So, this would work automagically if the server said it was ok? Or do we need to do something more on the client side to take advantage of this?
On 2010-09-19, at 09:27, Henry Minsky wrote:

> I was trying to figure out why I was seeing POST requests converted to
> OPTIONS requests in Firefox and Safari when
> the XMLHTTPRequest was being sent to a "foreign" domain (i.e., a security
> violation)
>
> I searched for "OPTIONS" and "POST" and "Firefox" and found this. So it
> looks like there's a way to configure a server
> to permit cross-domain access (like Flash's crossdomain.xml), to compliant
> browsers (which it appears Safari and
> Firefox are, dunno about Opera or IE).
>
>
> https://developer.mozilla.org/en/http_access_control
>
> Overview
>
> The Cross-Origin Resource Sharing standard works by adding new HTTP headers
> that allow servers to describe the set of origins that are permitted to read
> that information using a web browser. Firefox supports these headers and
> enforces the restrictions they establish. Additionally, for HTTP request
> methods that can cause side-effects on user data (in particular, for
> HTTP methods other than GET, or for POST usage with certain MIME types), the
> specification mandates that browsers "preflight" the request, soliciting
> supported methods from the server with an HTTP OPTIONS request header, and
> then, upon "approval" from the server, sending the actual request with the
> actual HTTP request method. Servers can also notify clients whether
> "credentials" (including Cookies and HTTP Authentication data) should be
> sent with requests.
>
> Subsequent sections discuss scenarios, as well as a breakdown of the HTTP
> headers used.
>
>
> --
> Henry Minsky
> Software Architect
> [email protected]
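Added example, not part of either message: a sketch of the server-side decision the quoted overview describes, answering both the preflight OPTIONS and the actual request from an origin allowlist. The policy values, the origins and the `corsDecision` name are constructed for illustration; a compliant browser issues the preflight on its own, and a script opts in to sending cookies with `xhr.withCredentials = true`.

```javascript
// Constructed policy for illustration; origins and limits are assumptions.
const POLICY = {
  origins: new Set(["https://app.example.org"]),
  methods: ["GET", "POST"],
  headers: ["content-type", "x-requested-with"],
  credentials: true,
  maxAge: 600, // seconds the browser may cache a preflight result
};

// req: { method, headers } with lower-cased header names, as Node provides.
// Returns which kind of CORS request this is, whether the policy permits it,
// and the response headers to send.
function corsDecision(req, policy = POLICY) {
  const origin = req.headers["origin"];
  const wanted = req.headers["access-control-request-method"];
  const kind = req.method === "OPTIONS" && wanted ? "preflight" : "actual";
  // Vary: Origin keeps caches from reusing one origin's answer for another.
  const headers = { Vary: "Origin" };

  // Missing or unknown origin: send no Access-Control-* headers. The browser
  // then withholds the response from the script. A non-preflighted request
  // has still reached the server, so this does not replace authorization.
  if (!origin || !policy.origins.has(origin)) {
    return { kind, allowed: false, headers };
  }
  if (kind === "preflight") {
    const asked = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = policy.methods.includes(wanted) &&
      asked.every((h) => policy.headers.includes(h));
    if (!ok) return { kind, allowed: false, headers };
    headers["Access-Control-Allow-Methods"] = policy.methods.join(", ");
    headers["Access-Control-Allow-Headers"] = policy.headers.join(", ");
    headers["Access-Control-Max-Age"] = String(policy.maxAge);
  }
  // Echo the one matching origin; "*" cannot be combined with credentials.
  headers["Access-Control-Allow-Origin"] = origin;
  if (policy.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return { kind, allowed: true, headers };
}
```

A server would answer an allowed preflight with these headers and an empty body, and attach the headers from the "actual" case to its normal response.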
