[webkit-reviews] review denied: [Bug 63460] CORS should only deal with request headers set by script authors : [Attachment 98735] proposed patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Jun 27 13:03:05 PDT 2011
Alexey Proskuryakov <ap at webkit.org> has denied Per-Erik Brodin
<per-erik.brodin at ericsson.com>'s request for review:
Bug 63460: CORS should only deal with request headers set by script authors
https://bugs.webkit.org/show_bug.cgi?id=63460
Attachment 98735: proposed patch
https://bugs.webkit.org/attachment.cgi?id=98735&action=review
------- Additional Comments from Alexey Proskuryakov <ap at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=98735&action=review
The implementation cannot work on Mac, because header status will be lost after
a round-trip through NSURLRequest (or any other HTTP library request object).
WebKit needs this round-trip because it has delegate methods where it informs
client applications about requests that are about to be made.
ResourceRequest is ah HTTP level notion, and it shouldn't have any knowledge of
Web platform concepts.
Secondly, when we talk about author vs. implementation, where do headers added
by client applications fit? It kind of sounds like it's "implementation", but
we can't know if those applications use untrusted content to decide which
headers to add.
> LayoutTests/ChangeLog:6
> + CORS should only deal with request headers set by script authors.
> + https://bugs.webkit.org/show_bug.cgi?id=63460
That's an interesting idea, although it seems somewhat questionable to me. The
design principle use to be to avoid hitting servers with anything they couldn't
be hit with through form submission, and the new rule deviates from that pretty
far.
> Source/WebCore/platform/network/ResourceRequestBase.h:47
> + enum ResourceRequestHeaderStatus {
Naming nit: I would have liked something like "origination" or "source" more
than "status".
More information about the webkit-reviews
mailing list