[Webkit-unassigned] [Bug 68032] New: Banned request headers sent in XHR calls to cross-domain targets

Tue Sep 13 14:44:08 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=68032

           Summary: Banned request headers sent in XHR calls to
                    cross-domain targets
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://iop4.nokia-boston.com/users/HTML5/xhrSecurity/t
                    ests/resources/manual.html
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebKit2
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: venkat.2.penukonda at nokia.com
                CC: laszlo.1.gombos at nokia.com

1. Launch MiniBrowser browser and load: 
http://iop4.nokia-boston.com/users/HTML5/xhrSecurity/tests/resources/manual.html
2. Click on each of the links of Link#7, Link#9 to Link#13
3. Result in each of the test pages show failure.
…

EXPECTED OUTCOME:
Should show Success

Details:
These tests try to detect if the banned headers are sent to a cross-domain
target in a XHR request. These headers are:
•    Accept-Encoding
•    Accept-Charset
•    Accept-Language
•    User-Agent
•    Referer
•    Host
These are not expected to be sent to a cross-domain target as per Browser security handbook at:
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_XMLHttpRequest

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.