Closed
Bug 1503517
Opened 6 years ago
Closed 6 years ago
0x0C is not whitespace for X-Content-Type-Options
Categories
(Core :: DOM: Networking, defect, P2)
Core
DOM: Networking
Tracking
()
RESOLVED
FIXED
mozilla65
Tracking | Status | |
---|---|---|
firefox65 | --- | fixed |
People
(Reporter: annevk, Assigned: bagder)
References
Details
(Whiteboard: [necko-triaged] )
Attachments
(1 file)
See https://github.com/web-platform-tests/wpt/pull/13559 for tests and https://github.com/whatwg/fetch/pull/818 for the new parser definition.
Reporter | ||
Comment 1•6 years ago
|
||
(In general 0x0C shouldn't be considered whitespace when parsing HTTP header values. Not sure yet to what extent this problem is widespread.)
Comment 2•6 years ago
|
||
Dragana -- can you have a look and let me know what priority you think this is? Should we tackle this soon, or next quarter?
Flags: needinfo?(dd.mozilla)
Updated•6 years ago
|
Whiteboard: [necko-triaged]
Assignee | ||
Comment 3•6 years ago
|
||
Maybe just converting them to space before stripping them? diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp index f0c86a3ab00e..8a86f1a1ebcd 100644 --- a/netwerk/protocol/http/nsHttpChannel.cpp +++ b/netwerk/protocol/http/nsHttpChannel.cpp @@ -1471,10 +1471,11 @@ ProcessXCTO(nsIURI* aURI, nsHttpResponseHead* aResponseHead, nsILoadInfo* aLoadI if (idx > 0) { contentTypeOptionsHeader = Substring(contentTypeOptionsHeader, 0, idx); } // b) let's trim all surrounding whitespace // e.g. " NoSniFF " -> "NoSniFF" + contentTypeOptionsHeader.ReplaceChar('\x0c', ' '); contentTypeOptionsHeader.StripWhitespace(); // c) let's compare the header (ignoring case) // e.g. "NoSniFF" -> "nosniff" // if it's not 'nosniff' then there is nothing to do here if (!contentTypeOptionsHeader.EqualsIgnoreCase("nosniff")) {
Assignee | ||
Comment 4•6 years ago
|
||
I chatted with :annevk on IRC and I had the logic turned the wrong way. StripWhitespace() strips too much. Here's a take instead uses TrimHTTPWhitespace(). I have not tested this, only verified that it builds! diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp index 8877037af95a..7414c97435e7 100644 --- a/netwerk/protocol/http/nsHttpChannel.cpp +++ b/netwerk/protocol/http/nsHttpChannel.cpp @@ -1481,11 +1481,11 @@ ProcessXCTO(nsIURI* aURI, nsHttpResponseHead* aResponseHead, nsILoadInfo* aLoadI if (idx > 0) { contentTypeOptionsHeader = Substring(contentTypeOptionsHeader, 0, idx); } // b) let's trim all surrounding whitespace // e.g. " NoSniFF " -> "NoSniFF" - contentTypeOptionsHeader.StripWhitespace(); + nsHttp::TrimHTTPWhitespace(contentTypeOptionsHeader, contentTypeOptionsHeader); // c) let's compare the header (ignoring case) // e.g. "NoSniFF" -> "nosniff" // if it's not 'nosniff' then there is nothing to do here if (!contentTypeOptionsHeader.EqualsIgnoreCase("nosniff")) { // since we are getting here, the XCTO header was sent;
Comment 5•6 years ago
|
||
Sounds like we have a volunteer.
Assignee: nobody → daniel
Whiteboard: [necko-triaged] → [necko-triaged]
Updated•6 years ago
|
Priority: -- → P2
Assignee | ||
Comment 6•6 years ago
|
||
The nsCSstring's StripWhitespace() method is not very HTTP "friendly".
Pushed by daniel@haxx.se: https://hg.mozilla.org/integration/autoland/rev/c9f524cff7df do not strip 0x0c from X-Content-Type-Options header fields r=dragana
Comment 8•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/c9f524cff7df
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox65:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Updated•6 years ago
|
Flags: needinfo?(dd.mozilla)
You need to log in
before you can comment on or make changes to this bug.
Description
•