- Revision
- 222807
- Author
- [email protected]
- Date
- 2017-10-03 13:55:59 -0700 (Tue, 03 Oct 2017)
Log Message
XMLHttpRequest.setRequestHeader() should allow Content-Transfer-Encoding header; remove
duplicate logic to check for a forbidden XHR header field
https://bugs.webkit.org/show_bug.cgi?id=177829
Reviewed by Alexey Proskuryakov.
Source/WebCore:
Use isForbiddenHeaderName() (defined in HTTPParsers.h) to check if the header field specified
to XMLHttpRequest.setRequestHeader() is allowed. Among other benefits this makes the behavior
of XMLHttpRequest.setRequestHeader() more closely aligned with the behavior of this method in
the XHR standard, <https://xhr.spec.whatwg.org> (8 September 2017). In particular, XMLHttpRequest.setRequestHeader()
no longer forbids setting the header Content-Transfer-Encoding. This header has not been
considered a forbidden header since <https://www.w3.org/TR/2012/WD-XMLHttpRequest-20121206/>.
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::setRequestHeader):
(WebCore::isForbiddenRequestHeader): Deleted.
(WebCore::XMLHttpRequest::isAllowedHTTPHeader): Deleted.
* xml/XMLHttpRequest.h:
LayoutTests:
Update tests and test results now that we no longer consider Content-Transfer-Encoding a
forbidden header.
* fast/xmlhttprequest/set-dangerous-headers-expected.txt:
* fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html:
* fast/xmlhttprequest/set-dangerous-headers.html:
* http/tests/xmlhttprequest/set-dangerous-headers-expected.txt:
* http/tests/xmlhttprequest/set-dangerous-headers.html:
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (222806 => 222807)
--- trunk/LayoutTests/ChangeLog 2017-10-03 20:51:00 UTC (rev 222806)
+++ trunk/LayoutTests/ChangeLog 2017-10-03 20:55:59 UTC (rev 222807)
@@ -1,3 +1,20 @@
+2017-10-03 Daniel Bates <[email protected]>
+
+ XMLHttpRequest.setRequestHeader() should allow Content-Transfer-Encoding header; remove
+ duplicate logic to check for a forbidden XHR header field
+ https://bugs.webkit.org/show_bug.cgi?id=177829
+
+ Reviewed by Alexey Proskuryakov.
+
+ Update tests and test results now that we no longer consider Content-Transfer-Encoding a
+ forbidden header.
+
+ * fast/xmlhttprequest/set-dangerous-headers-expected.txt:
+ * fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html:
+ * fast/xmlhttprequest/set-dangerous-headers.html:
+ * http/tests/xmlhttprequest/set-dangerous-headers-expected.txt:
+ * http/tests/xmlhttprequest/set-dangerous-headers.html:
+
2017-10-03 Joseph Pecoraro <[email protected]>
Unreviewed test gardening. Add debugging to flakey test.
Modified: trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-expected.txt (222806 => 222807)
--- trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-expected.txt 2017-10-03 20:51:00 UTC (rev 222806)
+++ trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-expected.txt 2017-10-03 20:55:59 UTC (rev 222807)
@@ -4,26 +4,24 @@
CONSOLE MESSAGE: line 15: Refused to set unsafe header "ACCESS-CONTROL-REQUEST-METHOD"
CONSOLE MESSAGE: line 21: Refused to set unsafe header "CONNECTION"
CONSOLE MESSAGE: line 22: Refused to set unsafe header "CONTENT-LENGTH"
-CONSOLE MESSAGE: line 23: Refused to set unsafe header "CONTENT-TRANSFER-ENCODING"
-CONSOLE MESSAGE: line 24: Refused to set unsafe header "COOKIE"
-CONSOLE MESSAGE: line 25: Refused to set unsafe header "COOKIE2"
-CONSOLE MESSAGE: line 26: Refused to set unsafe header "DATE"
-CONSOLE MESSAGE: line 27: Refused to set unsafe header "DNT"
-CONSOLE MESSAGE: line 28: Refused to set unsafe header "EXPECT"
-CONSOLE MESSAGE: line 29: Refused to set unsafe header "HOST"
-CONSOLE MESSAGE: line 30: Refused to set unsafe header "KEEP-ALIVE"
-CONSOLE MESSAGE: line 31: Refused to set unsafe header "ORIGIN"
-CONSOLE MESSAGE: line 32: Refused to set unsafe header "REFERER"
-CONSOLE MESSAGE: line 33: Refused to set unsafe header "TE"
-CONSOLE MESSAGE: line 34: Refused to set unsafe header "TRAILER"
-CONSOLE MESSAGE: line 35: Refused to set unsafe header "TRANSFER-ENCODING"
-CONSOLE MESSAGE: line 36: Refused to set unsafe header "UPGRADE"
-CONSOLE MESSAGE: line 37: Refused to set unsafe header "USER-AGENT"
-CONSOLE MESSAGE: line 38: Refused to set unsafe header "VIA"
-CONSOLE MESSAGE: line 40: Refused to set unsafe header "Proxy-"
-CONSOLE MESSAGE: line 41: Refused to set unsafe header "Proxy-test"
-CONSOLE MESSAGE: line 42: Refused to set unsafe header "PROXY-FOO"
-CONSOLE MESSAGE: line 44: Refused to set unsafe header "Sec-"
-CONSOLE MESSAGE: line 45: Refused to set unsafe header "Sec-test"
-CONSOLE MESSAGE: line 46: Refused to set unsafe header "SEC-FOO"
+CONSOLE MESSAGE: line 25: Refused to set unsafe header "COOKIE"
+CONSOLE MESSAGE: line 26: Refused to set unsafe header "COOKIE2"
+CONSOLE MESSAGE: line 27: Refused to set unsafe header "DATE"
+CONSOLE MESSAGE: line 28: Refused to set unsafe header "DNT"
+CONSOLE MESSAGE: line 29: Refused to set unsafe header "EXPECT"
+CONSOLE MESSAGE: line 30: Refused to set unsafe header "HOST"
+CONSOLE MESSAGE: line 31: Refused to set unsafe header "KEEP-ALIVE"
+CONSOLE MESSAGE: line 32: Refused to set unsafe header "ORIGIN"
+CONSOLE MESSAGE: line 33: Refused to set unsafe header "REFERER"
+CONSOLE MESSAGE: line 34: Refused to set unsafe header "TE"
+CONSOLE MESSAGE: line 35: Refused to set unsafe header "TRAILER"
+CONSOLE MESSAGE: line 36: Refused to set unsafe header "TRANSFER-ENCODING"
+CONSOLE MESSAGE: line 37: Refused to set unsafe header "UPGRADE"
+CONSOLE MESSAGE: line 39: Refused to set unsafe header "VIA"
+CONSOLE MESSAGE: line 41: Refused to set unsafe header "Proxy-"
+CONSOLE MESSAGE: line 42: Refused to set unsafe header "Proxy-test"
+CONSOLE MESSAGE: line 43: Refused to set unsafe header "PROXY-FOO"
+CONSOLE MESSAGE: line 45: Refused to set unsafe header "Sec-"
+CONSOLE MESSAGE: line 46: Refused to set unsafe header "Sec-test"
+CONSOLE MESSAGE: line 47: Refused to set unsafe header "SEC-FOO"
Test that setRequestHeader() cannot be used to alter security-sensitive headers. This test PASSED if you see console warnings.
Modified: trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html (222806 => 222807)
--- trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html 2017-10-03 20:51:00 UTC (rev 222806)
+++ trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html 2017-10-03 20:55:59 UTC (rev 222807)
@@ -22,7 +22,6 @@
req.setRequestHeader("AUTHORIZATION", "baz");
req.setRequestHeader("CONNECTION", "foobar");
req.setRequestHeader("CONTENT-LENGTH", "123456");
- req.setRequestHeader("CONTENT-TRANSFER-ENCODING", "foobar");
req.setRequestHeader("COOKIE", "foobar");
req.setRequestHeader("COOKIE2", "foobar");
req.setRequestHeader("DATE", "foobar");
Modified: trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers.html (222806 => 222807)
--- trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers.html 2017-10-03 20:51:00 UTC (rev 222806)
+++ trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers.html 2017-10-03 20:55:59 UTC (rev 222807)
@@ -20,7 +20,6 @@
req.setRequestHeader("AUTHORIZATION", "baz");
req.setRequestHeader("CONNECTION", "foobar");
req.setRequestHeader("CONTENT-LENGTH", "123456");
- req.setRequestHeader("CONTENT-TRANSFER-ENCODING", "foobar");
req.setRequestHeader("COOKIE", "foobar");
req.setRequestHeader("COOKIE2", "foobar");
req.setRequestHeader("DATE", "foobar");
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/set-dangerous-headers-expected.txt (222806 => 222807)
--- trunk/LayoutTests/http/tests/xmlhttprequest/set-dangerous-headers-expected.txt 2017-10-03 20:51:00 UTC (rev 222806)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/set-dangerous-headers-expected.txt 2017-10-03 20:55:59 UTC (rev 222807)
@@ -4,28 +4,26 @@
CONSOLE MESSAGE: line 15: Refused to set unsafe header "ACCESS-CONTROL-REQUEST-METHOD"
CONSOLE MESSAGE: line 21: Refused to set unsafe header "CONNECTION"
CONSOLE MESSAGE: line 22: Refused to set unsafe header "CONTENT-LENGTH"
-CONSOLE MESSAGE: line 23: Refused to set unsafe header "CONTENT-TRANSFER-ENCODING"
-CONSOLE MESSAGE: line 24: Refused to set unsafe header "COOKIE"
-CONSOLE MESSAGE: line 25: Refused to set unsafe header "COOKIE2"
-CONSOLE MESSAGE: line 26: Refused to set unsafe header "DATE"
-CONSOLE MESSAGE: line 27: Refused to set unsafe header "DNT"
-CONSOLE MESSAGE: line 28: Refused to set unsafe header "EXPECT"
-CONSOLE MESSAGE: line 29: Refused to set unsafe header "HOST"
-CONSOLE MESSAGE: line 30: Refused to set unsafe header "KEEP-ALIVE"
-CONSOLE MESSAGE: line 31: Refused to set unsafe header "ORIGIN"
-CONSOLE MESSAGE: line 32: Refused to set unsafe header "REFERER"
-CONSOLE MESSAGE: line 33: Refused to set unsafe header "TE"
-CONSOLE MESSAGE: line 34: Refused to set unsafe header "TRAILER"
-CONSOLE MESSAGE: line 35: Refused to set unsafe header "TRANSFER-ENCODING"
-CONSOLE MESSAGE: line 36: Refused to set unsafe header "UPGRADE"
-CONSOLE MESSAGE: line 37: Refused to set unsafe header "USER-AGENT"
-CONSOLE MESSAGE: line 38: Refused to set unsafe header "VIA"
-CONSOLE MESSAGE: line 40: Refused to set unsafe header "Proxy-"
-CONSOLE MESSAGE: line 41: Refused to set unsafe header "Proxy-test"
-CONSOLE MESSAGE: line 42: Refused to set unsafe header "PROXY-FOO"
-CONSOLE MESSAGE: line 44: Refused to set unsafe header "Sec-"
-CONSOLE MESSAGE: line 45: Refused to set unsafe header "Sec-test"
