Firefox 3.1 implements the W3C Access Control specification. As a result, Firefox 3.1 sends specific HTTP headers for cross-site requests initiated from within
Simple Cross-Site Requests
Simple Access Control Requests are initiated when:
- An HTTP/1.1 POST is used as request method. In the case of a POST, the Content-Type of the request body is one of
- No custom headers are sent with the HTTP Request (such as
In this case, responses can be sent back based on some considerations.
- If the resource in question is meant to be widely accessed (just like any HTTP resource accessed by GET), then sending back the Access-Control-Origin: * header will be sufficient, unless the resource needs credentials such as Cookies and HTTP Authentication information.
- If the resource should be kept restricted based on requester domain, OR if the resource needs to be accessed with credentials (or sets credentials), then filtering by the request's ORIGIN header may be necessary, or at least echoing back the requester's origin (e.g. Access-Control-Origin: http://arunranga.com). Additionally, the Access-Control-Allow-Credentials: true header will have to be sent. This is discussed in a subsequent section.
The section on Simple Access Control Requests shows you the header exchanges between client and server. Here is a PHP code segment that handles a Simple Request:
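The following PHP segment is an added example and is not the code from the original page: it shows one way a server can decide which headers to send for a Simple Request, covering both cases described above (a widely accessible resource answered with a wildcard, and a restricted, credentialed resource answered by echoing an allowlisted origin). It assumes PHP 7.1 or later. The allowlist entries are constructed (arunranga.com appears in the text above; app.example.com is hypothetical), and the header names are those of the finalized CORS specification, where the header the text above calls Access-Control-Origin is named Access-Control-Allow-Origin.

```php
<?php
// Added example (not from the original page): choose CORS response headers
// for a Simple Request based on the request's Origin header.
// Header names follow the finalized CORS specification.

// Constructed allowlist of exact origins (scheme://host[:port]) permitted
// to read this resource with credentials. Values are hypothetical.
const ALLOWED_ORIGINS = [
    'http://arunranga.com',
    'https://app.example.com',
];

/**
 * Compute the response headers for a cross-site Simple Request.
 *
 * @param ?string $origin   Value of the request's Origin header, or null if absent.
 * @param bool    $isPublic True if any site may read the resource (no credentials).
 * @return array<string,string> Header name => value pairs to emit.
 */
function corsHeadersFor(?string $origin, bool $isPublic): array
{
    // No Origin header means the request was not cross-site: send nothing.
    if ($origin === null || $origin === '') {
        return [];
    }

    // Widely accessible, credential-free resource: a wildcard is sufficient.
    if ($isPublic) {
        return ['Access-Control-Allow-Origin' => '*'];
    }

    // Restricted resource: exact, case-sensitive match against the allowlist.
    // A substring or prefix check (e.g. strpos) would also accept an origin
    // such as http://arunranga.com.attacker.example, so compare whole strings.
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        // Not allowed: omit the header and the browser denies the read.
        return [];
    }

    // Allowed: echo back this specific origin, never '*', because the
    // response carries credentials (browsers reject '*' together with
    // Access-Control-Allow-Credentials: true). Vary: Origin keeps shared
    // caches from serving one origin's response to another.
    return [
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
        'Vary'                             => 'Origin',
    ];
}

if (PHP_SAPI !== 'cli') {
    // Request handler path: emit the headers, then the resource body.
    $origin = $_SERVER['HTTP_ORIGIN'] ?? null;
    foreach (corsHeadersFor($origin, false) as $name => $value) {
        header("$name: $value");
    }
    header('Content-Type: text/plain');
    echo "Hello from a restricted resource\n";
} else {
    // Offline walk-through with constructed sample origins.
    var_dump(corsHeadersFor('http://arunranga.com', false));  // echoed origin + credentials
    var_dump(corsHeadersFor('http://evil.example', false));   // empty: no header sent
    var_dump(corsHeadersFor('http://evil.example', true));    // wildcard only
}
```

The decision is kept in a pure function so it can be unit-tested apart from the web server; the two failure modes worth checking are that an unlisted origin produces no Access-Control-Allow-Origin header at all, and that the credentialed branch never emits a wildcard.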