[Webkit-unassigned] [Bug 63460] CORS should only deal with request headers set by script authors

bugzilla-daemon at webkit.org
Mon Aug 22 11:40:53 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=63460


David Levin <levin at chromium.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|levin at chromium.org          |webkit-unassigned at lists.web
                   |                            |kit.org
         Depends on|66340                       |




--- Comment #18 from David Levin <levin at chromium.org>  2011-08-22 11:40:52 PST ---
(In reply to comment #12)
> (In reply to comment #8)
> > Created an attachment (id=104586)
> > --> (https://bugs.webkit.org/attachment.cgi?id=104586&action=review)
> > Patch
> 
> What about request headers set by the implementation that are not in UserAgentHeaderData, such as Cache-Control and Last-Event-ID set by EventSource? Those headers should trigger a preflight when set by authors using XHR and thus can't be added to the list. That's why I tried to keep track of which headers are actually set by the implementation and which are set by the author.

I don't think that keeping track of headers sent by the author and headers set by the implementation is the correct way of thinking about the problem.

IMO, instead one should think of what headers to whitelist. It really doesn't matter how they are set if the request could do malicious things on the server, which seems to be the real purpose of deciding whether to do a preflight request or not.

Regardless, I've withdrawn this patch to allow anyone else to take it up as they see fit.

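Added example (not code from the bug's patch or from WebKit's source): a preflight decision written the way comment #18 argues for, as a whitelist over the request's method and headers that never asks who set a header. The safelist is the simple-request set the CORS spec defined at the time (methods GET, HEAD, POST; headers Accept, Accept-Language, Content-Language, and Content-Type limited to application/x-www-form-urlencoded, multipart/form-data and text/plain); later Fetch revisions add further conditions such as value-length limits, which are omitted here. The function names, the header merge rule (author-set headers replace implementation-set ones on a name clash) and the sample requests are this example's own assumptions and constructed inputs.

```javascript
// Added example, not WebKit code: a preflight decision that depends only on
// the request's method and headers, never on whether script or the browser's
// own implementation (e.g. EventSource) added a header.
//
// Safelist as the CORS spec of the time defined "simple" requests. Later
// Fetch revisions add extra constraints (value length limits etc.), omitted.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// True if a single header name/value pair is on the simple-header whitelist.
function isSimpleHeader(name, value) {
  const key = String(name).trim().toLowerCase();
  if (!SIMPLE_HEADERS.has(key)) return false;
  if (key === 'content-type') {
    // Only the media type counts; parameters such as charset are ignored.
    const mime = String(value).split(';')[0].trim().toLowerCase();
    return SIMPLE_CONTENT_TYPES.has(mime);
  }
  return true;
}

// Decide whether a cross-origin request needs a preflight.
// `headers` is a plain object {name: value} holding every header the request
// will carry, already merged from all sources, so this function cannot tell
// (and does not care) who set each one.
// Returns {preflight: boolean, reasons: string[]}.
function preflightDecision(method, headers) {
  const reasons = [];
  const m = String(method).toUpperCase();
  if (!SIMPLE_METHODS.has(m)) reasons.push(`method ${m}`);
  for (const [name, value] of Object.entries(headers)) {
    if (!isSimpleHeader(name, value)) reasons.push(`header ${name.toLowerCase()}`);
  }
  return { preflight: reasons.length > 0, reasons };
}

// Assemble the request's header set from headers the implementation adds
// (e.g. EventSource's Cache-Control and Last-Event-ID on reconnect) and
// headers the author set via setRequestHeader(). Assumption made for this
// example: on a name clash the author's value replaces the implementation's.
function mergeHeaders(implementationHeaders, authorHeaders) {
  const merged = {};
  for (const src of [implementationHeaders, authorHeaders]) {
    for (const [name, value] of Object.entries(src)) merged[name.toLowerCase()] = value;
  }
  return merged;
}

// Worked cases (constructed inputs, not captured traffic).
// EventSource reconnect: the implementation itself sets both headers.
const eventSourceReconnect = preflightDecision('GET', mergeHeaders(
  { 'Cache-Control': 'no-cache', 'Last-Event-ID': '42' }, {}));
// A script setting the very same two headers through XHR.
const xhrWithSameHeaders = preflightDecision('GET', mergeHeaders(
  {}, { 'Cache-Control': 'no-cache', 'Last-Event-ID': '42' }));
// A form-style post with a UA-set Accept-Language stays a simple request.
const formPost = preflightDecision('POST', mergeHeaders(
  { 'Accept-Language': 'en-US' }, { 'Content-Type': 'text/plain;charset=UTF-8' }));
// A JSON body is not on the Content-Type whitelist.
const jsonPost = preflightDecision('POST', { 'Content-Type': 'application/json' });

console.log({ eventSourceReconnect, xhrWithSameHeaders, formPost, jsonPost });
```

Run with node. The two Cache-Control/Last-Event-ID cases come out identical, which is the property the comment is after: EventSource's reconnect headers and the same headers set by script through XHR both trigger a preflight, because the decision is a property of the request on the wire, not of who built it.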