[Webkit-unassigned] [Bug 88139] The value in Access-Control-Allow-Origin is not being matched correctly for CORS-enabled requests

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 4 17:46:59 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=88139





--- Comment #15 from Pablo Flouret <pablof at motorola.com>  2012-06-04 17:46:58 PST ---
(In reply to comment #11)
> (From update of attachment 145633 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=145633&action=review
> 
> > Source/WebCore/loader/CrossOriginAccessControl.cpp:152
> >      // FIXME: Access-Control-Allow-Origin can contain a list of origins.
> > -    RefPtr<SecurityOrigin> accessControlOrigin = SecurityOrigin::createFromString(accessControlOriginString);
> > -    if (!accessControlOrigin->isSameSchemeHostPort(securityOrigin)) {
> > +    if (accessControlOriginString != securityOrigin->toString()) {
> 
> I guess one way this could actually cause a compatibility regression is when Access-Control-Allow-Origin has a list of origins, which we used to mis-parse as a single one. In that case, scheme host and port could reasonably matched securityOrigin for the first item. So maybe we should address the FIXME now or very soon.

This indeed happens, but i can't think of any examples of a list of urls that is interpreted as a single url and should still work with the spec as it stands now.

The only one example i can think of that comes close would be something like "http://localhost:8000/ http://example.org". But even if we parsed the list correctly, the trailing slash would be there and it wouldn't match.

Can you think of a problematic example?

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.



More information about the webkit-unassigned mailing list