Firefox 3.5 and http access control – the nightmare

I updated Firefox to version 3.5 code-named Shiretoko. I then discovered that I had some problems with one of my WordPress installations. The problem was that I could not add a new category. I clicked the damn button over and over again and… nothing. It seemed that it didn’t even perform the request so I obviously went to my firebug to see if any request was made. And it was – an OPTIONS request. And that’s when the sad story began…

Some of you might not know or remember that http is more than GET and POST. Some of you might brag about HEAD, PUT or DELETE. But there’s also an OPTIONS method in the http protocol. And just to be prepared for future sad surprises like the one I just had you should also note TRACE and CONNECT. You might wonder who uses them, but some day you might see that someone got the idea of putting them to hard work. So far dear old Mozilla has decided that we should remember the good old OPTIONS and got a very good idea of how to make it useful in Firefox 3.5.

To continue my story I began my little research on the web trying to find out more about the OPTIONS request method and particularly about why and how Firefox has decided to make use of it in 3.5. I soon discovered one of the great new features in Firefox 3.5: http access control. If you read the document describing it you will basically find that they use some headers in conjunction with the OPTIONS method in order to provide some kind of cross-site http access control. Apparently this functionality is already standardized (not just a Mozilla innovation).

Standardized as it is, it prevented my WordPress installation from working. The trouble is that Shiretoko sends an OPTIONS request together with Origin, Access-Control-Request-Method and Access-Control-Request-Headers headers. This is what they call a “preflighted request”. It expects in return the following headers: Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers. None of these is ever sent in my lighttpd’s response. Lighttpd just sends a 200 response with some common headers and it’s happy, thinking that everything should be all right since it is a 200 after all. Well, Mozilla decided that it wasn’t.

What’s even more interesting is how I got Firefox to make such a request. This “improvement” was for cross-site requests, remember? Why in the world would adding a category in WordPress be a cross-site request? Simply because I redirect my WordPress login page to https while I keep the “official” site url as http. So every page that has a relative path goes through https after the login, while other pages apparently have absolute paths with the configured url – which is http. The difference in protocol means for Shiretoko that this is a cross-site request even if it is the same domain (no subdomain used in any of the requests). This seems a little bit excessive to me; it seems more like a bug than a feature.
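To make the two previous paragraphs concrete, here is an added example (not code from the post, WordPress or lighttpd) that models both sides of the exchange: the origin comparison that turns an https page calling an http URL on the same host into a cross-site request, the preflight headers the browser then sends, and the response a server should give, answering only a known origin rather than a blanket allowance. The URLs, the allowlist and the header values are constructed for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Scheme, host and port: the triple a CORS-aware browser compares.
    A change in any one of them (here the http/https switch) makes the
    request cross-origin even though the host is identical."""
    p = urlsplit(url)
    port = p.port or DEFAULT_PORTS[p.scheme]
    base = f"{p.scheme}://{p.hostname}"
    return base if port == DEFAULT_PORTS[p.scheme] else f"{base}:{port}"

def preflight_request(page_url, target_url, method, extra_headers):
    """Headers Firefox 3.5 sends in the OPTIONS preflight, or None when
    page and target share an origin and no preflight is needed."""
    if origin_of(page_url) == origin_of(target_url):
        return None
    return {
        "Origin": origin_of(page_url),
        "Access-Control-Request-Method": method,
        "Access-Control-Request-Headers": ", ".join(extra_headers),
    }

# Constructed server policy: the one origin that should be allowed through.
ALLOWED_ORIGINS = {"https://example.com"}
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"x-requested-with", "content-type"}

def preflight_response(req_headers):
    """Server side: answer the preflight only for a listed origin and echo
    that origin back instead of '*', so the allowance stays scoped.
    Returning None stands for lighttpd's bare 200 with no Access-Control-*
    headers, which the browser treats as a refusal."""
    origin = req_headers.get("Origin")
    method = req_headers.get("Access-Control-Request-Method", "")
    raw = req_headers.get("Access-Control-Request-Headers", "")
    wanted = {h.strip().lower() for h in raw.split(",") if h.strip()}
    if (origin not in ALLOWED_ORIGINS or method not in ALLOWED_METHODS
            or not wanted <= ALLOWED_HEADERS):
        return None
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(wanted)),
        "Vary": "Origin",  # keep caches from serving one origin's answer to another
    }
```

Running `preflight_request("https://example.com/wp-login.php", "http://example.com/wp-admin/ajax-endpoint.php", "POST", ["X-Requested-With"])` (constructed URLs) returns a request with `Origin: https://example.com`, while the same call with both URLs on http returns None because no preflight is required.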

After I found the mystery behind all this I started wondering. I wonder if Apache would respond well to these requests. I didn’t have time to try and frankly I don’t really want to. I was very happy with lighttpd – it gives me the lite-ness that I desperately need. I wonder if they got rid of the absolute paths in a newer version of WordPress although I doubt it. I also wonder if we really need these new “features”.

This story reminded me of the days when Internet Explorer was making the law: they came up with any crazy idea they had overnight and put it in their browser. Then some MS fans quickly picked up the “feature” and used it on their website just because it was “the latest news” or “trendy” or just for some fluffy eye-candy-ness. The result was that the (very) few users that didn’t want to use Internet Explorer just couldn’t see that particular website properly. It seems to be a similar story here: we try to enable people with more functionality but in fact we disable what we already have. Standardized as it is, it just doesn’t seem right. It’s true that I don’t have the latest WordPress and it’s true that I don’t have the latest lighttpd, but they are both the latest versions from the latest stable branch of Debian. I don’t see why people with the latest version of Firefox shouldn’t be able to properly use my website. Debian is a very common distribution, WordPress is also a very common package and lighttpd is pretty common as well. Firefox used to be common too but it just started to feel too “elite” for me. Perhaps I should go back to the good old Opera – it has never let me down.
