Problem when making AJAX DELETE request by sending JSON

Viewed 342 times

1

When making a DELETE request to a URL that does not support OPTIONS, the browser returns:

405 Method Not Allowed

Is there any way, in my JavaScript code, to prevent the browser from sending an OPTIONS pre-request before sending the DELETE?

1 answer

2


No (*). When the browser sends AJAX requests to a service, it sends all cookies related to the service's domain. Consider the scenario where you navigate to http://site.malvado.com/ and that site sends a DELETE (or POST, or PUT) to http://seu.banco.com/contas: if the bank site uses a simple authentication mechanism based on the presence of a user cookie, then it will delete your accounts. To prevent this type of attack, when a (modern) browser sends requests to a domain other than the page's, it follows the CORS protocol, which requires an OPTIONS request. If the server is aware of the possibility of these attacks (i.e., does not use a form of authentication that is vulnerable), then it will enable CORS and will be able to respond to OPTIONS requests. If the service does not accept OPTIONS, it is possible that it is not prepared to deal with cross-domain attacks.

(*) However, there are situations where you want to get around this restriction. A few options:

  • use a proxy in the same domain as your website: your page makes requests to a service in your own application. Since the domain is the same as the page's, the CORS restriction does not apply. The browser will send your domain's cookies, and your server-side code (e.g., PHP, C#) can call the final service. Note that it will not have any of that domain's cookies, which "saves" the service from the attack.
  • use a plug-in in the browser: depending on the plug-in's implementation, it may have access to all cookies, and it is not subject to the CORS restriction. But this solution requires the user to install the plug-in on their machine, which greatly limits its use.
  • It really doesn't accept OPTIONS. The interesting thing is that this doesn't happen when I do a POST. Could you point me to an extension (Chrome)?

  • I'm sorry, I don't know of any extensions. If the server supports POST, then it may be a version that is only configured to support GET and POST. If that is the case, and the server supports the X-HTTP-Method-Override header, you can try using it to see if it works.
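The three mechanisms discussed in this answer and its comments (which requests trigger the OPTIONS preflight, what a same-origin proxy should forward, and how a server can safely honor X-HTTP-Method-Override) as an added, runnable Node.js example. This is not code from the original post or from any of the services mentioned; the preflight rules follow the Fetch standard's CORS-safelisted method and header definitions, the `needsPreflight`, `effectiveMethod` and `proxyHeaders` function names and the `OVERRIDABLE` allowlist are this example's own choices, and the Content-Type comparison simplifies the standard by checking only the media type (ignoring parameters such as charset, the byte-length limits, and the restricted Range header).

```javascript
// Added example, not from the original post. Rules below follow the Fetch
// standard's "CORS-safelisted" definitions, simplified: only the media type of
// Content-Type is compared (charset and other parameters are ignored), and the
// standard's header value length limits and the Range header are not modelled.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when a browser would send an OPTIONS preflight before this cross-origin
// request. `headers` holds only the headers the page's script sets itself;
// headers the browser adds on its own (Origin, Cookie, ...) are not included.
function needsPreflight(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === "content-type") {
      const mediaType = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) return true;
    }
  }
  return false;
}

// Server-side resolution of X-HTTP-Method-Override (the workaround from the
// last comment). It is honored only on POST and only for a fixed allowlist, so
// a plain GET can never be turned into a state-changing method. This is an
// assumed policy for the example, not a rule from the original post.
const OVERRIDABLE = new Set(["PUT", "PATCH", "DELETE"]);

function effectiveMethod(method, headers = {}) {
  const m = method.toUpperCase();
  if (m !== "POST") return m;
  const entry = Object.entries(headers)
    .find(([k]) => k.toLowerCase() === "x-http-method-override");
  if (!entry) return m;
  const wanted = String(entry[1]).toUpperCase();
  return OVERRIDABLE.has(wanted) ? wanted : m;
}

// Headers a same-origin proxy (first bullet in the answer) forwards to the
// final service. The browser's credentials for the proxy's own domain (Cookie,
// Authorization) are dropped, along with hop-by-hop headers, so the proxy does
// not replay the user's cookies against the final service.
const NOT_FORWARDED = new Set([
  "cookie", "authorization", "host", "connection", "content-length",
]);

function proxyHeaders(incoming) {
  const out = {};
  for (const [k, v] of Object.entries(incoming)) {
    if (!NOT_FORWARDED.has(k.toLowerCase())) out[k] = v;
  }
  return out;
}

// Constructed sample requests, showing why a DELETE (or a JSON POST) is
// preflighted while a form-encoded POST is not.
const samples = [
  ["DELETE", { "Content-Type": "application/json" }],
  ["POST", { "Content-Type": "application/x-www-form-urlencoded" }],
  ["POST", { "Content-Type": "application/json" }],
  ["GET", { "X-Requested-With": "XMLHttpRequest" }],
];
for (const [method, headers] of samples) {
  console.log(method, JSON.stringify(headers), "preflight:", needsPreflight(method, headers));
}
console.log("POST + override DELETE ->", effectiveMethod("POST", { "X-HTTP-Method-Override": "DELETE" }));
console.log("forwarded:", proxyHeaders({ Cookie: "session=abc", Accept: "application/json", Host: "proxy.example" }));
```

Running this shows that the DELETE from the question, and a POST carrying `application/json`, are both preflighted, while a POST with a form content type is not; that difference is what makes a "POST works but DELETE does not" observation consistent with the answer. The override and proxy helpers are the server-side half: whichever workaround is chosen, the server still needs its own CSRF defence, since the preflight the workaround removes was what protected it.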
