[webkit-reviews] review granted: [Bug 188644] Implement further CORS restrictions : [Attachment 364199] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Mar 10 15:22:03 PDT 2019

Darin Adler <darin at apple.com> has granted Rob Buis <rbuis at igalia.com>'s request
for review:
Bug 188644: Implement further CORS restrictions

Attachment 364199: Patch


--- Comment #4 from Darin Adler <darin at apple.com> ---
Comment on attachment 364199
  --> https://bugs.webkit.org/attachment.cgi?id=364199

View in context: https://bugs.webkit.org/attachment.cgi?id=364199&action=review

> Source/WebCore/ChangeLog:26
> +	   (WebCore::isCrossOriginSafeRequestHeader): check that header length
is less than 128

Code checks for <= 128, but this says < 128. Which is it? Would be nice to have
a test that is exactly at the maximum length and another that is exactly one
more than the maximum length.

> Source/WebCore/Modules/fetch/FetchHeaders.cpp:59
> +	       combinedValue = makeString(headers.get(name), ", ",

Unfortunate that we need to do this concatenation work both here and inside
HTTPHeaderMap::add. Wasteful because we compute the same string twice. Also
breaks encapsulation since the ", " separator is now here as well as in the
HTTPHeaderMap class. Would be nice to find some way to avoid those problems
will still fixing this.

> Source/WebCore/platform/network/HTTPParsers.cpp:882
> +    return value.length() <= 128;

Why not put this check first? Then we wouldn’t need to make those other
changes. Also needs a brief "why" comment, I think. Not obvious that a 129
character string isn’t safe, but easy to explain with a reference to where that
rule is defined, or even just an "its a rule" remark.

More information about the webkit-reviews mailing list