WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED INVALID
59819
Sync XHRs are rejected when the cases of the origin and destination hosts are different
https://bugs.webkit.org/show_bug.cgi?id=59819
Summary
Sync XHRs are rejected when the cases of the origin and destination hosts are...
Jessie Berlin
Reported
2011-04-29 12:02:02 PDT
protocolHostAndPortAreEqual fails when comparing
http://www.webkit.org
and
http://www.webKit.org
. This causes the sync loader clients on Mac and Windows to reject XHRs from an origin with domain a to an origin with domain A.
Attachments
Add attachment
proposed patch, testcase, etc.
Jessie Berlin
Comment 1
2011-04-29 12:02:48 PDT
<
rdar://problem/9359829
>
Jessie Berlin
Comment 2
2011-04-29 12:17:42 PDT
On IRC, Adam Barth commented: Normal URLs have case-insensitive host names there's some scheme used in the Safari extensions system that has a case-sensitive "host" name but that should probably be an exception (it's a dangerous design that won't play nicely with other folks who interpret URLs) But he also pointed out that maybe we should not be using protocolHostAndPortAreEqual because we should be asking the SecurityOrigin about security issues.
Jessie Berlin
Comment 3
2011-04-29 13:27:05 PDT
Further IRC discussion: abarth: I think that the answer is to use SecurityOrigin::canRequest() when checking for redirects during XMLHttpRequest (and eventually, we need to stop blocking redirects, and implement what the spec says) <abarth> that should work <ap> abarth: we also need to audit all other uses of protocolHostAndPortAreEqual() which is only used in appcache code, and probably replace all those with SecurityOrigin invocations
youenn fablet
Comment 4
2020-07-27 00:39:40 PDT
Doing a quick test, Firefox, Chrome and Safari are consistently rejecting this. String comparison is done in passesAccessControlCheck between the header value and the serialised security origin. This aligns with my reading of
https://fetch.spec.whatwg.org/#cors-check
, which is basically comparing the header value (might have any case) with a byte serialised origin (this one being always lowercased I believe).
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug