[Webkit-unassigned] [Bug 88139] New: The value in Access-Control-Allow-Origin is not being matched correctly for CORS-enabled requests
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Jun 1 14:59:35 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=88139
Summary: The value in Access-Control-Allow-Origin is not being
matched correctly for CORS-enabled requests
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
URL: http://www.w3c-test.org/webappsec/tests/cors/submitted
/opera/js/origin.htm
OS/Version: Unspecified
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: pablof at motorola.com
CC: abarth at webkit.org
Step 3 of the resource sharing check algorithm in http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-sharing-check says:
[[
3. If the value of Access-Control-Allow-Origin is not a case-sensitive match for the value of the Origin header as defined by its specification, return fail and terminate this algorithm.
]]
Right now the value in Access-Control-Allow-Origin is compared via SecurityOrigin::isSameSchemeHostPort(), so the url is parsed and (i presume) normalized.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list