-CONSOLE MESSAGE: line 46: Refused to set unsafe header "SEC-FOO"
+CONSOLE MESSAGE: line 25: Refused to set unsafe header "COOKIE"
+CONSOLE MESSAGE: line 26: Refused to set unsafe header "COOKIE2"
+CONSOLE MESSAGE: line 27: Refused to set unsafe header "DATE"
+CONSOLE MESSAGE: line 28: Refused to set unsafe header "DNT"
+CONSOLE MESSAGE: line 29: Refused to set unsafe header "EXPECT"
+CONSOLE MESSAGE: line 30: Refused to set unsafe header "HOST"
+CONSOLE MESSAGE: line 31: Refused to set unsafe header "KEEP-ALIVE"
+CONSOLE MESSAGE: line 32: Refused to set unsafe header "ORIGIN"
+CONSOLE MESSAGE: line 33: Refused to set unsafe header "REFERER"
+CONSOLE MESSAGE: line 34: Refused to set unsafe header "TE"
+CONSOLE MESSAGE: line 35: Refused to set unsafe header "TRAILER"
+CONSOLE MESSAGE: line 36: Refused to set unsafe header "TRANSFER-ENCODING"
+CONSOLE MESSAGE: line 37: Refused to set unsafe header "UPGRADE"
+CONSOLE MESSAGE: line 39: Refused to set unsafe header "VIA"
+CONSOLE MESSAGE: line 41: Refused to set unsafe header "Proxy-"
+CONSOLE MESSAGE: line 42: Refused to set unsafe header "Proxy-test"
+CONSOLE MESSAGE: line 43: Refused to set unsafe header "PROXY-FOO"
+CONSOLE MESSAGE: line 45: Refused to set unsafe header "Sec-"
+CONSOLE MESSAGE: line 46: Refused to set unsafe header "Sec-test"
+CONSOLE MESSAGE: line 47: Refused to set unsafe header "SEC-FOO"
Test that setRequestHeader cannot be used to alter security-sensitive headers.
SUCCESS
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/set-dangerous-headers.html (222806 => 222807)
--- trunk/LayoutTests/http/tests/xmlhttprequest/set-dangerous-headers.html 2017-10-03 20:51:00 UTC (rev 222806)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/set-dangerous-headers.html 2017-10-03 20:55:59 UTC (rev 222807)
@@ -20,7 +20,6 @@
req.setRequestHeader("AUTHORIZATION", "baz");
req.setRequestHeader("CONNECTION", "foobar");
req.setRequestHeader("CONTENT-LENGTH", "123456");
- req.setRequestHeader("CONTENT-TRANSFER-ENCODING", "foobar");
req.setRequestHeader("COOKIE", "foobar");
req.setRequestHeader("COOKIE2", "foobar");
req.setRequestHeader("DATE", "foobar");
Modified: trunk/Source/WebCore/ChangeLog (222806 => 222807)
--- trunk/Source/WebCore/ChangeLog 2017-10-03 20:51:00 UTC (rev 222806)
+++ trunk/Source/WebCore/ChangeLog 2017-10-03 20:55:59 UTC (rev 222807)
@@ -1,3 +1,24 @@
+2017-10-03 Daniel Bates <[email protected]>
+
+ XMLHttpRequest.setRequestHeader() should allow Content-Transfer-Encoding header; remove
+ duplicate logic to check for a forbidden XHR header field
+ https://bugs.webkit.org/show_bug.cgi?id=177829
+
+ Reviewed by Alexey Proskuryakov.
+
+ Use isForbiddenHeaderName() (defined in HTTPParsers.h) to check if the header field specified
+ to XMLHttpRequest.setRequestHeader() is allowed. Among other benefits this makes the behavior
+ of XMLHttpRequest.setRequestHeader() more closely aligned with the behavior of this method in
+ the XHR standard, <https://xhr.spec.whatwg.org> (8 September 2017). In particular, XMLHttpRequest.setRequestHeader()
+ no longer forbids setting the header Content-Transfer-Encoding. This header has not been
+ considered a forbidden header since <https://www.w3.org/TR/2012/WD-XMLHttpRequest-20121206/>.
