Closed Bug 1632045 Opened 3 years ago Closed 3 years ago

Content-Type and related headers not stripped for certain redirects when using XMLHttpRequest

Categories

(Core :: DOM: Networking, defect, P2)

RESOLVED FIXED
mozilla78
Tracking Status
firefox78 --- fixed

People

(Reporter: annevk, Assigned: CuveeHsu)

Details

(Whiteboard: [necko-triaged])

Attachments

(1 file)

Bug 1530230 apparently only addressed this for the fetch API, rather than fetch in general.

https://github.com/web-platform-tests/wpt/pull/23164 has a couple of very basic tests. It might be worth it to write more.

This might also be a problem for sendBeacon(); I haven't looked into it deeply.

Flags: needinfo?(juhsu)
Assignee: nobody → juhsu
Flags: needinfo?(juhsu)
Priority: -- → P2
Whiteboard: [necko-triaged]

We failed in:

XMLHttpRequest: send() - Redirect to CORS-enabled resource (303 FOO with string and explicit Content-Type safelisted)	
assert_equals: expected "NO" but got "application/x-pony"
XMLHttpRequest: send() - Redirect to CORS-enabled resource (301 POST with string and explicit Content-Type safelisted)
assert_equals: expected "NO" but got "application/x-pony"

XHR copies the headers in mAuthorRequestHeaders.ApplyToChannel in XMLHttpRequestMainThread::OnRedirectVerifyCallback.
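
The redirect rule the two failing tests exercise, as an added example that is not part of the bug thread or of Gecko's patch: it follows the Fetch Standard's redirect step, where a 301/302 on POST or a 303 on anything other than GET/HEAD becomes a bodiless GET and the body-describing headers are dropped. The function names, the sample request and the X-Custom header are constructed for illustration.

```javascript
// Added illustration; names are hypothetical and this is not Gecko's code.
// Body-describing headers the Fetch Standard removes when a redirect
// rewrites the request to GET ("Content-Type and related headers").
const REQUEST_BODY_HEADERS = [
  "content-encoding", "content-language", "content-location", "content-type",
];

// Assumes the method is already normalized (e.g. "POST", not "post").
function rewritesToGet(status, method) {
  return ((status === 301 || status === 302) && method === "POST") ||
         (status === 303 && method !== "GET" && method !== "HEAD");
}

// Returns the request that follows the redirect, leaving the input untouched.
function applyRedirect(request, status) {
  const headers = new Map();
  for (const [name, value] of request.headers) headers.set(name.toLowerCase(), value);
  const next = { method: request.method, body: request.body, headers };
  if (rewritesToGet(status, request.method)) {
    next.method = "GET";
    next.body = null;
    for (const name of REQUEST_BODY_HEADERS) headers.delete(name);
  }
  return next;
}

// Content-Type the redirect target would see, or "NO" when it is absent,
// matching the value the quoted assertions expect.
function observedContentType(request, status) {
  return applyRedirect(request, status).headers.get("content-type") ?? "NO";
}

// Constructed sample request modelled on the quoted test names.
function sampleRequest(method) {
  return {
    method,
    body: "data",
    headers: new Map([["Content-Type", "application/x-pony"], ["X-Custom", "1"]]),
  };
}

for (const [status, method] of [[303, "FOO"], [301, "POST"], [307, "POST"], [301, "FOO"]]) {
  console.log(status, method, "->", observedContentType(sampleRequest(method), status));
}
```

A 307 keeps the method, body and Content-Type, and unrelated headers such as X-Custom survive every case.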

Note that I ended up creating a follow-up PR at https://github.com/web-platform-tests/wpt/pull/23176 which still has some outstanding feedback. There might be a couple more issues here.

Ideally XHR would reuse the fetch() infrastructure and not duplicate it.

https://github.com/web-platform-tests/wpt/pull/23176 fails for a different reason; I'd like to file another follow-up bug after this has landed.

As for duplication, in the patch I still duplicate some of the code; we might end up using https://searchfox.org/mozilla-central/source/netwerk/protocol/http/HttpBaseChannel.cpp#3077 but we need to do additional parsing.

Not sure how bug 1449613 goes; I'd rather not think too much about a small piece of duplication.

Pushed by juhsu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/76e237315011
strip Content-Type and related headers for POST->GET XHR, r=valentin
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78