RESOLVED INVALID 33688
Cross-Domain XMLHttpRequest deny allowed headers access
https://bugs.webkit.org/show_bug.cgi?id=33688
Summary Cross-Domain XMLHttpRequest deny allowed headers access
y8
Reported 2010-01-14 14:09:59 PST
Referring to the Cross-Origin specification (http://www.w3.org/TR/access-control/), "6.1.3 Cross-Origin Request with Preflight", WebKit must allow access to response headers listed in the "Access-Control-Allow-Headers" header. Example:
1. Create an XMLHttpRequest.
2. Add an "X-Test" header with value "Request" to the request.
3. WebKit makes a preflight request to the server, and receives a valid response with "Access-Control-Allow-Headers: X-Test".
4. WebKit makes the normal request to the server with the "X-Test" header.
5. The server responds with a valid request, and an "X-Test: Reply" header.
6. getResponseHeader("X-Test") throws: Refused to get unsafe header "X-Test"
Test page attached.
Attachments
XMLHttpRequest cross-domain headers test (2.47 KB, text/html)
2010-01-14 14:11 PST, y8
no flags
y8
Comment 1 2010-01-14 14:11:07 PST
Created attachment 46604 [details] XMLHttpRequest cross-domain headers test
Alexey Proskuryakov
Comment 2 2010-01-14 15:46:03 PST
The Access-Control-Allow-Headers header only affects what can be put into the request, not what can be read from the response. Per the CORS spec, there is no way to get an X-Test response header from a cross-origin request. Please see section 6.1:
-------------------------------------------
User agents must filter out all response headers other than those that are an ASCII case-insensitive match for one of the header field names listed below, before exposing response headers to the APIs defined in the hosting specification:
* Cache-Control
* Content-Language
* Content-Type
* Expires
* Last-Modified
* Pragma
-------------------------------------------
E.g. the getResponseHeader() method of XMLHttpRequest will therefore not expose any header not listed above.
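The distinction drawn in comment 2 (Access-Control-Allow-Headers gates what a cross-origin request may send; the section 6.1 filter gates what the caller may read) is easy to see in code. The following is an added example written for this page, not WebKit code and not the reporter's test page: it models the preflight check and the response-header filter as two separate functions and replays the six steps from the report. The header names, values and the origin are constructed for the example; the optional `honourExposeHeaders` switch models Access-Control-Expose-Headers from later revisions of CORS and the Fetch standard, which this page does not discuss, so the default reproduces the 2010 behaviour the comment describes.

```javascript
// Added example (not WebKit code): models the two CORS checks discussed in
// this bug so the difference between them is visible in code.
//
//  1. Preflight: Access-Control-Allow-Headers decides which non-simple
//     request headers the client may SEND.
//  2. Response filtering (spec section 6.1, quoted in comment 2): only the
//     "simple response headers" may be READ via getResponseHeader(),
//     regardless of what Allow-Headers said during the preflight.
//
// All header names, values and origins below are constructed for the example.

// Simple response headers, exactly the list quoted in comment 2.
const SIMPLE_RESPONSE_HEADERS = new Set([
  'cache-control', 'content-language', 'content-type',
  'expires', 'last-modified', 'pragma',
]);

// Request headers that may be sent without a preflight (subset relevant here).
const SIMPLE_REQUEST_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);

// Parse a comma-separated list of header names into lowercase names.
function parseHeaderList(value) {
  return new Set(
    (value || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean),
  );
}

// Steps 3-4 of the report: does the preflight response permit every
// non-simple header the caller wants to put on the actual request?
function preflightAllowsRequestHeaders(requestHeaders, preflightResponseHeaders) {
  const allowed = parseHeaderList(preflightResponseHeaders['access-control-allow-headers']);
  return Object.keys(requestHeaders).every((name) => {
    const n = name.toLowerCase();
    return SIMPLE_REQUEST_HEADERS.has(n) || allowed.has(n);
  });
}

// Section 6.1 filter: the subset of response headers a cross-origin caller
// may read. honourExposeHeaders models Access-Control-Expose-Headers from
// later CORS drafts / the Fetch standard (not covered on this page); leave it
// false to get the 2010 rule described in comment 2.
function exposedResponseHeaders(responseHeaders, { honourExposeHeaders = false } = {}) {
  const exposed = honourExposeHeaders
    ? parseHeaderList(responseHeaders['access-control-expose-headers'])
    : new Set();
  const out = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    const n = name.toLowerCase();
    if (SIMPLE_RESPONSE_HEADERS.has(n) || exposed.has(n)) out[n] = value;
  }
  return out;
}

// Mimics XMLHttpRequest.getResponseHeader() on a cross-origin response:
// a filtered-out header reads as null (what the reporter saw refused).
function getResponseHeader(responseHeaders, name, opts) {
  const visible = exposedResponseHeaders(responseHeaders, opts);
  const v = visible[name.toLowerCase()];
  return v === undefined ? null : v;
}

// Constructed replay of the exchange in the bug report.
const requestHeaders = { 'X-Test': 'Request' };
const preflightResponse = {
  'access-control-allow-origin': 'http://example.test',
  'access-control-allow-headers': 'X-Test',
};
const actualResponse = { 'content-type': 'text/plain', 'x-test': 'Reply' };

console.log(preflightAllowsRequestHeaders(requestHeaders, preflightResponse)); // true
console.log(getResponseHeader(actualResponse, 'X-Test'));                      // null
console.log(getResponseHeader(actualResponse, 'Content-Type'));                // text/plain
```

Run it with `node`. The preflight succeeds because the server listed X-Test in Access-Control-Allow-Headers, and the actual request carries the header, yet the reply's X-Test header is filtered before the script can read it, which is the behaviour the comment describes as spec-conformant. Only with `{ honourExposeHeaders: true }` and an `Access-Control-Expose-Headers: X-Test` response header (the later mechanism, not part of this page) does the value become readable.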