Bug 602482 - Update XHR forbidden headers to latest spec
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: DOM
Version: Trunk
Platform: All / All
Priority: -- Severity: normal (1 vote)
Target Milestone: mozilla2.0b8
Assigned To: Kyle Huey [:khuey] (khuey@mozilla.com)
Mentors:
Depends on:
Blocks:
Reported: 2010-10-07 06:25 PDT by m.cova
Modified: 2013-04-04 13:53 PDT
khuey: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
Tracking flags: blocking2.0: betaN+; 1.9.2 branch: needed, .13-fixed; 1.9.1 branch: needed, .16-fixed


Attachments
Update XHR forbidden headers to latest spec. (2.30 KB, patch)
2010-11-14 13:45 PST, Kyle Huey [:khuey] (khuey@mozilla.com)
jonas: review+
dveditz: approval1.9.2.13+
dveditz: approval1.9.1.16+

Description m.cova 2010-10-07 06:25:05 PDT
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

XMLHttpRequest allows dangerous request headers (such as Origin and Access-Control-Request-Method) to be set. This could be used to subvert security checks, under certain conditions.

Other browsers behavior (tested the setting of the Origin header, all on Mac OS X):
- Safari 5.0.2 disallows setting the Origin header
- Chrome 6.0.472.63 disallows setting the Origin header
Relevant WebKit changeset: http://trac.webkit.org/changeset/41547

Spec reference:
The XMLHttpRequest level 2 specification extends the list of forbidden headers to include, among others, Origin, Access-Control-Request-Headers, Access-Control-Request-Method.

It seems sensible to extend the list of forbidden headers in content/base/src/nsXMLHttpRequest.cpp:SetRequestHeader to match the list provided by the XMLHttpRequest level 2 specification.
Reproducible: Always
Comment 2 Boris Zbarsky [:bz] 2010-11-07 14:03:01 PST
Jonas, seems like we should fix this for 2.0.
Comment 3 Jonas Sicking (:sicking) PTO Until July 5th 2010-11-08 01:18:05 PST
Yup, we need to update this list to spec again.
Comment 4 Kyle Huey [:khuey] (khuey@mozilla.com) 2010-11-14 13:45:40 PST
Created attachment 490478 [details] [diff] [review]
Update XHR forbidden headers to latest spec.
Comment 5 Kyle Huey [:khuey] (khuey@mozilla.com) 2010-11-14 13:46:17 PST
Comment on attachment 490478 [details] [diff] [review]
Update XHR forbidden headers to latest spec.

I renamed the test too, because I like tests that have descriptive names.
Comment 6 Kyle Huey [:khuey] (khuey@mozilla.com) 2010-11-14 13:47:15 PST
We probably want to take this on stable branches too.
Comment 7 Kyle Huey [:khuey] (khuey@mozilla.com) 2010-11-15 04:14:39 PST
http://hg.mozilla.org/mozilla-central/rev/572b87ce4245
Comment 8 Kyle Huey [:khuey] (khuey@mozilla.com) 2010-11-15 04:42:11 PST
Comment on attachment 490478 [details] [diff] [review]
Update XHR forbidden headers to latest spec.

This applies cleanly to 1.9.2.  Didn't test 1.9.1 yet because I don't have a tree handy.
Comment 9 Daniel Veditz [:dveditz] 2010-11-15 10:19:28 PST
Comment on attachment 490478 [details] [diff] [review]
Update XHR forbidden headers to latest spec.

Approved for 1.9.2.13 and 1.9.1.16, a=dveditz for release-drivers

code-freeze for these releases is in 4 days (11/18).
