[Webkit-unassigned] [Bug 251936] New: A Headers object with "request-no-cors" guard will accept non-safelisted headers with empty values
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Feb 8 10:23:39 PST 2023
https://bugs.webkit.org/show_bug.cgi?id=251936
Bug ID: 251936
Summary: A Headers object with "request-no-cors" guard will
accept non-safelisted headers with empty values
Product: WebKit
Version: Other
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: abotella at igalia.com
Per the fetch spec, if a Headers object has the "request-no-cors" guard, appending or setting a header will only succeed if the header is a no-CORS-safelisted request header (https://fetch.spec.whatwg.org/#no-cors-safelisted-request-header), which only includes the `Accept`, `Accept-Language`, `Content-Language` and `Content-Type` header names, and doesn't include all header values.
However, Webkit seems to accept any header as long as its value is the empty string.
A test for this is running the following code on the console:
const request = new Request("https://example.com", {mode: "no-cors"});
request.headers.append("X-Test", "fsdfsd");
request.headers.has("X-Test"); // false
request.headers.append("X-Test", "");
request.headers.has("X-Test"); // true
The last line prints false in Firefox and Chromium.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230208/af0efb61/attachment.htm>
More information about the webkit-unassigned
mailing list