Bug 272740
| Summary: | NUL bytes in header values allowed for fetch-API | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | jannis.rautenstrauch |
| Component: | DOM | Assignee: | youenn fablet <youennf> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | achristensen, annevk, cdumez, karlcow, mike, webkit-bug-importer, youennf |
| Priority: | P2 | Keywords: | BrowserCompat, InRadar |
| Version: | Safari 17 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://github.com/web-platform-tests/wpt/pull/45980 | ||
jannis.rautenstrauch
Fetching a resource that contains a NUL byte in a header value using the fetch API does not result in an error in WebKit and even things such as HSTS work on such responses.
Firefox and Chromium throw a network error for such cases.
Example response: `strict-transport-security: max-age=20; in\u0000cludeSubDomains`
Example URL: http://sub.headers.websec.saarland/_hp/tests/upgrade-hsts.sub.html?resp_type=parsing&browser_id=1&label=HSTS&first_id=32575&last_id=32575&scheme=http&t_resp_id=32575&t_element_relation=direct_direct&t_resp_origin=https://sub.headers.websec.saarland
Seems to only be happening for `fetch`, img responses with \x00 in a header value seem to be blocked: https://bugs.webkit.org/show_bug.cgi?id=272739
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/126913166>
youenn fablet
This seems to be restricted to no-cors case, where we do a sanitization in networking process, while we should check for nul headers in the response before.
youenn fablet
Pull request: https://github.com/WebKit/WebKit/pull/27869
youenn fablet
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/45980
EWS
Committed 278389@main (85f98322e6a6): <https://commits.webkit.org/278389@main>
Reviewed commits have been landed. Closing PR #27869 and removing active labels.