OPTION response for CORS requests to REST should not allow X-Requested-With or Origin

RESOLVED INCOMPLETE

People: Reporter: dylan, Assigned: dylan
Tracking: Production
Attachments: 1 attachment

(Assignee)

Description

a year ago
In bug 1098342 we allowed X-Requested-With because a dashboard wasn't working. There is no reason for a third-party thing to set that header,
which can otherwise be used to check for same-origin requests.

Also, we allow 'origin'... which is not actually possible.
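Added example (not code from the bug or from Bugzilla itself) that models the two points the description makes: a simplified browser preflight check, a server-side heuristic that treats `X-Requested-With: XMLHttpRequest` as evidence of a same-origin XMLHttpRequest, and an audit of an `Access-Control-Allow-Headers` value. The header lists `BEFORE` and `AFTER`, the forbidden-header subset and the function names are assumptions for illustration; the real browser algorithm also checks safelisted header values, which is omitted here.

```python
"""Why Access-Control-Allow-Headers should not list X-Requested-With or Origin.

Illustrative model, not Bugzilla's code and not a full implementation of the
Fetch specification.
"""
from typing import Dict, Iterable, List

# Subset of the Fetch "forbidden header names": page script can never set these,
# so listing them in Access-Control-Allow-Headers has no effect. (Assumed subset.)
FORBIDDEN_REQUEST_HEADERS = {"origin", "host", "cookie", "referer"}

# CORS-safelisted request header names; they do not need to be in the allow list.
# Simplification: real browsers also constrain their values (e.g. Content-Type).
CORS_SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}

# Constructed allow-list values modelled on the situation in the bug.
BEFORE = "Content-Type, X-Requested-With, Origin"
AFTER = "Content-Type"


def _split(header_value: str) -> List[str]:
    """Normalise a comma-separated header list to lower-case names."""
    return [h.strip().lower() for h in header_value.split(",") if h.strip()]


def preflight_allows(allow_headers: str, requested: Iterable[str]) -> bool:
    """Approximate the browser's preflight decision: every non-safelisted header
    the cross-origin script wants to send must appear in Allow-Headers."""
    allowed = set(_split(allow_headers))
    for name in requested:
        name = name.lower()
        if name in CORS_SAFELISTED:
            continue
        if name not in allowed:
            return False
    return True


def looks_like_same_origin_xhr(request_headers: Dict[str, str]) -> bool:
    """The server-side heuristic the description refers to: presence of
    X-Requested-With taken as a sign the request came from the site's own page."""
    return request_headers.get("x-requested-with", "").lower() == "xmlhttprequest"


def same_origin_heuristic_defeated(allow_headers: str) -> bool:
    """Would a page on another origin get X-Requested-With through the preflight,
    so that the heuristic above then accepts its request?"""
    if not preflight_allows(allow_headers, ["X-Requested-With"]):
        return False
    # Headers the browser would attach to the actual cross-origin request
    # (constructed; Origin is set by the browser, not the script).
    actual = {
        "x-requested-with": "XMLHttpRequest",
        "origin": "https://other.example",
    }
    return looks_like_same_origin_xhr(actual)


def audit_allow_headers(allow_headers: str) -> List[str]:
    """Report entries in an Access-Control-Allow-Headers value that weaken a
    same-origin heuristic or are dead because the browser never lets script set them."""
    findings = []
    for name in _split(allow_headers):
        if name == "x-requested-with":
            findings.append(f"{name}: lets cross-origin script pass the "
                            "X-Requested-With same-origin heuristic")
        elif name in FORBIDDEN_REQUEST_HEADERS:
            findings.append(f"{name}: forbidden request header, script cannot "
                            "set it, so this entry is dead")
    return findings


if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        print(label, "heuristic defeated:", same_origin_heuristic_defeated(value))
        for finding in audit_allow_headers(value):
            print("  -", finding)
```

With `BEFORE`, the audit flags both entries and the heuristic is defeated; with `AFTER`, the preflight refuses `X-Requested-With` and the heuristic holds again, which is the change the attached PR was meant to make.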
(Assignee)

Comment 1

a year ago
When using jquery, it seems to me that the absence of X-Requested-With is no longer a problem... the request goes through without sending that header. Any comments? Is the dashboard that prompted this still around?
Flags: needinfo?(l10n)
(Assignee)

Comment 2

a year ago
Created attachment 8869588 [details] [review]
PR

Trade you a review. ;)
Attachment #8869588 - Flags: review?(dkl)

Comment 3

a year ago
Dylan, do you have further information for me why you needinfo me? I have about a dozen tools that may or may not be the thing here, and I'm not showing up in bug 1098342
Flags: needinfo?(l10n)
(Assignee)

Comment 4

a year ago
I mean bug 1098291, my apologies for the confusion.
No longer blocks: 1098342

Comment 5

a year ago
Flagging myself for needinfo, I need to dig a little deeper, as at least one of my dashboards is broken right now, so I need to figure out what's wrong with them first.
Flags: needinfo?(l10n)

Comment 6

a year ago
Found the dashboard that had those queries, and devtools don't show that I'm sending X-Requested-With, so removing that from the allowed headers should be fine now.
Flags: needinfo?(l10n)

Comment 7

Comment on attachment 8869588 [details] [review]
PR

r=dkl
Attachment #8869588 - Flags: review?(dkl) → review+
(Assignee)

Comment 8

a year ago
Unfortunately the fallout from this is likely to be greater, so instead I'll just leave it be.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → INCOMPLETE