[Webkit-unassigned] [Bug 88139] The value in Access-Control-Allow-Origin is not being matched correctly for CORS-enabled requests

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 4 15:28:54 PDT 2012


--- Comment #12 from Pablo Flouret <pablof at motorola.com>  2012-06-04 15:28:53 PST ---
(In reply to comment #11)
> (From update of attachment 145633 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=145633&action=review
> > Source/WebCore/loader/CrossOriginAccessControl.cpp:152
> >      // FIXME: Access-Control-Allow-Origin can contain a list of origins.
> > -    RefPtr<SecurityOrigin> accessControlOrigin = SecurityOrigin::createFromString(accessControlOriginString);
> > -    if (!accessControlOrigin->isSameSchemeHostPort(securityOrigin)) {
> > +    if (accessControlOriginString != securityOrigin->toString()) {
> I guess one way this could actually cause a compatibility regression is when Access-Control-Allow-Origin has a list of origins, which we used to mis-parse as a single one. In that case, scheme host and port could reasonably matched securityOrigin for the first item. So maybe we should address the FIXME now or very soon.

Does SecurityOrigin::createFromString() create a valid origin for the first url if accessControlOriginString is a list? I assumed the FIXME meant that having a list of origins would just not work at all. I'll look into it.

> Is this relying on both accessControlOriginString and securityOrigin->toString() being lowercase? I cannot immediately see why they are.

The url used for the security origin is lowercased when the SecurityOrigin is created. And then the comparison is case-sensitive with the value of Access-Control-Allow-Origin. The test covers this, but i didn't realize the test is run from, hmm. Any suggestions?

> > LayoutTests/http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php:3
> > -header("Access-Control-Allow-Origin:");
> > +header("Access-Control-Allow-Origin:");
> Hmm. So all tests using this script used to fail in Firefox?

Yes, it seems like it.

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list