[Webkit-unassigned] [Bug 66909] XMLHttpRequest method/header validation is not available for other untrusted HTTP requests.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Aug 24 20:30:34 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=66909
--- Comment #2 from David Levin <levin at chromium.org> 2011-08-24 20:30:34 PST ---
(From update of attachment 105104)
View in context: https://bugs.webkit.org/attachment.cgi?id=105104&action=review
I like the overall approach. I have a few misc comments that I happened to see.
I do wonder if these should be in XMLHttpRequest since the calls are for other untrusted HTTP requests.
> Source/WebCore/xml/XMLHttpRequest.cpp:5
> * Copyright (C) 2008 David Levin <levin at chromium.org>
You can remove this line. I put it there before I understood that we were to use "Google Inc." so the next line is better.
> Source/WebCore/xml/XMLHttpRequest.cpp:361
> +// This array must remain in lexicographical order for the binary search to work.
It would be good to write some debug code somewhere to verify that it is in order.
> Source/WebCore/xml/XMLHttpRequest.cpp:388
> + return strcmp((const char*) a, *(const char**) b);
Use C++ style casts.
> Source/WebCore/xml/XMLHttpRequest.cpp:393
> + void* forbidden = bsearch(name.utf8().data(), forbiddenHeaders, ARRAYSIZE_UNSAFE(forbiddenHeaders), sizeof(const char*), compareHeader);
It would feel better to me to express the sizeof in terms of forbiddenHeaders.
> Source/WebCore/xml/XMLHttpRequest.h:4
> + * Copyright (C) 2008, 2011 Google Inc. All rights reserved.
I don't know where the "2008., " comes from for this one.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list