Bug 128533

Summary: XMLHttpRequest should not set DNT header
Product: WebKit Reporter: youenn fablet <youennf>
Component: XML    Assignee: youenn fablet <youennf>
Status: RESOLVED FIXED
Severity: Normal    CC: ap, commit-queue, darin
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (Flags: none)

Description youenn fablet 2014-02-10 07:54:11 PST
Scripts should not be able to set the DNT (Do Not Track) header of an HTTP request using XMLHttpRequest (except if privileged).
Comment 1 youenn fablet 2014-02-10 08:34:04 PST
Created attachment 223717 [details]
Patch
Comment 2 Darin Adler 2014-02-11 09:29:09 PST
Why?
Comment 3 youenn fablet 2014-02-11 12:10:06 PST
The DNT header should be set by web engines according to user preferences.
That includes all HTTP requests, including XHR requests.
Unprivileged web apps should not be allowed to override/interfere with user preferences.

A simple way to handle that is to disallow XHR to set the DNT header, as specified in http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader()-method.

Mozilla seems to implement that behavior.
Blink seems to allow setting the DNT header.
I do not know what others do.

The bug title is a bit misleading, I will change it (s/send/set/).
Comment 4 Alexey Proskuryakov 2014-02-11 13:10:09 PST
Comment on attachment 223717 [details]
Patch

The short answer is that the XHR spec currently says so. "Terminate these steps if header is a case-insensitive match for one of the following headers: <...>"
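The setRequestHeader() step quoted above, written out as an added JavaScript example (this is not WebKit's code, nor part of the attached patch). The forbidden-name list is assumed to be the one in the spec revision the bug cites, with DNT included, and AuthorRequestHeaders is a hypothetical model of the author request headers store.

```javascript
// Forbidden request header names from the W3C XMLHttpRequest spec's
// setRequestHeader() algorithm (assumed list for the revision cited in
// comment 3; DNT is the entry this bug is about). Matching is
// case-insensitive, and two prefixes are forbidden as well.
const FORBIDDEN_HEADER_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length",
  "cookie", "cookie2", "date", "dnt", "expect", "host", "keep-alive",
  "origin", "referer", "te", "trailer", "transfer-encoding", "upgrade",
  "user-agent", "via",
]);
const FORBIDDEN_HEADER_PREFIXES = ["proxy-", "sec-"];

function isForbiddenRequestHeader(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_HEADER_NAMES.has(n) ||
    FORBIDDEN_HEADER_PREFIXES.some((prefix) => n.startsWith(prefix));
}

// Hypothetical model of the author request headers behind setRequestHeader():
// a forbidden name makes the algorithm "terminate these steps", so the header
// is silently dropped and the engine's own value (e.g. DNT from user
// preferences) stays in control; a repeated allowed name is combined with
// ", " as the spec describes.
class AuthorRequestHeaders {
  constructor() { this.headers = new Map(); }

  // Returns true if the header was stored, false if it was dropped.
  set(name, value) {
    if (isForbiddenRequestHeader(name)) return false;
    const key = name.toLowerCase();
    const v = String(value).trim();
    this.headers.set(key, this.headers.has(key)
      ? `${this.headers.get(key)}, ${v}` : v);
    return true;
  }

  get(name) { return this.headers.get(name.toLowerCase()); }
}
```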
Comment 5 WebKit Commit Bot 2014-02-11 15:57:29 PST
Comment on attachment 223717 [details]
Patch

Clearing flags on attachment: 223717

Committed r163915: <http://trac.webkit.org/changeset/163915>
Comment 6 WebKit Commit Bot 2014-02-11 15:57:31 PST
All reviewed patches have been landed.  Closing bug.