views:

73

answers:

1

Hi,

For some reason whenever I do an async request using YUI and specify it to be a GET or POST, and the request is HTTPS, the actual request comes through with the OPTIONS request method.

help! why is it doing this?

P.S. I tried this with Prototype and got the same deal.

+3  A: 

I'm assuming the request is being made from the a non secure (http) page. (Or if it is from a secure page, then the domains are probably different.)

The request to your secure (https) resource is considered cross origin. For the GET/POST to be successful the origin and the target fully qualified domain names, must be exactly the same to comply with same origin security policies.

The OPTIONS request is essentially the HTTP handshake, or preflight that occurs between the client and the target resource to establish whether or not the client has permission to access the target resource from the origin.

Modern web browsers such as Safari and Firefox have implementations of the W3C Cross Origin Resource Sharing draft policy, so you will see the OPTIONS preflight communication when it fails - probably with some sort of security or network related JavaScript error. If the OPTIONS preflight is successful, the original GET/POST can occur.

I recommend reading up on:

Dean Burge
Thanks Dean! Really helpful.
stevebot