[Webkit-unassigned] [Bug 88139] The value in Access-Control-Allow-Origin is not being matched correctly for CORS-enabled requests

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 4 15:15:36 PDT 2012


--- Comment #11 from Alexey Proskuryakov <ap at webkit.org>  2012-06-04 15:15:35 PST ---
(From update of attachment 145633)
View in context: https://bugs.webkit.org/attachment.cgi?id=145633&action=review

> Source/WebCore/loader/CrossOriginAccessControl.cpp:152
>      // FIXME: Access-Control-Allow-Origin can contain a list of origins.
> -    RefPtr<SecurityOrigin> accessControlOrigin = SecurityOrigin::createFromString(accessControlOriginString);
> -    if (!accessControlOrigin->isSameSchemeHostPort(securityOrigin)) {
> +    if (accessControlOriginString != securityOrigin->toString()) {

I guess one way this could actually cause a compatibility regression is when Access-Control-Allow-Origin has a list of origins, which we used to mis-parse as a single one. In that case, scheme host and port could reasonably matched securityOrigin for the first item. So maybe we should address the FIXME now or very soon.

Is this relying on both accessControlOriginString and securityOrigin->toString() being lowercase? I cannot immediately see why they are.

> LayoutTests/http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php:3
> -header("Access-Control-Allow-Origin:");
> +header("Access-Control-Allow-Origin:");

Hmm. So all tests using this script used to fail in Firefox?

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list