added WebAppSec, perhaps they can offer some insight into whether this
> is feasible.

Sounds reasonable. I question whether the use cases justify the work, but that's up to you.

FWIW - https://www.mnot.net/blog/2012/10/29/NO_OPTIONS

Cheers,

--
Mark Nottingham   http://www.mnot.net/
Received on Friday, 5 September 2014 08:07:17 UTC
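The behaviour the two messages describe, as an added illustration that is not part of the thread and not code from the XHR spec or any browser: today `open()` resolves every URL argument against the document base URL, so `xhr.open("OPTIONS", "*")` produces a request for `/base/*`; the step Anne proposes would leave `"*"` unparsed when the normalised method is `OPTIONS`, yielding the asterisk-form request-target that HTTP defines. The function names (`normalizeMethod`, `requestTargetToday`, `requestTargetProposed`, `requestLine`) and the base URL are my own, and Node's WHATWG-compatible `URL` class stands in for the browser's URL parser.

```javascript
// Added example, not from the mailing-list thread or the XHR spec.
// Hypothetical helper names; uses Node's WHATWG URL parser as the browser would.

// Method names XHR normalises to uppercase (the XHR spec's list).
const NORMALISED_METHODS = ["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"];
// Methods XHR rejects with a SecurityError.
const FORBIDDEN_METHODS = ["CONNECT", "TRACE", "TRACK"];

// XHR open() steps: reject non-token and forbidden methods, normalise case.
function normalizeMethod(method) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(method)) {
    throw new SyntaxError(`invalid method token: ${method}`);
  }
  const upper = method.toUpperCase();
  if (FORBIDDEN_METHODS.includes(upper)) {
    throw new Error(`SecurityError: method ${upper} is forbidden`);
  }
  return NORMALISED_METHODS.includes(upper) ? upper : method;
}

// Current behaviour: the url argument is always parsed against the base URL,
// so a literal "*" becomes a path segment under the base's directory.
function requestTargetToday(method, url, baseURL) {
  const m = normalizeMethod(method);
  const parsed = new URL(url, baseURL);
  return { method: m, target: parsed.pathname + parsed.search };
}

// Proposed behaviour: an extra step between open()'s steps 5 and 6 that
// skips URL parsing when the normalised method is OPTIONS and url is "*".
function requestTargetProposed(method, url, baseURL) {
  const m = normalizeMethod(method);
  if (m === "OPTIONS" && url === "*") {
    return { method: m, target: "*" }; // asterisk-form request-target
  }
  const parsed = new URL(url, baseURL);
  return { method: m, target: parsed.pathname + parsed.search };
}

// Render the HTTP/1.1 request line the browser would put on the wire.
function requestLine({ method, target }) {
  return `${method} ${target} HTTP/1.1`;
}

// Constructed document base URL for the demonstration.
const base = "https://example.test/app/page.html";

console.log(requestLine(requestTargetToday("options", "*", base)));
// OPTIONS /app/* HTTP/1.1
console.log(requestLine(requestTargetProposed("options", "*", base)));
// OPTIONS * HTTP/1.1
```

Only the exact pair (`OPTIONS`, `"*"`) is special-cased; `"*?x=1"` or a `GET` for `"*"` still go through the URL parser and hit `/app/*`. Whether an origin should receive `OPTIONS *` at all is a separate question: a server that dispatches purely on a path will see a request-target that is not a path, so the step only helps where the server actually implements the server-wide form.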