RESOLVED FIXED 75089
Access-Control-Request-Headers values should be lowercase
https://bugs.webkit.org/show_bug.cgi?id=75089
Summary Access-Control-Request-Headers values should be lowercase
Boris Zbarsky
Reported 2011-12-22 07:40:35 PST
Spec says: If author request headers is not empty include an Access-Control-Request-Headers header with as header field value a comma-separated list of the header field names from author request headers in lexicographical order, each converted to ASCII lowercase (even when one or more are a simple header). That's not what WebKit does, apparently. See thread starting http://lists.w3.org/Archives/Public/public-webapps/2011OctDec/1672.html This is causing a certain amount of author confusion, especially since other UAs get this right.
Attachments
Patch1 (1.68 KB, patch)
2012-01-16 20:52 PST, Joe Thomas
abarth: review-
Patch2 (5.78 KB, patch)
2012-01-17 18:05 PST, Joe Thomas
ap: review+
patch3 (5.87 KB, patch)
2012-01-17 20:08 PST, Joe Thomas
no flags
Alexey Proskuryakov
Comment 1 2011-12-22 10:50:07 PST
Julian disagrees with this spec provision: <https://www.w3.org/Bugs/Public/show_bug.cgi?id=15312>. Seems OK to change WebKit behavior, although that should really make no difference, as servers must do case insensitive comparison anyway.
Joe Thomas
Comment 2 2012-01-16 20:52:25 PST
Created attachment 122708 [details] Patch1 + No new tests, as servers must do case-insensitive comparison. Just wondering what kind of regression test can be added for this?
Alexey Proskuryakov
Comment 3 2012-01-16 22:20:47 PST
We have our own server for testing, so it should be possible to make it verify this.
Adam Barth
Comment 4 2012-01-17 01:22:25 PST
Comment on attachment 122708 [details] Patch1 This should be testable. If you look in the LayoutTests/http/tests directory, you should find some perl or PHP scripts that run on the test server. They can see the case sensitive version of Access-Control-Request-Headers.
Joe Thomas
Comment 5 2012-01-17 18:05:33 PST
Created attachment 122853 [details] Patch2 Added test case to verify that server receives the Access-Control-Request-Headers in lowercase. Also verified it using the IP logs captured with Wireshark.
Alexey Proskuryakov
Comment 6 2012-01-17 18:37:48 PST
Comment on attachment 122853 [details] Patch2 View in context: https://bugs.webkit.org/attachment.cgi?id=122853&action=review > LayoutTests/http/tests/xmlhttprequest/resources/access-control-preflight-request-header-lowercase.php:14 > + if (strcasecmp($_SERVER["HTTP_X_CUSTOM_HEADER"], "fooBAR") == 0) I'm not sure what the point of this case insensitive comparison is.
Joe Thomas
Comment 7 2012-01-17 20:08:31 PST
Joe Thomas
Comment 8 2012-01-17 20:09:40 PST
(In reply to comment #6) > (From update of attachment 122853 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=122853&action=review > > > LayoutTests/http/tests/xmlhttprequest/resources/access-control-preflight-request-header-lowercase.php:14 > > + if (strcasecmp($_SERVER["HTTP_X_CUSTOM_HEADER"], "fooBAR") == 0) > > I'm not sure what the point of this case insensitive comparison is. No specific reason. I changed this to if (isset($_SERVER["HTTP_X_CUSTOM_HEADER"]))
Alexey Proskuryakov
Comment 9 2012-01-17 21:00:09 PST
Comment on attachment 122864 [details] patch3 Thank you.
WebKit Review Bot
Comment 10 2012-01-17 22:06:23 PST
Comment on attachment 122864 [details] patch3 Clearing flags on attachment: 122864 Committed r105242: <http://trac.webkit.org/changeset/105242>
Joe Thomas
Comment 11 2012-01-18 14:43:17 PST
Comment on attachment 122853 [details] Patch2 making patch2 obsolete
Alexey Proskuryakov
Comment 12 2012-01-18 15:22:05 PST
Commit queue did not close this bug, but it doesn't appear that there is anything else to do here.
Note You need to log in before you can comment on or make changes to this bug.