Closed
Bug 1503517
Opened 7 years ago
Closed 7 years ago
0x0C is not whitespace for X-Content-Type-Options
Categories
(Core :: DOM: Networking, defect, P2)
Core
DOM: Networking
Tracking
()
RESOLVED
FIXED
mozilla65
| Tracking | Status | |
|---|---|---|
| firefox65 | --- | fixed |
People
(Reporter: annevk, Assigned: bagder)
References
Details
(Whiteboard: [necko-triaged] )
Attachments
(1 file)
See https://github.com/web-platform-tests/wpt/pull/13559 for tests and https://github.com/whatwg/fetch/pull/818 for the new parser definition.
|
Reporter | |
Comment 1•7 years ago
|
||
(In general 0x0C shouldn't be considered whitespace when parsing HTTP header values. Not sure yet to what extent this problem is widespread.)
|
||
Comment 2•7 years ago
|
||
Dragana -- can you have a look and let me know what priority you think this is? Should we tackle this soon, or next quarter?
Flags: needinfo?(dd.mozilla)
|
|
||
Updated•7 years ago
|
Whiteboard: [necko-triaged]
|
Assignee | |
Comment 3•7 years ago
|
||
Maybe just converting them to space before stripping them?
diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
index f0c86a3ab00e..8a86f1a1ebcd 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -1471,10 +1471,11 @@ ProcessXCTO(nsIURI* aURI, nsHttpResponseHead* aResponseHead, nsILoadInfo* aLoadI
if (idx > 0) {
contentTypeOptionsHeader = Substring(contentTypeOptionsHeader, 0, idx);
}
// b) let's trim all surrounding whitespace
// e.g. " NoSniFF " -> "NoSniFF"
+ contentTypeOptionsHeader.ReplaceChar('\x0c', ' ');
contentTypeOptionsHeader.StripWhitespace();
// c) let's compare the header (ignoring case)
// e.g. "NoSniFF" -> "nosniff"
// if it's not 'nosniff' then there is nothing to do here
if (!contentTypeOptionsHeader.EqualsIgnoreCase("nosniff")) {
|
|
Assignee | |
Comment 4•7 years ago
|
||
I chatted with :annevk on IRC and I had the logic turned the wrong way. StripWhitespace() strips too much. Here's a take instead uses TrimHTTPWhitespace(). I have not tested this, only verified that it builds!
diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
index 8877037af95a..7414c97435e7 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -1481,11 +1481,11 @@ ProcessXCTO(nsIURI* aURI, nsHttpResponseHead* aResponseHead, nsILoadInfo* aLoadI
if (idx > 0) {
contentTypeOptionsHeader = Substring(contentTypeOptionsHeader, 0, idx);
}
// b) let's trim all surrounding whitespace
// e.g. " NoSniFF " -> "NoSniFF"
- contentTypeOptionsHeader.StripWhitespace();
+ nsHttp::TrimHTTPWhitespace(contentTypeOptionsHeader, contentTypeOptionsHeader);
// c) let's compare the header (ignoring case)
// e.g. "NoSniFF" -> "nosniff"
// if it's not 'nosniff' then there is nothing to do here
if (!contentTypeOptionsHeader.EqualsIgnoreCase("nosniff")) {
// since we are getting here, the XCTO header was sent;
|
|
||
Comment 5•7 years ago
|
||
Sounds like we have a volunteer.
Assignee: nobody → daniel
Whiteboard: [necko-triaged] → [necko-triaged]
|
|
||
Updated•7 years ago
|
Priority: -- → P2
|
|
Assignee | |
Comment 6•7 years ago
|
||
The nsCSstring's StripWhitespace() method is not very HTTP "friendly".
Pushed by daniel@haxx.se:
https://hg.mozilla.org/integration/autoland/rev/c9f524cff7df
do not strip 0x0c from X-Content-Type-Options header fields r=dragana
|
|
||
Comment 8•7 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox65:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
|
||
Updated•7 years ago
|
Flags: needinfo?(dd.mozilla)
You need to log in
before you can comment on or make changes to this bug.
Description
•