[Webkit-unassigned] [Bug 88139] New: The value in Access-Control-Allow-Origin is not being matched correctly for CORS-enabled requests

Fri Jun 1 14:59:35 PDT 2012

https://bugs.webkit.org/show_bug.cgi?id=88139

           Summary: The value in Access-Control-Allow-Origin is not being
                    matched correctly for CORS-enabled requests
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
               URL: http://www.w3c-test.org/webappsec/tests/cors/submitted
                    /opera/js/origin.htm
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: pablof at motorola.com
                CC: abarth at webkit.org

Step 3 of the resource sharing check algorithm in http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-sharing-check says:
[[
3. If the value of Access-Control-Allow-Origin is not a case-sensitive match for the value of the Origin header as defined by its specification, return fail and terminate this algorithm.
]]

Right now the value in Access-Control-Allow-Origin is compared via SecurityOrigin::isSameSchemeHostPort(), so the url is parsed and (i presume) normalized.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.