Bug 1366390 (Closed)
OPTION response for CORS requests to REST should not allow X-Requested-With or Origin
Opened 7 years ago; closed 7 years ago
Product/Component: bugzilla.mozilla.org :: General (enhancement)
Status: RESOLVED INCOMPLETE
Reporter: dylan; Assigned: dylan
Attachments: 1 file
In bug 1098342 we allowed X-Requested-With because a dashboard wasn't working. There is no reason for a third-party thing to set that header, which can otherwise be used to check for same-origin requests. Also, we allow 'origin'... which is not actually possible.
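As an added illustration (not Bugzilla's code), the following shows a preflight handler that audits and tightens an allow-list like the one the description criticises; the allow-list and the header sets are constructed for this example.

```python
from typing import Iterable, List

# Request headers the browser sets itself; a script cannot set them, so
# naming them in Access-Control-Allow-Headers grants nothing (why the bug
# says allowing 'origin' "is not actually possible").
BROWSER_CONTROLLED = {"origin", "host", "referer", "cookie"}

# Headers whose presence signals a same-origin (or non-browser) caller.
# Listing them in the preflight response lets any third-party page send
# them and destroys that signal.
SAME_ORIGIN_SIGNALS = {"x-requested-with"}

# Constructed allow-list standing in for the permissive one the bug describes.
PERMISSIVE_ALLOW = ["X-Requested-With", "Origin", "Accept", "Content-Type"]


def _normalize(names: Iterable[str]) -> List[str]:
    """Trim and lower-case header names, drop empties, dedupe keeping order."""
    out: List[str] = []
    for name in names:
        n = name.strip().lower()
        if n and n not in out:
            out.append(n)
    return out


def audit_allow_list(allow: Iterable[str]) -> List[str]:
    """Findings for allow-list entries that should not be there."""
    findings = []
    for n in _normalize(allow):
        if n in BROWSER_CONTROLLED:
            findings.append(f"{n}: browser-controlled, entry is meaningless")
        elif n in SAME_ORIGIN_SIGNALS:
            findings.append(f"{n}: allowing it removes the same-origin signal")
    return findings


def harden(allow: Iterable[str]) -> List[str]:
    """The allow-list with browser-controlled and signal headers removed."""
    return [n for n in _normalize(allow)
            if n not in BROWSER_CONTROLLED and n not in SAME_ORIGIN_SIGNALS]


def preflight_allow_headers(requested: str, allow: Iterable[str]) -> List[str]:
    """Value of Access-Control-Allow-Headers for one preflight: only the
    headers named in Access-Control-Request-Headers that `allow` permits."""
    permitted = set(_normalize(allow))
    return [n for n in _normalize(requested.split(",")) if n in permitted]
```

With the hardened list a cross-origin page that tries to send X-Requested-With fails preflight, so a request carrying that header can again be treated as same-origin.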
Comment 1 (assignee) • 7 years ago
When using jQuery, it seems to me that the absence of X-Requested-With is no longer a problem... the request goes through without sending that header. Any comments? Is the dashboard that prompted this still around?
Flags: needinfo?(l10n)
Comment 3 • 7 years ago
Dylan, do you have further information for me why you needinfo me? I have about a dozen tools that may or may not be the thing here, and I'm not showing up in bug 1098342.
Flags: needinfo?(l10n)
Comment 4 (assignee) • 7 years ago
I mean bug 1098291, my apologies for the confusion.
No longer blocks: 1098342
Comment 5 • 7 years ago
Flagging myself for needinfo. I need to dig a little deeper, as at least one of my dashboards is broken right now, so I need to figure out what's wrong with them first.
Flags: needinfo?(l10n)
Comment 6 • 7 years ago
Found the dashboard that had those queries, and devtools don't show that I'm sending X-Requested-With, so removing that from the allowed headers should be fine now.
Flags: needinfo?(l10n)
Comment 7 • 7 years ago
Comment on attachment 8869588 [details] [review] PR r=dkl
Attachment #8869588 - Flags: review?(dkl) → review+
Comment 8 (assignee) • 7 years ago
Unfortunately the fallout from this is likely to be greater, so instead I'll just leave it be.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE