[Webkit-unassigned] [Bug 36854] New: Body from preflighted Cross-Origin request is prepended to the actual request body
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Mar 30 14:42:58 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=36854
Summary: Body from preflighted Cross-Origin request is
prepended to the actual request body
Product: WebKit
Version: 528+ (Nightly build)
Platform: Macintosh Intel
URL: http://jbei-exwebapp.lbl.gov/maschup/webkit_xdr_bug.ht
ml
OS/Version: Mac OS X 10.5
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: hirenj at gmail.com
For a pre-flighted request (triggered for example when the X-Requested-With
header is set), any data returned by the preflight request is prepended to the
actual request data.
In the given url, a cross-domain request is triggered to a simple echo
resource. The output for this resource is static, and sets the Access control
headers to enable cross-origin requests:
curl -i 'http://131.243.44.83/maschup/webkit_xdr_bug.pl'
HTTP/1.1 200 OK
Date: Tue, 30 Mar 2010 21:34:50 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch
Access-control-allow-headers: X-Requested-With
Access-control-max-age: 1728000
Access-control-allow-origin: *
Access-control-allow-methods: *
Vary: Accept-Encoding
Content-Length: 4
Content-Type: text/plain
echo
The output from this echo script is always static, and always returns the
Access-Control headers.
When a cross-domain request is triggered from within a recent webkit (i.e.
nightly webkit, or Chrome), the responseText contains the body from the
preflight request as well as the body from the actual request.
This can be seen at the page given in the URL
(http://jbei-exwebapp.lbl.gov/maschup/webkit_xdr_bug.html).
The HTTP specifications don't seem to say what the user-agent should do with
the body of the request. Firefox (3.6.2) returns only the body from the actual
request, and Safari (4.0.5 (5531.22.7) OS X 10.5) also returns only the body
from the actual request.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list