| Summary: | Investigate disallowing some XMLHttpRequest headers from being set via setRequestHeader | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Alexey Proskuryakov <ap> |
| Component: | XML | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | alice.barraclough, bugs-webkit, ian |
| Priority: | P2 | Keywords: | InRadar |
| Version: | 420+ | | |
| Hardware: | Mac | | |
| OS: | OS X 10.4 | | |

Description
Alexey Proskuryakov
2005-12-22 23:12:19 PST
I don't necessarily agree that we should add the prohibition to the cross-platform layer. But it is indeed worth researching this. I don't really like having a P1 bug for something that might not even be broken, though.

(In reply to comment #1) I'm not sure if this counts as broken, but WebKit at least allows overriding Via (https://bugzilla.mozilla.org/show_bug.cgi?id=302263#c5) and doesn't ignore Content-Length set on empty requests (https://bugzilla.mozilla.org/show_bug.cgi?id=302263#c17). Possibly more. It is also somewhat unclear how security violations should be handled in different cases (silently ignoring vs. throwing).

Setting this to P2. If we find any real examples of problems, they might qualify as P1 bugs.

A fix was committed in revision 18863 (brought in sync with the draft spec).
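
Added example, not part of the bug thread and not WebKit's code: a minimal model of a setRequestHeader-style filter that refuses script-supplied Via and Content-Length, with the two handling policies the thread mentions (silently ignoring vs. throwing). The class and function names are hypothetical, and the header list is an assumption taken from the forbidden request-header names in the Fetch standard, since the page does not give one.

```javascript
// Illustrative model only; names are hypothetical, not WebKit identifiers.
// Assumption: name-only forbidden list from the Fetch standard. Headers that
// are forbidden only for certain values (method overrides) are omitted.
const FORBIDDEN = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];
// HTTP "token" grammar for header names.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isForbiddenRequestHeader(name) {
  const lower = name.toLowerCase(); // header names are case-insensitive
  return FORBIDDEN.has(lower) || FORBIDDEN_PREFIXES.some((p) => lower.startsWith(p));
}

class RequestHeaderList {
  // policy: "ignore" drops a forbidden header silently, "throw" raises.
  constructor(policy = "ignore") {
    this.policy = policy;
    this.headers = new Map();
    this.rejected = []; // kept so a caller or test can see what was dropped
  }

  set(name, value) {
    // Malformed names and CR/LF/NUL in values are always an error, otherwise
    // a forbidden header could be smuggled inside an allowed header's value.
    if (!TOKEN.test(name) || /[\r\n\0]/.test(value)) {
      throw new SyntaxError(`malformed header: ${JSON.stringify(name)}`);
    }
    if (isForbiddenRequestHeader(name)) {
      if (this.policy === "throw") throw new Error(`refused header: ${name}`);
      this.rejected.push(name);
      return false;
    }
    // Repeated calls for the same name combine values, as XHR does.
    const key = name.toLowerCase();
    const prior = this.headers.get(key);
    this.headers.set(key, prior === undefined ? value : `${prior}, ${value}`);
    return true;
  }
}
```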