WebKit Bugzilla
Bug 68032: Banned request headers sent in XHR calls to cross-domain targets
Status: RESOLVED INVALID
https://bugs.webkit.org/show_bug.cgi?id=68032
Venkat Penukonda
Reported
2011-09-13 14:44:08 PDT
1. Launch MiniBrowser browser and load:
http://iop4.nokia-boston.com/users/HTML5/xhrSecurity/tests/resources/manual.html
2. Click on each of the links of Link#7, Link#9 to Link#13
3. Results in each of the test pages show failure.
…
EXPECTED OUTCOME: Should show Success

Details: These tests try to detect if the banned headers are sent to a cross-domain target in an XHR request. These headers are:
• Accept-Encoding
• Accept-Charset
• Accept-Language
• User-Agent
• Referer
• Host
These are not expected to be sent to a cross-domain target as per Browser security handbook at:
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_XMLHttpRequest
Adam Barth
Comment 1
2011-09-13 15:07:58 PDT
Setting those headers should be banned on same-origin requests too. Are you sure you're able to manipulate them to a non-default value?
Adam Barth
Comment 2
2011-09-13 15:10:52 PDT
It would be nice if the server echoed back the header value it received.
Adam Barth
Comment 3
2011-09-13 15:46:47 PDT
(Sorry, I don't mean to complain; I just need a slightly fancier setup to look at this bug.)
Venkat Penukonda
Comment 4
2012-02-27 13:02:04 PST
The test index link is changed. Here is the new URL:
http://iop4.nokia-boston.com/users/tests/bug68032/index.html
Alexey Proskuryakov
Comment 5
2012-02-27 13:23:02 PST
These tests do not attempt to send custom header fields; they only check that something was sent. It is forbidden to set these headers to non-default values using XMLHttpRequest.setRequestHeader(), but it's perfectly OK for the browser to provide its own value. Please see <http://dvcs.w3.org/hg/xhr/raw-file/tip/Overview.html> for more detail.

• Accept-Language
This header field is an exception; authors are actually allowed to change it with XMLHttpRequest.setRequestHeader().
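The distinction Comment 5 draws, as an added example that is not part of the bug thread and not WebKit code: a page script cannot override the headers the report lists through XMLHttpRequest.setRequestHeader() (except Accept-Language), yet the browser still sends its own default values for them, so a test that merely checks whether the header arrived will always "fail". The model below only knows the header names that appear on this page (the XHR specification's forbidden list is longer), the browser default values are constructed samples, and the function names are this example's own.

```javascript
// Added example (not from the bug or from WebKit). Models which request headers
// an XHR can carry: author-set values for the forbidden names are dropped, the
// browser's own defaults are always sent, Accept-Language may be author-set.
// Assumption: only the header names given on the page are modelled here; the
// real forbidden-header list in the XHR specification is longer.

const FORBIDDEN_FROM_PAGE = new Set([
  'accept-encoding', 'accept-charset', 'user-agent', 'referer', 'host',
]);

// Header names are case-insensitive, so compare in lower case.
function isForbiddenHeaderName(name) {
  return FORBIDDEN_FROM_PAGE.has(String(name).toLowerCase());
}

// Simulates XMLHttpRequest.setRequestHeader(): a forbidden name is ignored
// without an error (the spec returns silently); any other name is recorded.
// Returns true when the header was accepted.
function setRequestHeader(authorHeaders, name, value) {
  if (isForbiddenHeaderName(name)) return false;
  authorHeaders.set(String(name).toLowerCase(), String(value));
  return true;
}

// Merges browser defaults with author-supplied headers. Author headers win only
// where they were accepted above, so the browser's own User-Agent, Host, etc.
// still reach the wire exactly as the browser chose them.
function headersOnTheWire(browserDefaults, authorHeaders) {
  const out = new Map();
  for (const [k, v] of Object.entries(browserDefaults)) out.set(k.toLowerCase(), v);
  for (const [k, v] of authorHeaders) out.set(k, v);
  return out;
}

// Constructed sample of what a browser might send by default (values illustrative).
const SAMPLE_BROWSER_DEFAULTS = {
  'Host': 'example.test',
  'User-Agent': 'ExampleBrowser/1.0 (constructed)',
  'Accept-Encoding': 'gzip, deflate',
  'Accept-Language': 'en-US',
};

// Walks through the cases the thread discusses and returns what happened.
function demo() {
  const author = new Map();
  const results = {
    userAgent: setRequestHeader(author, 'User-Agent', 'custom-ua'),       // dropped
    hostMixedCase: setRequestHeader(author, 'hOsT', 'other.test'),        // dropped
    acceptLanguage: setRequestHeader(author, 'Accept-Language', 'fr-FR'), // allowed
    custom: setRequestHeader(author, 'X-Requested-With', 'XMLHttpRequest'), // allowed
  };
  const wire = headersOnTheWire(SAMPLE_BROWSER_DEFAULTS, author);
  return { results, wire };
}

const { results, wire } = demo();
console.log(results);
console.log(Object.fromEntries(wire));
```

Running it shows User-Agent and Host on the wire with the browser's sample defaults, not the author's values, while Accept-Language carries the author's override. This is why a server that only reports "header present" cannot distinguish a browser bug from correct behaviour; echoing the received value back, as Comment 2 suggests, is what makes the test meaningful.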