[Webkit-unassigned] [Bug 66909] New: XMLHttpRequest method/header validation is not available for other untrusted HTTP requests.

bugzilla-daemon at webkit.org
Wed Aug 24 17:43:25 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=66909

           Summary: XMLHttpRequest method/header validation is not
                    available for other untrusted HTTP requests.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Platform
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: bbudge at gmail.com
                CC: ap at webkit.org, levin at chromium.org


Created an attachment (id=105104)
 --> (https://bugs.webkit.org/attachment.cgi?id=105104&action=review)
Preliminary patch, to get guidance from domain experts

It would be convenient if we could reuse the HTTP method / header restriction checks in XMLHttpRequest for other uses. Currently this logic is private. The obvious way to do this is to expose the validation checks as static methods on the class.

A problem with this is that a static HashSet is used to speed header field checks, and this is initialized in a complex way in the constructor. The attachment uses a static sorted array of C strings instead, and uses binary search to determine if the field is forbidden. This requires a conversion of the UTF-16 String to a UTF-8 C string before checking.

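The sorted-array lookup described in the report, as an added example that is not the attached patch or any WebKit code. Assumptions: all function and table names are hypothetical, the forbidden names are taken from the XMLHttpRequest specification rather than from this page, and instead of a general UTF-16 to UTF-8 conversion the sketch rejects any name that is not an ASCII HTTP token.

```cpp
// Added example; not WebKit code. All names here are hypothetical.
#include <algorithm>
#include <cstring>
#include <iterator>
#include <string>

// Forbidden request headers from the XMLHttpRequest specification, lowercase
// and in strcmp order so the table can be binary-searched.
static const char* const kForbiddenHeaders[] = {
    "accept-charset", "accept-encoding", "access-control-request-headers",
    "access-control-request-method", "connection", "content-length",
    "content-transfer-encoding", "cookie", "cookie2", "date", "expect",
    "host", "keep-alive", "origin", "referer", "te", "trailer",
    "transfer-encoding", "upgrade", "user-agent", "via",
};
static bool lessCStr(const char* a, const char* b) { return std::strcmp(a, b) < 0; }

// Binary search silently misses entries in an unsorted table; check at startup.
bool forbiddenTableIsSorted() {
    return std::is_sorted(std::begin(kForbiddenHeaders), std::end(kForbiddenHeaders), lessCStr);
}

// Narrow UTF-16 to lowercase ASCII; fail on anything that is not an RFC 2616
// token character, so non-ASCII or control characters never reach the search.
static bool toLowerToken(const std::u16string& in, std::string& out) {
    out.clear();
    for (char16_t u : in) {
        if (u <= 0x20 || u >= 0x7f || std::strchr("()<>@,;:\\\"/[]?={}", static_cast<char>(u)))
            return false;
        out.push_back(static_cast<char>(u >= u'A' && u <= u'Z' ? u + 32 : u));
    }
    return !out.empty();
}

bool isAllowedRequestHeader(const std::u16string& name) {
    std::string key;
    if (!toLowerToken(name, key))
        return false; // not a valid header field-name
    if (key.compare(0, 6, "proxy-") == 0 || key.compare(0, 4, "sec-") == 0)
        return false; // forbidden prefixes
    return !std::binary_search(std::begin(kForbiddenHeaders), std::end(kForbiddenHeaders),
                               key.c_str(), lessCStr);
}

bool isAllowedRequestMethod(const std::u16string& method) {
    std::string m;
    if (!toLowerToken(method, m)) return false;
    return m != "connect" && m != "trace" && m != "track";
}
```

Because the table is static data with no constructor-time setup, the checks can be called from any untrusted request path; the sortedness check belongs in a debug assertion or unit test so a misplaced entry cannot quietly disable a restriction.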