Closed Bug 602482 Opened 14 years ago Closed 14 years ago

Update XHR forbidden headers to latest spec

Product/Component: Core :: DOM: Core & HTML
Type: defect; Priority: Not set; Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla2.0b8
Tracking: blocking2.0 betaN+; blocking1.9.2 needed; status1.9.2 .13-fixed; blocking1.9.1 needed; status1.9.1 .16-fixed
Reporter: m.cova; Assignee: khuey
Attachments: 1 file

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

XMLHttpRequest allows dangerous request headers (such as Origin and Access-Control-Request-Method) to be set. This could be used to subvert security checks, under certain conditions.

Other browsers' behavior (tested the setting of the Origin header, all on Mac OS X):
- Safari 5.0.2 disallows setting the Origin header
- Chrome 6.0.472.63 disallows setting the Origin header
Relevant WebKit changeset: http://trac.webkit.org/changeset/41547

Spec reference:
The XMLHttpRequest level 2 specification extends the list of forbidden headers to include, among others, Origin, Access-Control-Request-Headers, Access-Control-Request-Method.

It seems sensible to extend the list of forbidden headers in content/base/src/nsXMLHttpRequest.cpp:SetRequestHeader to match the list provided by the XMLHttpRequest level 2 specification.

Reproducible: Always
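For reference, a model of the check the report asks for, as an added example written for this page rather than code from the Gecko patch: a case-insensitive forbidden-header test over the XMLHttpRequest Level 2 list and its Proxy-/Sec- prefix rule, with the list transcribed from the 2010 draft as an assumption (it still included User-Agent), plus the token validation and header-combining steps the same draft specifies.

```javascript
// Added example for this bug, not code from the Gecko patch: a model of
// the forbidden-header check XMLHttpRequest.setRequestHeader() performs
// under XMLHttpRequest Level 2. HTTP header names are case-insensitive,
// so the comparison must be too; an exact-case list would reject
// "Origin" but let "origin" through.

// Transcribed from the XHR2 working draft this bug cites (assumption:
// the 2010 list, which still included User-Agent).
const FORBIDDEN_HEADERS = new Set([
  'accept-charset', 'accept-encoding',
  'access-control-request-headers', 'access-control-request-method',
  'connection', 'content-length', 'content-transfer-encoding',
  'cookie', 'cookie2', 'date', 'expect', 'host', 'keep-alive',
  'origin', 'referer', 'te', 'trailer', 'transfer-encoding',
  'upgrade', 'user-agent', 'via',
]);

// Any name starting with one of these (case-insensitively) is also
// reserved for the user agent, including the bare prefix itself.
const FORBIDDEN_PREFIXES = ['proxy-', 'sec-'];

// RFC 2616 token: header names must match this before any other check.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isValidHeaderName(name) {
  return typeof name === 'string' && TOKEN.test(name);
}

// True when page script must not be allowed to set this header.
function isForbiddenRequestHeader(name) {
  const lower = name.toLowerCase();
  if (FORBIDDEN_HEADERS.has(lower)) return true;
  return FORBIDDEN_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Stand-in for the request's author headers. Per XHR2: a malformed name
// throws, a forbidden name is silently dropped (the steps terminate),
// and a repeated name is combined with ", ".
class AuthorHeaders {
  constructor() { this.map = new Map(); }
  set(name, value) {
    if (!isValidHeaderName(name)) throw new SyntaxError('bad header name');
    if (isForbiddenRequestHeader(name)) return false;
    const key = name.toLowerCase();
    const prev = this.map.get(key);
    this.map.set(key, prev === undefined ? value : `${prev}, ${value}`);
    return true;
  }
  get(name) { return this.map.get(name.toLowerCase()); }
}
```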
See Also: → 302263
http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsXMLHttpRequest.cpp#2765
http://www.w3.org/TR/XMLHttpRequest2/#the-setrequestheader-method
Status: UNCONFIRMED → NEW
Component: Security → DOM: Mozilla Extensions
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → general
Version: unspecified → Trunk
Jonas, seems like we should fix this for 2.0.
blocking2.0: --- → ?
Yup, we need to update this list to spec again.
blocking2.0: ? → betaN+
Assignee: nobody → khuey
Comment on attachment 490478 [details] [diff] [review]
Update XHR forbidden headers to latest spec.

I renamed the test too, because I like tests that have descriptive names.
Attachment #490478 - Flags: review?(jonas)
We probably want to take this on stable branches too.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: --- → ?
status1.9.2: --- → ?
OS: Mac OS X → All
Hardware: x86 → All
http://hg.mozilla.org/mozilla-central/rev/572b87ce4245
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b8
Comment on attachment 490478 [details] [diff] [review]
Update XHR forbidden headers to latest spec.

This applies cleanly to 1.9.2.  Didn't test 1.9.1 yet because I don't have a tree handy.
Attachment #490478 - Flags: approval1.9.2.13?
Attachment #490478 - Flags: approval1.9.1.16?
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed
Comment on attachment 490478 [details] [diff] [review]
Update XHR forbidden headers to latest spec.

Approved for 1.9.2.13 and 1.9.1.16, a=dveditz for release-drivers

Code-freeze for these releases is in 4 days (11/18).
Attachment #490478 - Flags: approval1.9.2.13?
Attachment #490478 - Flags: approval1.9.2.13+
Attachment #490478 - Flags: approval1.9.1.16?
Attachment #490478 - Flags: approval1.9.1.16+
Summary: XMLHttpRequest allows the Origin header to be set → Update XHR forbidden headers to latest spec
Component: DOM: Mozilla Extensions → DOM
Component: DOM → DOM: Core & HTML