[Webkit-unassigned] [Bug 165178] New: Require preflight for non-standard CORS-safelisted request headers Accept, Accept-Language, and Content-Language
bugzilla-daemon at webkit.org
Tue Nov 29 17:33:58 PST 2016
https://bugs.webkit.org/show_bug.cgi?id=165178
Bug ID: 165178
Summary: Require preflight for non-standard CORS-safelisted request headers Accept, Accept-Language, and Content-Language
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: wilander at apple.com
Fetch currently only restricts the header Content-Type for simple requests: https://fetch.spec.whatwg.org/#cors-safelisted-request-header
This means simple CORS requests can send unexpected characters in Accept, Accept-Language, and Content-Language header values.
RFC 7231 implies restrictions on these header values:
Accept https://tools.ietf.org/html/rfc7231#section-5.3.2
Accept-Language https://tools.ietf.org/html/rfc7231#section-5.3.5
Content-Language https://tools.ietf.org/html/rfc7231#section-3.1.3.2
As per discussions in the W3C WebAppSec group we should try to restrict these header values to help protect servers that do not expect simple CORS requests.
Non-standard header values should trigger a preflight and require the headers to be whitelisted in the response's Access-Control-Allow-Headers.
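The following is an added illustration of the proposed rule, not code from WebKit or the bug report: a small classifier that decides whether a cross-origin request can go out as a simple request or must be preflighted, applying value restrictions to Accept, Accept-Language and Content-Language alongside the Content-Type restriction Fetch already has, and a second check that verifies the preflight response's Access-Control-Allow-Headers covers every non-safelisted header. The character classes (a language-tag list limited to alphanumerics, '-', '*', ',', ';', '=', '.' and space; an Accept value free of control bytes, non-ASCII bytes and HTTP delimiters such as quotes, parentheses and braces) are an assumption derived from the RFC 7231 grammar linked above, not the exact rule WebKit or the Fetch spec adopted. All header values and function names below are constructed for the example.

```javascript
// Added example (not WebKit's code): classify a cross-origin request as
// "simple" (no preflight) or "needs preflight", applying value restrictions to
// Accept, Accept-Language and Content-Language in addition to the existing
// Content-Type restriction. Character classes are an assumption based on the
// RFC 7231 grammar for these headers, not the rule WebKit actually shipped.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Content-Type is already restricted by Fetch: only these three media types.
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Assumed grammar for a language-tag list (Accept-Language / Content-Language):
// language tags (ALPHA, DIGIT, '-'), wildcards, commas and q-value parameters.
const LANGUAGE_LIST_RE = /^[A-Za-z0-9 *,\-.;=]+$/;

// Assumed restriction for Accept and Content-Type values: no control bytes
// (tab excepted), no non-ASCII bytes, and none of the HTTP delimiters that a
// plain media-range list does not need. Quoted-string parameters therefore
// count as non-standard and force a preflight (a deliberate design choice).
const ACCEPT_UNSAFE_RE = /[\x00-\x08\x0A-\x1F\x7F"():<>?@\[\\\]{}]|[^\x00-\x7F]/;

function contentTypeIsSafelisted(value) {
  // The essence is the media type without parameters, compared case-insensitively.
  const essence = value.split(";")[0].trim().toLowerCase();
  return SAFELISTED_CONTENT_TYPES.has(essence) && !ACCEPT_UNSAFE_RE.test(value);
}

// True when an author-set header may travel on a simple request.
function headerIsSafelisted(name, value) {
  switch (name.toLowerCase()) {
    case "accept":
      return !ACCEPT_UNSAFE_RE.test(value);
    case "accept-language":
    case "content-language":
      return LANGUAGE_LIST_RE.test(value);
    case "content-type":
      return contentTypeIsSafelisted(value);
    default:
      return false; // any other author-set header always forces a preflight
  }
}

// headers: plain object mapping header name -> value set by the page's script.
// Returns whether a preflight is required and which parts of the request caused it.
function needsPreflight(method, headers) {
  const reasons = [];
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) {
    reasons.push(`method ${method}`);
  }
  for (const [name, value] of Object.entries(headers)) {
    if (!headerIsSafelisted(name, value)) reasons.push(`header ${name}`);
  }
  return { preflight: reasons.length > 0, reasons };
}

// Second half of the proposal: after a preflight, every non-safelisted request
// header must be listed explicitly in the response's Access-Control-Allow-Headers
// (this simplified check does not treat "*" as a wildcard).
function preflightAllowsHeaders(requestHeaders, allowHeadersValue) {
  const allowed = new Set(
    allowHeadersValue.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
  const missing = [];
  for (const [name, value] of Object.entries(requestHeaders)) {
    if (!headerIsSafelisted(name, value) && !allowed.has(name.toLowerCase())) {
      missing.push(name);
    }
  }
  return { allowed: missing.length === 0, missing };
}

// Constructed sample: a well-formed language list stays simple, a value with
// unexpected characters does not.
console.log(needsPreflight("GET", { "Accept-Language": "en-US,en;q=0.8" }));
console.log(needsPreflight("POST", { "Content-Type": "text/plain", "Accept-Language": "en{US}" }));
```

The classifier is the browser-side view; the server-side point of the bug report is that a server which never expected a simple request with odd Accept or language values now sees a preflight first, and can decline it by leaving those headers out of Access-Control-Allow-Headers.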