RESOLVED FIXED 6212
Investigate disallowing some XMLHttpRequest headers from being set via setRequestHeader 
https://bugs.webkit.org/show_bug.cgi?id=6212
Summary Investigate disallowing some XMLHttpRequest headers from being set via setReq...
Alexey Proskuryakov
Reported 2005-12-22 23:12:19 PST
Firefox blocks setting some XMLHttpRequest headers for security reasons. All or most of these are already overridden by the network layer in WebKit, but that needs to be verified, and the checks should probably be added to the cross-platform layer. See: http://whatwg.org/specs/web-apps/current-work/#setrequestheader https://bugzilla.mozilla.org/show_bug.cgi?id=302809 https://bugzilla.mozilla.org/show_bug.cgi?id=302263 https://bugzilla.mozilla.org/show_bug.cgi?id=308484
Attachments
Add attachment proposed patch, testcase, etc.
Darin Adler
Comment 1 2005-12-26 17:54:22 PST
I don't necessarily agree that we should add the prohibition to the cross-platform layer. But it is indeed worth researching this. I don't really like having a P1 bug for something that might not even be broken, though.
Alexey Proskuryakov
Comment 2 2005-12-26 21:52:58 PST
(In reply to comment #1) I'm not sure if this counts as broken, but WebKit at least allows overriding Via (https:// bugzilla.mozilla.org/show_bug.cgi?id=302263#c5) and doesn't ignore Content-Length set on empty requests (https://bugzilla.mozilla.org/show_bug.cgi?id=302263#c17). Possibly more.
Alice Liu
Comment 3 2006-01-09 16:26:19 PST
<rdar://problem/4403688>
Alexey Proskuryakov
Comment 4 2006-01-15 02:42:54 PST
It is also somewhat unclear how security violations should be handled in different cases (silently ignoring vs. throwing).
Darin Adler
Comment 5 2006-01-28 17:35:27 PST
Setting this to P2. If we find any real examples of problems, they might qualify as P1 bugs.
Alexey Proskuryakov
Comment 6 2007-01-15 10:19:15 PST
A fix was committed in revision 18863 (brought in sync with the draft spec).
Note You need to log in before you can comment on or make changes to this bug.