+
+ * xml/XMLHttpRequest.cpp:
+ (WebCore::XMLHttpRequest::setRequestHeader):
+ (WebCore::isForbiddenRequestHeader): Deleted.
+ (WebCore::XMLHttpRequest::isAllowedHTTPHeader): Deleted.
+ * xml/XMLHttpRequest.h:
+
2017-10-03 Commit Queue <[email protected]>
Unreviewed, rolling out r222686, r222695, and r222698.
Modified: trunk/Source/WebCore/xml/XMLHttpRequest.cpp (222806 => 222807)
--- trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2017-10-03 20:51:00 UTC (rev 222806)
+++ trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2017-10-03 20:55:59 UTC (rev 222807)
@@ -348,56 +348,6 @@
return method;
}
-static bool isForbiddenRequestHeader(const String& name)
-{
- HTTPHeaderName headerName;
- if (!findHTTPHeaderName(name, headerName))
- return false;
-
- switch (headerName) {
- case HTTPHeaderName::AcceptCharset:
- case HTTPHeaderName::AcceptEncoding:
- case HTTPHeaderName::AccessControlRequestHeaders:
- case HTTPHeaderName::AccessControlRequestMethod:
- case HTTPHeaderName::Connection:
- case HTTPHeaderName::ContentLength:
- case HTTPHeaderName::ContentTransferEncoding:
- case HTTPHeaderName::Cookie:
- case HTTPHeaderName::Cookie2:
- case HTTPHeaderName::Date:
- case HTTPHeaderName::DNT:
- case HTTPHeaderName::Expect:
- case HTTPHeaderName::Host:
- case HTTPHeaderName::KeepAlive:
- case HTTPHeaderName::Origin:
- case HTTPHeaderName::Referer:
- case HTTPHeaderName::TE:
- case HTTPHeaderName::Trailer:
- case HTTPHeaderName::TransferEncoding:
- case HTTPHeaderName::Upgrade:
- case HTTPHeaderName::UserAgent:
- case HTTPHeaderName::Via:
- return true;
-
- default:
- return false;
- }
-}
-
-bool XMLHttpRequest::isAllowedHTTPHeader(const String& name)
-{
- if (isForbiddenRequestHeader(name))
- return false;
-
- if (name.startsWith("proxy-", false))
- return false;
-
- if (name.startsWith("sec-", false))
- return false;
-
- return true;
-}
-
ExceptionOr<void> XMLHttpRequest::open(const String& method, const String& url)
{
// If the async argument is omitted, set async to true.
@@ -927,7 +877,7 @@
#if ENABLE(DASHBOARD_SUPPORT)
allowUnsafeHeaderField = usesDashboardBackwardCompatibilityMode();
#endif
- if (!allowUnsafeHeaderField && !isAllowedHTTPHeader(name)) {
+ if (!allowUnsafeHeaderField && isForbiddenHeaderName(name)) {
logConsoleError(scriptExecutionContext(), "Refused to set unsafe header \"" + name + "\"");
return { };
}
Modified: trunk/Source/WebCore/xml/XMLHttpRequest.h (222806 => 222807)
--- trunk/Source/WebCore/xml/XMLHttpRequest.h 2017-10-03 20:51:00 UTC (rev 222806)
+++ trunk/Source/WebCore/xml/XMLHttpRequest.h 2017-10-03 20:55:59 UTC (rev 222807)
@@ -106,7 +106,6 @@
// Expose HTTP validation methods for other untrusted requests.
static bool isAllowedHTTPMethod(const String&);
static String uppercaseKnownHTTPMethod(const String&);
- static bool isAllowedHTTPHeader(const String&);
enum class ResponseType { EmptyString, Arraybuffer, Blob, Document, Json, Text };
ExceptionOr<void> setResponseType(ResponseType);
