On 2014-09-05 10:03, Anne van Kesteren wrote:
> On Thu, Sep 4, 2014 at 11:09 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> Huh?
>>
>> OPTIONS * isn’t exactly common, but it’s very much OK by HTTP…
>
> Sure. It's not supported by XMLHttpRequest. If you pass "*" as URL
> argument, you'll get a request for "/baseURL/*". And since it's not
> supported by XMLHttpRequest, servers might not anticipate a browser to
> issue such a request and therefore be vulnerable in some way.
>
> We could definitely add a new step to
> http://xhr.spec.whatwg.org/#dom-xmlhttprequest-open between 5 and 6 to
> not parse the url parameter if it is "*" and normalized method is
> "OPTIONS".
> ...

That would be a hack; there may be legitimate reasons to do a request for "/baseURL/*".

IMHO "OPTIONS *" is an ugly thing in the first place; I'd prefer clients not to be extended to deal with that. *If* you choose to do it, you'll need an approach other than overloading the requestURI.

Best regards,
Julian

Received on Friday, 5 September 2014 08:36:09 UTC
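The point both sides of the thread rely on is that the XHR `open()` steps parse the `url` argument as a relative URL, so `"*"` becomes a path under the document's base rather than the asterisk-form `OPTIONS *` request target. The following is an added example, not code from the thread or from the XHR or URL specifications; it uses the WHATWG `URL` parser (available in browsers and Node) to show what a client actually requests, and sketches how a server can keep the two request-target forms apart so that a path merely ending in `*` is authorized like any other path. The function names and the request lines are constructed for the example.

```javascript
// Added example (not from the thread). Shows the URL a browser-side caller
// ends up requesting when it passes "*" to XMLHttpRequest.open(), and how a
// server can distinguish the asterisk-form request target ("OPTIONS *") from
// an origin-form path that happens to end in "*".

// Resolve the string passed to open() against the document base, the way
// the open() steps parse the url argument with the WHATWG URL parser.
function resolveXhrUrl(urlArg, documentBase) {
  return new URL(urlArg, documentBase).href;
}

// Classify the request target exactly as it appears on the wire.
// Only a bare "*" is the server-wide asterisk-form; "/app/*" is an ordinary
// origin-form path and must go through normal routing and authorization.
function classifyOptionsTarget(method, requestTarget) {
  if (method !== "OPTIONS") return "not-options";
  if (requestTarget === "*") return "asterisk-form";
  if (requestTarget.startsWith("/")) return "origin-form";
  return "other-form";
}

// Minimal request-line parser for the demo (hypothetical helper, not a
// full HTTP parser): "METHOD SP request-target SP HTTP-version".
function parseRequestLine(line) {
  const parts = line.trim().split(" ");
  if (parts.length !== 3) throw new Error("malformed request line");
  return { method: parts[0], target: parts[1], version: parts[2] };
}

// Walk through the scenario from the thread with constructed inputs.
function demo() {
  const documentBase = "https://example.com/app/page.html"; // constructed
  const resolved = resolveXhrUrl("*", documentBase);        // https://example.com/app/*
  const path = new URL(resolved).pathname;                  // /app/*

  // What the server sees from the XHR call: a normal path, not "*".
  const fromXhr = classifyOptionsTarget("OPTIONS", path);

  // What a genuine server-wide OPTIONS looks like on the wire (constructed line).
  const wire = parseRequestLine("OPTIONS * HTTP/1.1");
  const serverWide = classifyOptionsTarget(wire.method, wire.target);

  return { resolved, path, fromXhr, serverWide };
}

console.log(demo());
```

A server that special-cases `*` should compare the raw request target, as `classifyOptionsTarget` does, rather than testing whether the decoded path contains or ends with `*`; otherwise `/app/*` reached through XHR would be handled by the server-wide branch, which is the kind of unanticipated request the thread worries about.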
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC