[Webkit-unassigned] [Bug 68032] New: Banned request headers sent in XHR calls to cross-domain targets
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Sep 13 14:44:08 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=68032
Summary: Banned request headers sent in XHR calls to
cross-domain targets
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
URL: http://iop4.nokia-boston.com/users/HTML5/xhrSecurity/t
ests/resources/manual.html
OS/Version: Linux
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: WebKit2
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: venkat.2.penukonda at nokia.com
CC: laszlo.1.gombos at nokia.com
1. Launch MiniBrowser browser and load:
http://iop4.nokia-boston.com/users/HTML5/xhrSecurity/tests/resources/manual.html
2. Click on each of the links of Link#7, Link#9 to Link#13
3. Result in each of the test pages show failure.
…
EXPECTED OUTCOME:
Should show Success
Details:
These tests try to detect if the banned headers are sent to a cross-domain
target in a XHR request. These headers are:
• Accept-Encoding
• Accept-Charset
• Accept-Language
• User-Agent
• Referer
• Host
These are not expected to be sent to a cross-domain target as per Browser security handbook at:
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_XMLHttpRequest
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list