RESOLVED FIXED 128533
XMLHttpRequest should not set DNT header
https://bugs.webkit.org/show_bug.cgi?id=128533
Summary XMLHttpRequest should not set DNT header
youenn fablet
Reported 2014-02-10 07:54:11 PST
Scripts should not be able to set the DNT (Do Not Track) header of an HTTP request using XMLHttpRequest (except if privileged).
Attachments
Patch (3.70 KB, patch)
2014-02-10 08:34 PST, youenn fablet
no flags
youenn fablet
Comment 1 2014-02-10 08:34:04 PST
Darin Adler
Comment 2 2014-02-11 09:29:09 PST
Why?
youenn fablet
Comment 3 2014-02-11 12:10:06 PST
The DNT header should be set by web engines according to user preferences. That includes all HTTP requests, including XHR requests. Unprivileged web apps should not be allowed to override/interfere with user preferences. A simple way to handle that is to disallow XHR to set the DNT header, as specified in http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader()-method. Mozilla seems to implement that behavior. Blink seems to allow setting the DNT header. I do not know what others do. The bug title is a bit misleading, I will change it (s/send/set/).
Alexey Proskuryakov
Comment 4 2014-02-11 13:10:09 PST
Comment on attachment 223717 [details]
Patch

The short answer is that the XHR spec currently says so. "Terminate these steps if header is a case-insensitive match for one of the following headers: <...>"
WebKit Commit Bot
Comment 5 2014-02-11 15:57:29 PST
Comment on attachment 223717 [details]
Patch

Clearing flags on attachment: 223717

Committed r163915: <http://trac.webkit.org/changeset/163915>
WebKit Commit Bot
Comment 6 2014-02-11 15:57:31 PST
All reviewed patches have been landed. Closing bug.