I was trying to figure out why I was seeing POST requests converted to OPTIONS requests in Firefox and Safari when the XMLHTTPRequest was being sent to a "foreign" domain (i.e., a security violation)
I searched for "OPTIONS" and "POST" and "Firefox" and found this. So it looks like there's a way to configure a server to permit cross-domain access (like Flash's crossdomain.xml), to compliant browsers (which it appears Safari and Firefox are, dunno about Opera or IE). https://developer.mozilla.org/en/http_access_control Overview The Cross-Origin Resource Sharing standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information using a web browser. Firefox supports these headers and enforces the restrictions they establish. Additionally, for HTTP request methods that can cause side-effects on user data (in particular, for HTTP methods other than GET, or for POST usage with certain MIME types), the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request header, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether "credentials" (including Cookies and HTTP Authentication data) should be sent with requests. Subsequent sections discuss scenarios, as well as a breakdown of the HTTP headers used. -- Henry Minsky Software Architect [email protected]
