Re: XMLHttpRequest. Support for "OPTIONS *" method.

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 05 Sep 2014 10:35:27 +0200
Message-ID: <540975CF.3010004@gmx.de>
To: Anne van Kesteren <annevk@annevk.nl>, Mark Nottingham <mnot@mnot.net>
CC: Валерий Котов <kotov.valery@gmail.com>, WebApps WG <public-webapps@w3.org>, WebAppSec WG <public-webappsec@w3.org>

On 2014-09-05 10:03, Anne van Kesteren wrote:
> On Thu, Sep 4, 2014 at 11:09 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> Huh?
>>
>> OPTIONS * isn’t exactly common, but it’s very much OK by HTTP…
>
> Sure. It's not supported by XMLHttpRequest. If you pass "*" as URL
> argument, you'll get a request for "/baseURL/*". And since it's not
> supported by XMLHttpRequest, servers might not anticipate a browser to
> issue such a request and therefore be vulnerable in some way.
>
> We could definitely add a new step to
> http://xhr.spec.whatwg.org/#dom-xmlhttprequest-open between 5 and 6 to
> not parse the url parameter if it is "*" and normalized method is
> "OPTIONS".
> ...

That would be a hack; there may be legitimate reasons to do a request 
for "/baseURL/*".

IMHO "OPTIONS *" is an ugly thing in the first place; I'd prefer clients 
not to be extended to deal with that.

*If* you choose to do it, you'll need an approach other than overloading 
the requestURI.

Best regards, Julian
Received on Friday, 5 September 2014 08:36:09 UTC