Bug 190133 - [WPE][GTK] Document that webkit_uri_response_get_http_headers() may no longer return all HTTP headers
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: Other
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
Reported: 2018-10-01 06:18 PDT by Michael Catanzaro
Modified: 2018-10-01 06:18 PDT
Description Michael Catanzaro 2018-10-01 06:18:00 PDT
As a Spectre mitigation, webkit_uri_response_get_http_headers() no longer returns all HTTP headers. E.g. cookie headers are pruned to prevent a website from abusing Spectre to read cookies associated with an iframe from memory.

This is an API break, but it's probably unavoidable. We should document it, though. Problem is it's really hard to use this API if the set of headers that get pruned changes incompatibly in future versions of WebKit. :/