1366390 - OPTION response for CORS requests to REST should not allow X-Requested-With or Origin

Status: RESOLVED INCOMPLETE

(bugzilla.mozilla.org :: General, enhancement)

Description

[Dylan Hardison [:dylan] (he/him)]

In bug 1098342 we allowed X-Requested-With because a dashboard wasn't working. There is no reason for a third-party thing to set that header,
which can otherwise be used to check for same-origin requests.

Also, we allow 'origin'... which is not actually possible.

Comment 1

[Dylan Hardison [:dylan] (he/him)]

When using jquery, it seems to me that the absense of X-Requested-With is no longer a problem... the request goes through without sending that header. Any comments? Is the dashboard that prompted this still around?

Comment 2

[Dylan Hardison [:dylan] (he/him)]

Attachment: PR

Trade you a review. ;)

Comment 3

[Axel Hecht [:Pike]]

Dylan, do you have further information for me why you needinfo me? I have about a dozen tools that may or may not be the thing here, and I'm not showing up in bug 1098342

Comment 4

[Dylan Hardison [:dylan] (he/him)]

I mean bug 1098291, my apologies for the confusion.

Comment 5

[Axel Hecht [:Pike]]

Flagging myself for needinfo, I need to dig a little deeper, as at least one of my dashboards is broken right now, so I need to figure out what's wrong with them first.

Comment 6

[Axel Hecht [:Pike]]

Found the dashboard that had those queries, and devtools don't show that I'm sending X-Requested-With, so removing that from the allowed headers should be fine now.

Comment 7

[David Lawrence [:dkl]]

Comment on attachment 8869588 [details] [review]
PR

r=dkl

Comment 8

[Dylan Hardison [:dylan] (he/him)]

Unfortunately the fallout from this is likely to be greater, so instead I'll just leave it be.