Bug 179475 - [SOUP] Case of request headers depends on global state in libsoup
Summary: [SOUP] Case of request headers depends on global state in libsoup
Status: RESOLVED MOVED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-09 05:09 PST by Ms2ger (he/him; ⌚ UTC+1/+2)
Modified: 2018-01-03 09:11 PST (History)
3 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ms2ger (he/him; ⌚ UTC+1/+2) 2017-11-09 05:09:35 PST
http://w3c-test.org/fetch/api/basic/request-headers-case.any.html

soup_message_headers_append interns the header name case-insensitively, and always uses the casing it got in the first call. This means that

fetch("..", {headers: [["TEST", 1]] })
fetch("..", {headers: [["test", 1]] })

will the same header name twice. The name might be "TEST", or it might be any other casing which any other web page has used during the runtime of the browser.

This also provides a way of cross-origin communication: if a web page A uses a sufficiently unique header name in a particular casing, another web page B can check if page A was loaded before page B by checking what happens when using the header name in a different casing.
Comment 1 Michael Catanzaro 2017-11-09 07:44:17 PST
Wow, good find!

I don't think there is anything to change in WebKit here. Do you want to report this on GNOME Bugzilla?

Anyway, the fix would surely be in soup-message-headers.c:

static const char *
intern_header_name (const char *name, SoupHeaderSetter *setter)
{
	// ...

	if (!header_pool) {
		header_pool = g_hash_table_new (soup_str_case_hash, soup_str_case_equal);

	// ...
}

Presumably that would need to be changed to:

	header_pool = g_hash_table_new (g_str_hash, g_str_equal);

But we should probably audit other uses of soup_str_case_hash and soup_str_case_equal to ensure they are appropriate.
Comment 2 Michael Catanzaro 2017-11-09 08:20:17 PST
danw	the "cross-origin communication" idea seems a little crazy, but people have done crazier stuff... I'd say file a libsoup bug yeah. you can't just change intern_header_name to be non-case-sensitive though. that would definitely break things
mcatanzaro	What sort of things?
danw	eg, when you call soup_message_headers_get_content_type(), it has to return the content type whether it was specified as "Content-Type" or "CONTENT-type"
I guess if you want to fix it, the fix would be to not intern header names at all. just copy both name and value, and use g_ascii_strcasecmp() rather than pointer equality to compare header names when needed
Comment 3 Michael Catanzaro 2017-12-07 07:58:29 PST
This is a bug in libsoup, not in WebKit. This report needs to be moved to GNOME Bugzilla.