[Webkit-unassigned] [Bug 66909] XMLHttpRequest method/header validation is not available for other untrusted HTTP requests.
bugzilla-daemon at webkit.org
Thu Aug 25 11:26:35 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=66909
--- Comment #9 from Alexey Proskuryakov <ap at webkit.org> 2011-08-25 11:26:34 PST ---
(From update of attachment 105223)
View in context: https://bugs.webkit.org/attachment.cgi?id=105223&action=review
Seems fine in general. However, since this patch only exposes existing functionality, the bar should be pretty high on how well it's exposed, particularly in regards to naming.
> Source/WebCore/xml/XMLHttpRequest.h:115
> + static bool isValidToken(const String&);
This method has nothing to do with XHR, it's pure HTTP. If it needs to be exposed, it should go into a new header in platform/network.
> Source/WebCore/xml/XMLHttpRequest.h:116
> + static bool isSafeMethod(const String&);
This needs a better name. Safe in what sense? There is nothing safe on the Internet.
> Source/WebCore/xml/XMLHttpRequest.h:117
> + static String canonicalizeMethod(const String&);
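Review bot: canonicalizeMethod at XMLHttpRequest.h:117 returns a String, but the quoted declaration does not say what a caller gets back for a method it does not recognise, nor whether isSafeMethod on line 116 expects its argument before or after this call. Once these are callable from outside XHR, a short comment on each declaration stating the return value for unrecognised input and the expected call order would keep new callers from checking the wrong form of the method string.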
This really needs a better name - "canonicalize" does not tell the reader anything about what's going to happen when it's not defined in relevant specs. It could as well be "transmogrify"!
> Source/WebCore/xml/XMLHttpRequest.h:118
> + static bool isSafeRequestHeader(const String&);
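Review bot: isSafeRequestHeader at XMLHttpRequest.h:118 takes a header name as a plain String, and HTTP header names are case-insensitive, yet the declaration does not say how case is handled. Suggest a comment stating that the comparison ignores case, so a caller outside XHR does not have to read the implementation to know whether a differently cased name is covered by the check.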
Same comment about "safe".
> Source/WebCore/xml/XMLHttpRequest.h:119
> + static bool isValidHeaderValue(const String&);
This method also has nothing to do with XHR, and shouldn't be exposed from here.