Bug 161902

Summary: [Fetch API] Referrer and Origin header should not be considered as safe request headers
Product: WebKit Reporter: youenn fablet <youennf>
Component: WebCore Misc.Assignee: youenn fablet <youennf>
Status: RESOLVED FIXED    
Severity: Normal CC: cdumez, commit-queue, dbates, japhet
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 151937    
Bug Blocks:    
Attachments:
Description Flags
Patch none

youenn fablet
Reported 2016-09-13 04:06:47 PDT
As stated in https://fetch.spec.whatwg.org/#cors-safelisted-request-header, Referrer and Origin are not safe request headers.
Attachments
Patch (26.42 KB, patch)
2016-09-13 05:26 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
youenn fablet
Comment 1 2016-09-13 04:07:20 PDT
As per fetch, these headers are set after preflighting.
youenn fablet
Comment 2 2016-09-13 05:26:41 PDT
Created attachment 288688 [details] Patch
Alex Christensen
Comment 3 2016-09-13 10:54:23 PDT
Comment on attachment 288688 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=288688&action=review > Source/WebCore/Modules/fetch/FetchLoader.cpp:96 > + if (referrer == "no-referrer") { Should this be a case-insensitive comparison? > Source/WebCore/Modules/fetch/FetchLoader.cpp:100 > + referrer = (referrer == "client") ? context.url().strippedForUseAsReferrer() : URL(context.url(), referrer).strippedForUseAsReferrer(); ditto
youenn fablet
Comment 4 2016-09-13 11:30:07 PDT
(In reply to comment #3) > Comment on attachment 288688 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=288688&action=review > > > Source/WebCore/Modules/fetch/FetchLoader.cpp:96 > > + if (referrer == "no-referrer") { > > Should this be a case-insensitive comparison? This is not necessary. > > Source/WebCore/Modules/fetch/FetchLoader.cpp:100 > > + referrer = (referrer == "client") ? context.url().strippedForUseAsReferrer() : URL(context.url(), referrer).strippedForUseAsReferrer(); > > ditto This is not necessary either. "client" is a string computed within FetchRequest when given parameter is about:client or ABOUT:client. We could add a test for different "about" casing, but this is not related to this patch. In another patch, as a small improvement, we could make fetch referrer as a structure instead of a string. That would allow to remove the need for string comparison.
WebKit Commit Bot
Comment 5 2016-09-16 00:35:53 PDT
Comment on attachment 288688 [details] Patch Clearing flags on attachment: 288688 Committed r206009: <http://trac.webkit.org/changeset/206009>
WebKit Commit Bot
Comment 6 2016-09-16 00:36:02 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.