Closed
Bug 1608391
Opened 6 years ago
Closed 3 years ago
Origin header is not sent from file protocol for POST requests
Categories
(Core :: DOM: Security, defect, P3)
RESOLVED
DUPLICATE
of bug 1605305
People
(Reporter: jakub.g.opensource, Unassigned)
Details
(Whiteboard: [domsecurity-backlog1])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Steps to reproduce:
- Save the following on disk as an .html file and open it in the browser via the file protocol.
<form method=post action=https://www.example.com>
<input type=submit>
</form>
- Open devtools. Click the submit button.
Actual results:
The request is sent without Origin header.
Expected results:
AFAIU the spec (https://fetch.spec.whatwg.org/#origin-header), the request should have had Origin: null (this is the case when I test with Chrome).
(For context, the feature of sending the Origin header was activated in Firefox 70 via bug 1424076.)
Updated•6 years ago
Component: Security → DOM: Security
Product: Firefox → Core
Comment 2•6 years ago
This may affect more than file:// (needs investigation). I doubt we have any special-case for file: in the Origin header, more likely we get this wrong in other cases where we should send Origin: null (extension pages? data: url frames? sandboxed frames?)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Updated•6 years ago
Severity: normal → S3
Updated•3 years ago
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
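A local listener for repeating the steps to reproduce from other contexts that should send Origin: null (added example, not part of the bug report or of Firefox): point the test form's action at http://127.0.0.1:8080/ and it reports whether the Origin header was absent, the literal null, or a tuple origin. The port, the `--listen` switch and the function names are assumptions of this sketch.

```javascript
// Added example: classify how the Origin header arrives on a request.
// `headers` uses lower-cased names, as Node's http module provides them.
function classifyOrigin(headers) {
  const value = headers['origin'];
  // Case reported in this bug: no Origin header at all.
  if (value === undefined) return { kind: 'absent', value: null };
  // Opaque origins serialize to the literal string "null".
  if (value === 'null') return { kind: 'opaque', value };
  // A serialized tuple origin is scheme://host[:port] with no path, query or fragment.
  if (/^[a-z][a-z0-9+.-]*:\/\/[^\/?#\s]+$/i.test(value)) {
    return { kind: 'tuple', value };
  }
  return { kind: 'malformed', value };
}

// One log line per request, e.g. "POST origin=opaque (null)".
function describe(method, headers) {
  const { kind, value } = classifyOrigin(headers);
  return `${method} origin=${kind}` + (value === null ? '' : ` (${value})`);
}

// Constructed header sets mirroring the report: Firefox 72 sent nothing,
// Chrome sent "Origin: null"; the third is an ordinary https page.
const SAMPLES = [
  { label: 'file: page, no header', headers: {} },
  { label: 'file: page, Origin: null', headers: { origin: 'null' } },
  { label: 'https page', headers: { origin: 'https://www.example.com' } },
];

function describeSamples() {
  return SAMPLES.map((s) => `${s.label}: ${describe('POST', s.headers)}`);
}

// Start the listener only when asked: node origin-probe.js --listen
if (process.argv.includes('--listen')) {
  import('node:http').then(({ default: http }) => {
    http.createServer((req, res) => {
      const line = describe(req.method, req.headers);
      console.log(line);
      res.writeHead(200, { 'Content-Type': 'text/plain' });
      res.end(line + '\n');
    }).listen(8080, '127.0.0.1');
  });
} else {
  describeSamples().forEach((l) => console.log(l));
}
```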