Comment #10 on issue 20624 by [email protected]: Extension background page xhr.setRequestHeader will send HTTP OPTIONS verb http://code.google.com/p/chromium/issues/detail?id=20624
I'll try again later, but if that's the case, it's still a bug, for several reasons:

First, if you don't have XHR access to a given domain, you shouldn't be able to send ANY queries to it. Seems to me that if the target server responds to OPTIONS, you might be able to steal cookies, etc. Even if it does nothing, you've still got a potential DOS and other nastiness.

Second, this is NOT the right way to report this error -- you could get a success, if the HTTP server in question supports OPTIONS. Even if you get an error, the error you get will be something from the server -- in my case, it was "not implemented" -- which isn't at all the same thing as Chromium itself telling me that I'm not allowed to send the request.

And finally, this was happening to me based on what headers were set. It actually worked when I stopped setting custom headers -- even if I deliberately set headers it recognized. So if it is a problem with the permissions list, that means I'm able to get around it by not setting headers -- a possible security flaw.

So, I will go back and verify -- but at the time I reported this, I was trying everything, including setting "permissions" to let me access everything.
