[Webkit-unassigned] [Bug 272740] New: NUL bytes in header values allowed for fetch-API

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 16 03:57:17 PDT 2024


            Bug ID: 272740
           Summary: NUL bytes in header values allowed for fetch-API
           Product: WebKit
           Version: Safari 17
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jannis.rautenstrauch at cispa.de

Fetching a resource that contains a NUL byte in a header value using the fetch API does not result in an error in WebKit and even things such as HSTS work on such responses.
Firefox and Chromium throw a network error for such cases.

Example response: `strict-transport-security: max-age=20; in\u0000cludeSubDomains`
Example URL: http://sub.headers.websec.saarland/_hp/tests/upgrade-hsts.sub.html?resp_type=parsing&browser_id=1&label=HSTS&first_id=32575&last_id=32575&scheme=http&t_resp_id=32575&t_element_relation=direct_direct&t_resp_origin=https://sub.headers.websec.saarland

Seems to only be happening for `fetch`, img responses with \x00 in a header value seem to be blocked: https://bugs.webkit.org/show_bug.cgi?id=272739

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240416/ed7ae336/attachment-0001.htm>

More information about the webkit-unassigned mailing list