Update XHR forbidden headers to latest spec

RESOLVED FIXED in mozilla2.0b8

Core
DOM
RESOLVED FIXED
7 years ago
4 years ago

People

(Reporter: m.cova, Assigned: khuey)

Tracking

Trunk
mozilla2.0b8
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(blocking2.0 betaN+, blocking1.9.2 needed, status1.9.2 .13-fixed, blocking1.9.1 needed, status1.9.1 .16-fixed)

Details

Attachments

(1 attachment)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

XMLHttpRequest allows dangerous request headers (such as Origin and Access-Control-Request-Method) to be set. This could be used to subvert security checks, under certain conditions.

Other browsers' behavior (tested the setting of the Origin header, all on Mac OS X):
- Safari 5.0.2 disallows setting the Origin header
- Chrome 6.0.472.63 disallows setting the Origin header
Relevant WebKit changeset: http://trac.webkit.org/changeset/41547

Spec reference:
The XMLHttpRequest level 2 specification extends the list of forbidden headers to include, among others, Origin, Access-Control-Request-Headers, Access-Control-Request-Method.

It seems sensible to extend the list of forbidden headers in content/base/src/nsXMLHttpRequest.cpp:SetRequestHeader to match the list provided by the XMLHttpRequest level 2 specification.




Reproducible: Always
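
An added illustration of the check the description asks for (not code from nsXMLHttpRequest.cpp or the attached patch): a JavaScript model of the forbidden-header filter in setRequestHeader, showing the case-insensitive match and the silent drop. The header list is transcribed from the XMLHttpRequest Level 2 draft and should be confirmed against the spec link in comment 1; `RequestHeaderList` and `filterSample` are hypothetical names.

```javascript
// Added illustration; not Mozilla's implementation.
// Names transcribed from the XMLHttpRequest Level 2 draft's
// setRequestHeader() steps (assumption: confirm against the spec).
const FORBIDDEN_HEADERS = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length",
  "cookie", "cookie2", "content-transfer-encoding", "date", "expect",
  "host", "keep-alive", "origin", "referer", "te", "trailer",
  "transfer-encoding", "upgrade", "user-agent", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// HTTP header names are case-insensitive, so an exact-case comparison
// would let "oRiGiN" through. Compare on the lowercased name.
function isForbiddenHeader(name) {
  const lower = String(name).toLowerCase();
  return FORBIDDEN_HEADERS.has(lower) ||
    FORBIDDEN_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Hypothetical model of the author-supplied header list of one request.
class RequestHeaderList {
  constructor() { this.headers = new Map(); }

  // Returns true if stored, false if dropped. A forbidden name is
  // ignored without throwing, so page script cannot probe the list.
  set(name, value) {
    if (isForbiddenHeader(name)) return false;
    const key = name.toLowerCase();
    const prev = this.headers.get(key);
    // Repeated calls append to the existing value.
    this.headers.set(key, prev === undefined ? value : prev + ", " + value);
    return true;
  }
}

// Constructed sample of headers a page script might try to set.
function filterSample() {
  const list = new RequestHeaderList();
  const attempts = [
    ["X-Requested-With", "XMLHttpRequest"],
    ["oRiGiN", "https://trusted.example"],
    ["Access-Control-Request-Method", "DELETE"],
    ["Sec-Example", "1"],
    ["Proxy-Authorization", "Basic placeholder"],
  ];
  const dropped = attempts.filter(([n, v]) => !list.set(n, v)).map(([n]) => n);
  return { sent: [...list.headers.keys()], dropped };
}
```
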
(Reporter)

Updated

7 years ago
See Also: → bug 302263

Comment 1

7 years ago
http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsXMLHttpRequest.cpp#2765
http://www.w3.org/TR/XMLHttpRequest2/#the-setrequestheader-method
Status: UNCONFIRMED → NEW
Component: Security → DOM: Mozilla Extensions
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → general
Version: unspecified → Trunk
Jonas, seems like we should fix this for 2.0.
blocking2.0: --- → ?
Yup, we need to update this list to spec again.
blocking2.0: ? → betaN+
Assignee: nobody → khuey
Created attachment 490478
Update XHR forbidden headers to latest spec.
Comment on attachment 490478
Update XHR forbidden headers to latest spec.

I renamed the test too, because I like tests that have descriptive names.
Attachment #490478 - Flags: review?(jonas)
We probably want to take this on stable branches too.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: --- → ?
status1.9.2: --- → ?
OS: Mac OS X → All
Hardware: x86 → All
Attachment #490478 - Flags: review?(jonas) → review+
http://hg.mozilla.org/mozilla-central/rev/572b87ce4245
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b8
Comment on attachment 490478
Update XHR forbidden headers to latest spec.

This applies cleanly to 1.9.2.  Didn't test 1.9.1 yet because I don't have a tree handy.
Attachment #490478 - Flags: approval1.9.2.13?
Attachment #490478 - Flags: approval1.9.1.16?
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed
status1.9.1: ? → wanted
status1.9.2: ? → wanted
Comment on attachment 490478
Update XHR forbidden headers to latest spec.

Approved for 1.9.2.13 and 1.9.1.16, a=dveditz for release-drivers

Code-freeze for these releases is in 4 days (11/18).
Attachment #490478 - Flags: approval1.9.2.13?
Attachment #490478 - Flags: approval1.9.2.13+
Attachment #490478 - Flags: approval1.9.1.16?
Attachment #490478 - Flags: approval1.9.1.16+
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/c185620e1dd7
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/5b998a2bfcc3
status1.9.1: wanted → .16-fixed
status1.9.2: wanted → .13-fixed
Summary: XMLHttpRequest allows the Origin header to be set → Update XHR forbidden headers to latest spec
Component: DOM: Mozilla Extensions → DOM
Product: Core → Core