Thursday, December 3, 2009

Cross-Origin Resource Sharing (CORS) aka valid Cross-Site Scripting (XSS)

Ever tried to create a web application that could feasibly work from any other website (or even the desktop) without the client having to set up anything - a sort of pluggable widget? Ugh...

I'd like to have a nice large table for the various scenarios and browsers, but until then I'll just make my notes here.

AJAX Cross Site

GET allows only application/json, application/javascript, text/javascript
GET may have a body (thus emulating an AJAX post), except in IE
POST is forbidden
HEADERS forbid X-HTTP-Method-Override
CORS is supported by all modern browsers except Opera

HTML Cross Site

GET allows application/json, application/javascript, text/javascript
GET forbids text/plain

POST allows application/json, application/x-www-form-urlencoded, multipart/form-data
POST forbids none

Everything should be supported
HEADERS allow X-HTTP-Method-Override
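As an added example (not part of the original post), the JavaScript below encodes the cross-site AJAX rules these notes are about: which methods, headers and Content-Type values a browser sends directly and which force a CORS preflight, following the rules as later standardized in the Fetch specification, plus a server-side origin allow-list check that goes beyond the notes (the server reflects only a known origin, never an arbitrary one, which is what keeps CORS from becoming the "valid XSS" of the title). All function and constant names are my own.

```javascript
// Added example, not code from the original post. Classifies a cross-origin
// XMLHttpRequest as "simple" (sent directly) or "preflighted" (the browser first
// sends OPTIONS), per the CORS rules standardized in the Fetch specification.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Returns a short reason why a preflight is required, or null if the request is simple.
function preflightReason(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return `method ${method}`;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    // Any non-safelisted header (e.g. X-HTTP-Method-Override) triggers a preflight.
    if (!SAFE_HEADERS.has(lname)) return `header ${name}`;
    if (lname === "content-type") {
      // Drop MIME parameters such as "; charset=utf-8" before comparing.
      const mime = value.split(";")[0].trim().toLowerCase();
      // application/json and application/javascript are not safelisted.
      if (!SAFE_CONTENT_TYPES.has(mime)) return `content-type ${mime}`;
    }
  }
  return null;
}

// Server side: reflect the Origin only when it is on an explicit allow-list.
// Returns the CORS response headers to emit, or null when the origin is refused.
// "*" is never used, so credentialed (cookie-bearing) requests cannot be read
// by an arbitrary site.
function corsResponseHeaders(origin, allowedOrigins, withCredentials) {
  if (!allowedOrigins.includes(origin)) return null;
  const h = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (withCredentials) h["Access-Control-Allow-Credentials"] = "true";
  return h;
}
```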

