[Webkit-unassigned] [Bug 88139] The value in Access-Control-Allow-Origin is not being matched correctly for CORS-enabled requests
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Jun 4 15:28:54 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=88139
--- Comment #12 from Pablo Flouret <pablof at motorola.com> 2012-06-04 15:28:53 PST ---
(In reply to comment #11)
> (From update of attachment 145633 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=145633&action=review
>
> > Source/WebCore/loader/CrossOriginAccessControl.cpp:152
> > // FIXME: Access-Control-Allow-Origin can contain a list of origins.
> > - RefPtr<SecurityOrigin> accessControlOrigin = SecurityOrigin::createFromString(accessControlOriginString);
> > - if (!accessControlOrigin->isSameSchemeHostPort(securityOrigin)) {
> > + if (accessControlOriginString != securityOrigin->toString()) {
>
> I guess one way this could actually cause a compatibility regression is when Access-Control-Allow-Origin has a list of origins, which we used to mis-parse as a single one. In that case, scheme host and port could reasonably matched securityOrigin for the first item. So maybe we should address the FIXME now or very soon.
>
Does SecurityOrigin::createFromString() create a valid origin for the first url if accessControlOriginString is a list? I assumed the FIXME meant that having a list of origins would just not work at all. I'll look into it.
> Is this relying on both accessControlOriginString and securityOrigin->toString() being lowercase? I cannot immediately see why they are.
>
The url used for the security origin is lowercased when the SecurityOrigin is created. And then the comparison is case-sensitive with the value of Access-Control-Allow-Origin. The test covers this, but i didn't realize the test is run from 127.0.0.1, hmm. Any suggestions?
> > LayoutTests/http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php:3
> > -header("Access-Control-Allow-Origin: http://127.0.0.1:8000/");
> > +header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
>
> Hmm. So all tests using this script used to fail in Firefox?
Yes, it seems like it.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list