Bug 6212 - Investigate disallowing some XMLHttpRequest headers from being set via setRequestHeader
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: XML
Version: 420+
Hardware: Mac OS X 10.4
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2005-12-22 23:12 PST by Alexey Proskuryakov
Modified: 2007-01-15 10:19 PST
See Also:
Description Alexey Proskuryakov 2005-12-22 23:12:19 PST
Firefox blocks setting some XMLHttpRequest headers for security reasons. All or most of these are already overridden by the network layer in WebKit, but that needs to be verified, and the checks should probably be added to the cross-platform layer. See:

http://whatwg.org/specs/web-apps/current-work/#setrequestheader
https://bugzilla.mozilla.org/show_bug.cgi?id=302809
https://bugzilla.mozilla.org/show_bug.cgi?id=302263
https://bugzilla.mozilla.org/show_bug.cgi?id=308484
Comment 1 Darin Adler 2005-12-26 17:54:22 PST
I don't necessarily agree that we should add the prohibition to the cross-platform layer.

But it is indeed worth researching this.

I don't really like having a P1 bug for something that might not even be broken, though.
Comment 2 Alexey Proskuryakov 2005-12-26 21:52:58 PST
(In reply to comment #1)
I'm not sure if this counts as broken, but WebKit at least allows overriding Via (https://bugzilla.mozilla.org/show_bug.cgi?id=302263#c5) and doesn't ignore Content-Length set on empty requests (https://bugzilla.mozilla.org/show_bug.cgi?id=302263#c17). Possibly more.
Comment 3 Alice Liu 2006-01-09 16:26:19 PST
<rdar://problem/4403688>
Comment 4 Alexey Proskuryakov 2006-01-15 02:42:54 PST
It is also somewhat unclear how security violations should be handled in different cases (silently ignoring vs. throwing).
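Added example, not WebKit's code: a JavaScript model of the setRequestHeader() algorithm the description points at, showing the three outcomes Comment 4 asks about (throw InvalidStateError before open(), throw SyntaxError on a malformed name or value, and silently drop forbidden names such as Via and Content-Length). The forbidden list is the header-name portion of the current WHATWG Fetch standard, assumed here as a stand-in for the 2005 draft; ModelXHR and its return values are illustrative names.

```javascript
// Added example (not WebKit code): a model of the spec's setRequestHeader().
// Forbidden names per the WHATWG Fetch standard (assumed snapshot; the
// X-HTTP-Method* method-override rule is omitted for brevity).
const FORBIDDEN_REQUEST_HEADERS = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade",
  "via",
]);

// RFC 7230 token and field-value grammar; enough to reject CR/LF injection.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const FIELD_VALUE = /^[\t\x20-\x7e\x80-\xff]*$/;

function isForbiddenRequestHeader(name) {
  const lower = name.toLowerCase();
  return FORBIDDEN_REQUEST_HEADERS.has(lower) ||
         lower.startsWith("proxy-") || lower.startsWith("sec-");
}

class ModelXHR {
  constructor() { this.readyState = 0; this.headers = new Map(); }
  open() { this.readyState = 1; }            // OPENED
  // Returns "set" or "ignored" so callers can observe the spec's outcomes.
  setRequestHeader(name, value) {
    if (this.readyState !== 1) throw new Error("InvalidStateError");
    value = value.replace(/^[\t ]+|[\t ]+$/g, "");   // normalize value
    if (!TOKEN.test(name) || !FIELD_VALUE.test(value)) {
      throw new Error("SyntaxError");
    }
    if (isForbiddenRequestHeader(name)) return "ignored"; // silently dropped
    const key = name.toLowerCase();
    // Repeated names combine into one comma-separated value.
    this.headers.set(key,
      this.headers.has(key) ? `${this.headers.get(key)}, ${value}` : value);
    return "set";
  }
}
```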
Comment 5 Darin Adler 2006-01-28 17:35:27 PST
Setting this to P2. If we find any real examples of problems, they might qualify as P1 bugs.
Comment 6 Alexey Proskuryakov 2007-01-15 10:19:15 PST
A fix was committed in revision 18863 (brought in sync with the draft spec).