Bug 16189 - XMLHttpRequest::setRequestHeader() should not set certain headers
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=16189
Reported by Julien Chaffraix, 2007-11-29 05:18:38 PST
The XMLHttpRequest working draft gives a list of headers that should not be set by setRequestHeader() for security reasons. Currently some of them are missing. Mozilla checks for all of them except the ones starting with "Proxy-". Patch & testcase will follow.
Attachments
- patch & testcase (5.47 KB, patch), 2007-11-29 07:07 PST, Julien Chaffraix. Flags: mjs: review-
- Patch updated with Maciej's comments (5.34 KB, patch), 2007-11-30 10:08 PST, Julien Chaffraix. Flags: darin: review+
Julien Chaffraix
Comment 1 2007-11-29 07:07:32 PST
Created attachment 17591: patch & testcase
Add all the headers specified by the draft (even "Proxy-" headers).
Maciej Stachowiak
Comment 2 2007-11-29 18:11:34 PST
Looks great! Minor coding style issue: + static String proxyString; if (forbiddenHeaders.isEmpty()) { forbiddenHeaders.add("accept-charset"); forbiddenHeaders.add("accept-encoding"); + forbiddenHeaders.add("connection"); forbiddenHeaders.add("content-length"); - forbiddenHeaders.add("expect"); + forbiddenHeaders.add("content-transfer-encoding"); forbiddenHeaders.add("date"); + forbiddenHeaders.add("expect"); forbiddenHeaders.add("host"); forbiddenHeaders.add("keep-alive"); forbiddenHeaders.add("referer"); @@ -107,9 +110,11 @@ static bool canSetRequestHeader(const String& name) forbiddenHeaders.add("transfer-encoding"); forbiddenHeaders.add("upgrade"); forbiddenHeaders.add("via"); + + proxyString = String("proxy-"); You could just write static String proxyString("proxy-"), it will still be initialized only once. r- to consider style request, but I'll happily r+ with that revision.
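Review bot: the blocklist entries in canSetRequestHeader are all lowercase, which implies the name is lowercased (or compared case-insensitively) for the hash lookup; the new proxyString prefix test needs the same treatment, otherwise a script passing "Proxy-Authorization" or "PROXY-Connection" bypasses it while "proxy-authorization" is rejected. The attached testcase should exercise mixed-case spellings of both a listed header and a "Proxy-" header so the two code paths are covered. Separately, as already noted, `proxyString = String("proxy-");` inside the isEmpty() block can become `static String proxyString("proxy-");`, which keeps the one-time initialisation and removes the assignment from the lazy-init branch.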
Maciej Stachowiak
Comment 3 2007-11-29 18:12:37 PST
Comment on attachment 17591: patch & testcase
As stated above, r- for style issue.
Julien Chaffraix
Comment 4 2007-11-30 10:08:41 PST
Created attachment 17609: Patch updated with Maciej's comments
> You could just write static String proxyString("proxy-"), it will still be
> initialized only once.
I did not know. Thanks for the info!
Mark Rowe (bdash)
Comment 5 2007-12-01 08:51:40 PST
Landed in r28301.