Closed Bug 397879 Opened 17 years ago Closed 17 years ago

Use Method-Check request header for non-GET access requests

Component: Core :: DOM: Core & HTML (defect, P3)
Platform: x86 / Linux


RESOLVED FIXED

People

(Reporter: annevk, Assigned: suryaismail)


Attachments (1 file): (deleted), application/octet-stream
When doing a cross-site non-GET XMLHttpRequest request use an If-Method-Allowed request header as per http://dev.w3.org/2006/waf/access-control/Overview.html to tell the server what type of request you want to perform.
Flags: blocking1.9?
Blocks: xxx
The method has been renamed as Hixie pointed out that If-Method-Allowed had different semantics from other If-* headers. http://dev.w3.org/2006/waf/access-control/#access1 has details.
Summary: Use a If-Method-Allowed request header for non-GET requests → Use Method-Check request header for non-GET access requests
Surya, could you have a look at this too? Shouldn't be very different from the fix to bug 397878.
Assignee: nobody → suryaismail
Flags: blocking1.9? → blocking1.9+
Status: NEW → ASSIGNED
This should have been fixed in bug 411530.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Resolution: FIXED → WORKSFORME
Flags: in-testsuite?
I have some questions:
1) Current implementation requires an Allow: METHOD header. Is that still the case with the method list?
2) How would a PI with a method list look? <?access-control allow="http://example.org method POST"?> ?
3) Requesting method doesn't seem to be checked against the method list. Do a cross-site XHR with method POST. Say the response header has: Access-Control: allow <http://localhost:8888> method PUT. Request fails, but seems to fail for parsing reasons, not because of the method list.
3) Redirection doesn't seem to be supported.
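The check that question 3 says is missing (requested method against the method list of a matching allow clause), written here as an added example; it is not code from this bug or from Firefox. It parses the pre-CORS Access-Control header syntax quoted in the comment and decides the cross-site request; everything beyond that one quoted form (multiple allow clauses, comma-separated methods, "*" as a wildcard, GET-only when no method list is present, the Method-Check header carrying a single method) is an assumption.

```python
import re

# Assumed grammar, generalised from the comment's "allow <http://localhost:8888> method PUT":
# any number of allow clauses, each optionally followed by a comma-separated method list.
_CLAUSE = re.compile(
    r"allow\s*<([^>]*)>(?:\s*method\s+([A-Za-z]+(?:\s*,\s*[A-Za-z]+)*))?", re.I
)


def preflight_headers(method):
    """Header the client adds to the OPTIONS policy request for a non-GET method
    (assumption: one Method-Check header naming the method it intends to use)."""
    return {"Method-Check": method.upper()}


def parse_access_control(value):
    """Turn an Access-Control response header into [(origin_pattern, methods)].
    A clause with no method list is taken to permit only GET (assumed default)."""
    rules = []
    for m in _CLAUSE.finditer(value):
        pattern = m.group(1).strip().lower()
        raw = m.group(2) or ""
        methods = [x.strip().upper() for x in raw.split(",") if x.strip()]
        rules.append((pattern, methods or ["GET"]))
    return rules


def origin_matches(pattern, origin):
    # Exact origin match or the "*" wildcard; any other pattern is rejected (assumption).
    return pattern == "*" or pattern == origin.strip().lower()


def request_allowed(header_value, origin, method):
    """Policy decision for the cross-site request in the comment: allowed only if
    some clause matches the requesting origin AND lists the requested method."""
    method = method.upper()
    for pattern, methods in parse_access_control(header_value):
        if origin_matches(pattern, origin) and method in methods:
            return True
    return False
```

With the comment's header, a POST from http://localhost:8888 is refused because only PUT is listed, which is the outcome the comment expected the method list to produce.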
Attached file: Some mochitests (deleted)
If the tests look reasonable, I'll try to implement the behaviour.
I suggest taking a look at the CGI-like functionality being provided in bug 401649 (to be landed when I have time and when the tree's open, likely within the next couple days, so don't worry about it not being in the tree yet). Positive functionality tests are good, but if XXX is to be secure the negative functionality guarantees are what matter. There's currently no easy way to statefully process requests (without storing temporary files on the file system), so if you need that ability let me know and I'll come up with some reasonable API for it. You may be able to get quite a ways without it, tho, just by inspecting header values and the request method; I don't know for sure.
In reply to comment 4:
1) The Allow HTTP header is no longer used.
2) A PI with method="" is not part of Access Control as the OPTIONS method is used to check the policy and therefore the response entity body is not checked at all. (It may be that Firefox is not yet updated and still uses GET which would be problematic.)
3) Sounds like a bug.
3b) Jonas told me redirection was not supported for this release of Firefox. If it can be enabled that would be cool!
In reply to comment 7: 2) Ok, that makes sense. But in 5.2.1 of the spec, it says: "An unordered, initially empty, PI access control allow list, of which each list item contains a match list, an exclude list, and a method list." What does method list mean here?
Ah, I will remove that later today. For a short while we used GET and <?access-control?> had a method="" pseudo-attribute. That's removed almost everywhere except there it seems. Thanks!
Note that there is a proposal to remove the Method-Check header along with the list of methods in the Access-Control header. So we shouldn't do any work on that for now.
I tried making all the changes suggested on the mailing list with regards to the protocol. This means that several headers (including Referer-Root) are renamed, deny clauses are gone, and the list of methods is gone. Reopening this bug so it's being kept track of somehow.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Please file new bugs instead. Otherwise this bug will just be confusing.
Status: REOPENED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Component: DOM → DOM: Core & HTML