[Webkit-unassigned] [Bug 66909] New: XMLHttpRequest method/header validation is not available for other untrusted HTTP requests.
bugzilla-daemon at webkit.org
Wed Aug 24 17:43:25 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=66909
Summary: XMLHttpRequest method/header validation is not available for other untrusted HTTP requests.
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Platform
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: bbudge at gmail.com
CC: ap at webkit.org, levin at chromium.org
Created an attachment (id=105104)
--> (https://bugs.webkit.org/attachment.cgi?id=105104&action=review)
Preliminary patch, to get guidance from domain experts
It would be convenient if we could reuse the HTTP method / header restriction checks in XMLHttpRequest for other uses. Currently this logic is private. The obvious way to do this is to expose the validation checks as static methods on the class.
A problem with this is that a static HashSet is used to speed header field checks, and this is initialized in a complex way in the constructor. The attachment uses a static sorted array of c-strings instead, and uses binary search to determine if the field is forbidden. This requires a conversion of the UTF16 String to a UTF-8 c-string before checking.
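The sorted-table lookup described in the report, as an added example (not the code in attachment 105104 and not WebKit's own). `std::u16string` stands in for WebKit's `String`, the function names are hypothetical, and the header list is assumed from the XMLHttpRequest specification's forbidden request headers.

```cpp
#include <algorithm>
#include <cstdio>
#include <cstring>
#include <iterator>
#include <string>

// Lowercase, sorted bytewise. List assumed from the XMLHttpRequest spec.
static const char* const kForbiddenHeaders[] = {
    "accept-charset", "accept-encoding", "access-control-request-headers",
    "access-control-request-method", "connection", "content-length",
    "content-transfer-encoding", "cookie", "cookie2", "date", "expect",
    "host", "keep-alive", "origin", "referer", "te", "trailer",
    "transfer-encoding", "upgrade", "user-agent", "via",
};

static bool lessCString(const char* a, const char* b) {
    return std::strcmp(a, b) < 0;
}

// A binary search over an unsorted table misses entries and so fails open.
// Check the ordering once (debug assert or unit test) when the table changes.
bool forbiddenTableIsSorted() {
    return std::is_sorted(std::begin(kForbiddenHeaders),
                          std::end(kForbiddenHeaders), lessCString);
}

bool isForbiddenHeader(const std::u16string& name) {
    std::string key;
    key.reserve(name.size());
    for (char16_t c : name) {
        // Every table entry is ASCII without NUL, so a NUL or non-ASCII code
        // unit cannot match. Rejecting NUL here also keeps "cookie\0x" from
        // being truncated to "cookie" by the C-string comparison below.
        if (c == 0 || c > 0x7F)
            return false;
        if (c >= 'A' && c <= 'Z')
            c += 'a' - 'A';  // header field names are case-insensitive
        key.push_back(static_cast<char>(c));
    }
    return std::binary_search(std::begin(kForbiddenHeaders),
                              std::end(kForbiddenHeaders), key.c_str(), lessCString);
}

int main() {
    std::printf("sorted=%d Cookie=%d X-Custom=%d\n", forbiddenTableIsSorted(),
                isForbiddenHeader(u"Cookie"), isForbiddenHeader(u"X-Custom"));
    return 0;
}
```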