Bug 33688

Summary: Cross-Domain XMLHttpRequest deny allowed headers access
Product: WebKit    Reporter: y8
Component: XML    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Normal    CC: ap, ukai
Priority: P2
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: OS X 10.6
Attachments:
XMLHttpRequest cross-domain headers test (flags: none)

Description y8 2010-01-14 14:09:59 PST
Referring to the Cross-Origin specification (http://www.w3.org/TR/access-control/), "6.1.3 Cross-Origin Request with Preflight", WebKit must allow access to response headers listed in the "Access-Control-Allow-Headers" header.

Example:

1. Create XMLHttpRequest
2. Add "X-Test" header with value "Request" to request. 
3. WebKit makes a preflight request to the server, and receives a valid response with "Access-Control-Allow-Headers: X-Test".
4. WebKit makes normal request to server with "X-Test" header. 
5. Server responds with a valid request, and an "X-Test: Reply" header.
6. getResponseHeader("X-Test") throws: Refused to get unsafe header "X-Test"

Test page attached.
Comment 1 y8 2010-01-14 14:11:07 PST
Created attachment 46604 [details]
XMLHttpRequest cross-domain headers test
Comment 2 Alexey Proskuryakov 2010-01-14 15:46:03 PST
The Access-Control-Allow-Headers header only affects what can be put into the request, not what can be read from response. Per the CORS spec, there is no way to get an X-Test response header from a cross-origin request. Please see section 6.1:

-------------------------------------------

User agents must filter out all response headers other than those that are an ASCII case-insensitive match for one of the header field names listed below, before exposing response headers to the APIs defined in the hosting specification:

* Cache-Control
* Content-Language
* Content-Type
* Expires
* Last-Modified
* Pragma

E.g. the getResponseHeader() method of XMLHttpRequest will therefore not expose any header not listed above.
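To make the distinction in this comment concrete, the following is an added example (not WebKit code and not from the reporter's test page) that models the two separate CORS checks as plain functions: the preflight check that consults Access-Control-Allow-Headers for the request, and the response-header filter from the quoted section 6.1 that decides what getResponseHeader() may return. The "simple request header" list and the optional Access-Control-Expose-Headers handling are assumptions taken from later CORS revisions, not from this page; the header objects are constructed to mirror the reporter's steps 3 to 6.

```javascript
// Added example, not WebKit code: models the two separate CORS checks that
// Comment 2 distinguishes, so the report's step 3 (preflight) and step 6
// (reading the response header) can be traced in isolation.

// Response header names a user agent may expose cross-origin, exactly the
// list quoted from section 6.1 in Comment 2 (matched case-insensitively).
const SIMPLE_RESPONSE_HEADERS = new Set([
  'cache-control', 'content-language', 'content-type',
  'expires', 'last-modified', 'pragma',
]);

// Request headers that never require server permission. Assumption: this is
// the CORS "simple header" list; it is not quoted on the page.
const SIMPLE_REQUEST_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);

// Case-insensitive lookup in a plain { name: value } header object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? null : headers[key];
}

// Split a comma-separated header-name list into lowercase tokens.
function parseHeaderList(value) {
  return (value || '')
    .split(',')
    .map((s) => s.trim().toLowerCase())
    .filter((s) => s.length > 0);
}

// Report step 3: does the preflight response authorize every custom request
// header the script wants to send? Access-Control-Allow-Headers is consulted
// here and only here; it says nothing about response headers.
function preflightAllowsRequestHeaders(requestHeaderNames, preflightResponse) {
  const allowed = parseHeaderList(getHeader(preflightResponse, 'Access-Control-Allow-Headers'));
  return requestHeaderNames.every((name) => {
    const n = name.toLowerCase();
    return SIMPLE_REQUEST_HEADERS.has(n) || allowed.includes(n);
  });
}

// Report step 6: filter the final response's headers the way the quoted spec
// text requires before they reach getResponseHeader(). Assumption: the
// optional Access-Control-Expose-Headers widening comes from later CORS
// revisions, not from the 2010 draft the comment cites.
function exposedResponseHeaders(response) {
  const extra = parseHeaderList(getHeader(response, 'Access-Control-Expose-Headers'));
  const exposed = {};
  for (const [name, value] of Object.entries(response)) {
    const n = name.toLowerCase();
    if (SIMPLE_RESPONSE_HEADERS.has(n) || extra.includes(n)) exposed[name] = value;
  }
  return exposed;
}

// What the script's XHR getResponseHeader(name) would yield: null when the
// header was filtered out (the "Refused to get unsafe header" case).
function getResponseHeader(response, name) {
  return getHeader(exposedResponseHeaders(response), name);
}

// Constructed sample reproducing the report's exchange (not captured traffic).
const preflightResponse = {
  'Access-Control-Allow-Origin': 'http://client.example',
  'Access-Control-Allow-Headers': 'X-Test',
};
const finalResponse = { 'Content-Type': 'text/plain', 'X-Test': 'Reply' };

// Same final response, but with the server explicitly opting in to exposing X-Test.
const exposingResponse = { ...finalResponse, 'Access-Control-Expose-Headers': 'X-Test' };

console.log(preflightAllowsRequestHeaders(['X-Test'], preflightResponse)); // true: request may carry X-Test
console.log(getResponseHeader(finalResponse, 'X-Test'));                   // null: filtered, as in the report
console.log(getResponseHeader(finalResponse, 'Content-Type'));             // 'text/plain'
console.log(getResponseHeader(exposingResponse, 'X-Test'));                // 'Reply'
```

Run with `node`. With the reporter's own exchange (no expose header in the final response) the preflight succeeds and yet X-Test is dropped by the response filter, which is exactly the behaviour the bug describes and the reason it was resolved as invalid; the server-side opt-in shown in the last line is the mechanism later CORS revisions added for widening the exposed set.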