Reviewers: Ray Ryan,

Description:
Description:
===========
Firefox 3.5 allows cross-site XHR requests and gives the client no way
to disable them.  Only the server can deny the request.

Fix:
====
Fixed RequestBuilderTest to check for FF3.5. We currently do the same
for Safari 2, which fails silently.

Please review this at http://gwt-code-reviews.appspot.com/73802

Affected files:
   user/test/com/google/gwt/http/client/RequestBuilderTest.java


Index: user/test/com/google/gwt/http/client/RequestBuilderTest.java
===================================================================
--- user/test/com/google/gwt/http/client/RequestBuilderTest.java        
(revision  
6245)
+++ user/test/com/google/gwt/http/client/RequestBuilderTest.java        
(working  
copy)
@@ -45,6 +45,25 @@
      return ua.indexOf("webkit") != -1;
    }-*/;

+  /**
+   * HACK: Part of a work around for FF 3.5's failure to throw an  
exception when
+   * an XmlHttpRequest that violates the same origin policy is made.
+   */
+  private static native boolean isFirefox35() /*-{
+    var ua = navigator.userAgent.toLowerCase();
+    if (ua.indexOf("gecko") == -1) {
+      return false;
+    }
+    var result = /firefox\/([0-9]+\.[0-9]+)/.exec(ua.toLowerCase());
+    if (result && result.length == 2) {
+      var version = parseFloat(result[1]);
+      if (version >= 3.5) {
+        return true;
+      }
+    }
+    return false;
+  }-*/;
+
    @Override
    public String getModuleName() {
      return "com.google.gwt.http.RequestBuilderTest";
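Review bot: `isFirefox35()` returns true for every Firefox whose parsed version is 3.5 or higher, and `parseFloat` on the `major.minor` capture reads a two-digit minor as a decimal fraction (a `3.10` would compare as 3.1), so the name, the Javadoc and the comparison disagree. Capturing the parts separately with `/firefox\/([0-9]+)\.([0-9]+)/` and testing `major > 3 || (major == 3 && minor >= 5)` avoids that, and the Javadoc should say "3.5 or later". The second `ua.toLowerCase()` is redundant because `ua` is already lower-cased. Since the thing being worked around is a capability rather than a browser brand, a feature check such as `'withCredentials' in new XMLHttpRequest()` would be less fragile than user-agent sniffing, which misses Gecko builds whose UA string lacks the `firefox/` token and trusts a string that can be overridden.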
@@ -109,13 +128,17 @@
          }
        });

-      if (isSafari()) {
+      if (isSafari() || isFirefox35()) {
          /*
           * HACK: Safari 2.0.4 will not throw an exception for XHR's that  
violate
           * the same-origin policy. It appears to silently ignore them so  
we do
           * not fail this test if we are on Safari and the
           * RequestPermissionException is not thrown. Even though Safari  
3.0.4
           * does throw an exception in this case, we exclude it anyway.
+         *
+         * FF3.5 allows XHR's to violate the same-origin policy and offers  
no
+         * way to disable the feature from the client. Only the server can  
block
+         * the same origin policy.
           */
        } else {
          /*
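Review bot: The empty branch under `if (isSafari() || isFirefox35())` makes the same-origin test pass vacuously on every Firefox 3.5 or later, so a regression in how RequestBuilder surfaces a blocked cross-site request would go unnoticed on those browsers. The added comment is also misworded: "Only the server can block the same origin policy" should read something like `Only the server can refuse the cross-site request.` If the behaviour is the cross-origin XHR support that arrived in 3.5 (an inference, not shown in the hunk), the browser still withholds the response unless the server opts in, so the branch could assert that the callback never receives a successful response instead of asserting nothing. The callback body and the else branch lie outside the hunk, so what is available to assert on needs confirming there.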


