Closed Bug 582468 Opened 14 years ago Closed 2 years ago

HTTP_ACCEPT is not constant

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: mozilla_bugs, Unassigned)

Details

User-Agent:       Opera/9.80 (X11; Linux i686; U; en) Presto/2.6.30 Version/10.60
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.6) Gecko/20100628 Ubuntu/10.04 (lucid) Firefox/3.6.6

When accessing an html document, my HTTP_ACCEPT is set to "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", however when accessing a JavaScript file that has been included in the <head> section of that same page, the HTTP_ACCEPT used when accessing the JS changes to *.*

Reproducible: Always

Steps to Reproduce:
1.On a PHP enabled server, create an HTML document with the following tag in the <head> section:
<script src="js.php" type="text/javascript"></script>

2.Create js.php with the following contents:
<?php echo 'alert("'.$_SERVER['HTTP_ACCEPT'].'");'; ?>

3.Go to js.php directly and notice that HTTP_ACCEPT is displayed correctly in the source code

4.Go to your HTML file and notice that *.* is alerted


Expected Results:  
HTTP_ACCEPT should not change depending on the mime-type or content-type, but should always remain constant.
Can you post an example webpage to test this?
Sure: http://www.adventure-inn.com/mozilla/http_accept.php

The source for http_accept.php is:

<?php echo "<?"; ?>xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
      <title>HTTP_ACCEPT test</title>
		<script src="http_accept_js.php" type="text/javascript"></script>
   </head>
   <body>
	<p>Your HTTP_ACCEPT for HTML files is: <?php echo $_SERVER['HTTP_ACCEPT']; ?></p>
   </body>
</html>


and http_accept_js.php is:

document.write ("<p>Your HTTP_ACCEPT for JS files is: <?php echo $_SERVER['HTTP_ACCEPT']; ?></p>");


Results:

In Opera 11.01:
Your HTTP_ACCEPT for JS files is: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Your HTTP_ACCEPT for HTML files is: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1

In Firefox 3.6.14:
Your HTTP_ACCEPT for JS files is: */*
Your HTTP_ACCEPT for HTML files is: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

This generally is not a problem, however for an application I am developing, I decided to implement some session hijack detection and besides the general IP change detection, one of the things I tried verifying didn't change was the HTTP_ACCEPT, which worked well with Opera, but when testing in Firefox, it was constantly throwing errors since HTTP_ACCEPT was not constant.

According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Content_negotiation/List_of_default_Accept_values all browser now use . fo script files so this can be closed.

All browsers use different values for different types of content at this point, including for images, stylesheets, videos, etc. - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Content_negotiation/List_of_default_Accept_values . This is expected.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Component: Preferences → Networking: HTTP
Product: Firefox → Core
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.