Closed Bug 602482 Opened 14 years ago Closed 14 years ago
Update XHR forbidden headers to latest spec
Categories: Core :: DOM: Core & HTML, defect
Tracking: RESOLVED FIXED, mozilla2.0b8
People: Reporter: m.cova, Assigned: khuey
Attachments (1 file): patch, 2.30 KB; sicking: review+; dveditz: approval1.9.2.13+; dveditz: approval1.9.1.16+
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

XMLHttpRequest allows dangerous request headers (such as Origin and Access-Control-Request-Method) to be set. This could be used to subvert security checks, under certain conditions.

Other browsers' behavior (tested the setting of the Origin header, all on Mac OS X):
- Safari 5.0.2 disallows setting the Origin header
- Chrome 6.0.472.63 disallows setting the Origin header

Relevant WebKit changeset: http://trac.webkit.org/changeset/41547

Spec reference: The XMLHttpRequest level 2 specification extends the list of forbidden headers to include, among others, Origin, Access-Control-Request-Headers, Access-Control-Request-Method.

It seems sensible to extend the list of forbidden headers in content/base/src/nsXMLHttpRequest.cpp:SetRequestHeader to match the list provided by the XMLHttpRequest level 2 specification.

Reproducible: Always
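To make the spec rule concrete, here is an added example (not the Mozilla patch, and not code from this bug) modelling the forbidden-header check that XHR2's setRequestHeader() requires: names are compared case-insensitively, the Proxy- and Sec- prefixes are refused as a class, a forbidden header is dropped without throwing, and repeated allowed headers are combined. The header list is the XMLHttpRequest Level 2 draft list as I recall it from that time; later Fetch-based revisions have changed it, so treat the exact set as an assumption.

```javascript
// Added example (not Mozilla's code): a minimal model of the XHR2
// setRequestHeader() forbidden-header rule. The list below is assumed to be
// the XMLHttpRequest Level 2 draft list referenced in the bug; newer specs
// differ. Names are compared case-insensitively, so "origin", "Origin" and
// "ORIGIN" are all refused, as is anything starting with "Proxy-" or "Sec-".
const FORBIDDEN_REQUEST_HEADERS = new Set([
  "accept-charset", "accept-encoding",
  "access-control-request-headers", "access-control-request-method",
  "connection", "content-length", "cookie", "cookie2",
  "content-transfer-encoding", "date", "expect", "host", "keep-alive",
  "origin", "referer", "te", "trailer", "transfer-encoding", "upgrade",
  "user-agent", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// RFC 2616 "token": no control characters and no separators.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isForbiddenRequestHeader(name) {
  const lower = String(name).toLowerCase();
  if (FORBIDDEN_REQUEST_HEADERS.has(lower)) return true;
  return FORBIDDEN_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Model of the author-request-header list an XHR object keeps until send().
class RequestHeaders {
  constructor() { this.map = new Map(); }

  // Returns true if the header was recorded, false if it was silently
  // dropped because it is forbidden (XHR2 terminates the steps, no error).
  // A syntactically invalid name raises SyntaxError, as the spec requires.
  setRequestHeader(name, value) {
    if (!TOKEN_RE.test(String(name))) throw new SyntaxError("invalid header name");
    if (isForbiddenRequestHeader(name)) return false;
    const key = String(name).toLowerCase();
    const prev = this.map.get(key);
    // Repeated allowed headers are merged into one comma-separated value.
    this.map.set(key, prev === undefined ? String(value) : `${prev}, ${value}`);
    return true;
  }

  get(name) { return this.map.get(String(name).toLowerCase()); }
}
```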
Comment 1•14 years ago
http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsXMLHttpRequest.cpp#2765
http://www.w3.org/TR/XMLHttpRequest2/#the-setrequestheader-method
Status: UNCONFIRMED → NEW
Component: Security → DOM: Mozilla Extensions
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → general
Version: unspecified → Trunk
Comment 2•14 years ago
Jonas, seems like we should fix this for 2.0.
Updated•14 years ago
blocking2.0: --- → ?
Yup, we need to update this list to spec again.
blocking2.0: ? → betaN+
Updated•14 years ago
Assignee: nobody → khuey
Comment 4•14 years ago
Comment 5•14 years ago
Comment on attachment 490478 [details] [diff] [review] Update XHR forbidden headers to latest spec. I renamed the test too, because I like tests that have descriptive names.
Attachment #490478 - Flags: review?(jonas)
Comment 6•14 years ago
We probably want to take this on stable branches too.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: --- → ?
status1.9.2: --- → ?
OS: Mac OS X → All
Hardware: x86 → All
Attachment #490478 - Flags: review?(jonas) → review+
Comment 7•14 years ago
http://hg.mozilla.org/mozilla-central/rev/572b87ce4245
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b8
Comment 8•14 years ago
Comment on attachment 490478 [details] [diff] [review] Update XHR forbidden headers to latest spec. This applies cleanly to 1.9.2. Didn't test 1.9.1 yet because I don't have a tree handy.
Attachment #490478 - Flags: approval1.9.2.13?
Attachment #490478 - Flags: approval1.9.1.16?
Updated•14 years ago
Comment 9•14 years ago
Comment on attachment 490478 [details] [diff] [review] Update XHR forbidden headers to latest spec. Approved for 1.9.2.13 and 1.9.1.16, a=dveditz for release-drivers. Code-freeze for these releases is in 4 days (11/18).
Attachment #490478 - Flags: approval1.9.2.13? → approval1.9.2.13+
Attachment #490478 - Flags: approval1.9.1.16? → approval1.9.1.16+
Comment 10•14 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/c185620e1dd7
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/5b998a2bfcc3
Updated•14 years ago
Summary: XMLHttpRequest allows the Origin header to be set → Update XHR forbidden headers to latest spec
Updated•11 years ago
Component: DOM: Mozilla Extensions → DOM
Updated•5 years ago
Component: DOM → DOM: Core & HTML