New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 642346 link

Starred by 1 user
Status: Verified
Owner:
tyoshino@chromium.org
Leaves the project on 2018/03/02
Closed: Sep 2016
Cc:
mkwst@chromium.org
igrigo...@chromium.org
jww@chromium.org
mmenke@chromium.org
annevank...@gmail.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug



Sign in to add a comment

XHR POST cross-origin media type check ignores whitespace

Reported by julian.r...@googlemail.com, Aug 30 2016 
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.80 Safari/537.36

Example URL:

Steps to reproduce the problem:
Apparently, when checking the content-type for simple requests, whitespace *inside* the Content-Type header field value is ignored.

That is, a content-type of

  "text/plai n"

is treated just like

  "text/plain".

(and the latter is sent over the wire).

What is the expected behavior?
The field value should either be used as specified (causing a preflight), or the request could be rejected due to the media type being syntactially incorrect.

What went wrong?
Apparently there's over-eager fied value normalization happening.

Did this work before? N/A 

Chrome version: 53.0.2785.80  Channel: beta
OS Version: 10.0
Flash Version:

Comment 1 by annevank...@gmail.com, Aug 30 2016

Cc: annevank...@gmail.com

Comment 2 by mmenke@chromium.org, Aug 30 2016

Cc: jww@chromium.org mkwst@chromium.org mmenke@chromium.org
Components: -Internals>Network Blink>SecurityFeature
I'm not an expert on CORS, but aren't preflights only sent before requests are issued?  (i.e., not after we've sent the request and gotten the mime type).

Skimming over the code, does not look to me like out mime sniffy should trigger on this case.

Comment 3 Deleted

Comment 4 by igrigo...@chromium.org, Aug 31 2016

Cc: igrigo...@chromium.org

Comment 5 by julian.r...@googlemail.com, Aug 31 2016 

It's about the media type on the *request* (set through XHR), not the *response*. See example in <https://issues.apache.org/jira/browse/JCR-4002?focusedCommentId=15418909&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15418909>.

Comment 6 by mkwst@chromium.org, Aug 31 2016

Components: Blink>Network>XHR
Labels: Security_Impact-Stable Security_Severity-Low OS-Android OS-Chrome OS-Linux OS-Mac
Owner: tyoshino@chromium.org
Yeah, this looks like an issue in our XHR implementation. I agree that `xhr.setRequestHeader("Content-Type", "text/p laiN");` should force a preflight, as the content type is no longer simple.

tyoshino@, would you mind either taking a look at this yourself, or delegating to someone to poke at it? It looks like it's failing in 52 as well, so this has probably been around for a while.

Comment 7 by candr...@chromium.org, Aug 31 2016

Status: Assigned (was: Unconfirmed)

Comment 8 by tyoshino@chromium.org, Sep 2 2016 

This is a long-lived bug in extractMIMETypeFromMediaType(). Reading https://bugs.webkit.org/show_bug.cgi?id=8644, I think it's not at all controversial but just didn't get change to get fixed.

I'll fix it.

Comment 9 by tyoshino@chromium.org, Sep 5 2016

Status: Started (was: Assigned)
https://codereview.chromium.org/2310783003/
Project Member

Comment 10 by bugdroid1@chromium.org, Sep 6 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7e8584afcaa263a69c49a36e9380bc7a715e2284

commit 7e8584afcaa263a69c49a36e9380bc7a715e2284
Author: tyoshino <tyoshino@chromium.org>
Date: Tue Sep 06 05:27:22 2016

Stop ignoring whitespaces in the middle of MIME type in a Content-Type header

extractMIMETypeFromMediaType() has been treating \n (0x0a), \v (0x0b),
\f (0x0c), \r (0x0d) and Unicode characters with BIDI property WS as
white space in addition to the OWS characters SP (0x20) and HTAB (0x09).
These characters were trimmed not only from the head and tail of the
type/subtype part but also from the middle of the value, i.e. when
"te xt/ht ml" is received it's automatically normalized into
"text/html".

This CL fixes this spec violation partially by:
- limiting characters which are dealt with as whitespaces to only SP
  and HTAB as specified in the RFC 7230
- stop trimming white space characters (including SP and HTAB) from the
  middle of type/subtype value

We don't add full ABNF validation to drop everything that doesn't
conform to the media-type ABNF as we're not sure how much the result
of such strict fixing would be.

See also https://bugs.webkit.org/show_bug.cgi?id=8644

R=mkwst@chromium.org
BUG= 642346 

Review-Url: https://codereview.chromium.org/2310783003
Cr-Commit-Position: refs/heads/master@{#416586}

[modify] https://crrev.com/7e8584afcaa263a69c49a36e9380bc7a715e2284/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/supported-xml-content-types-invalid-1-expected.txt
[modify] https://crrev.com/7e8584afcaa263a69c49a36e9380bc7a715e2284/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/supported-xml-content-types-invalid-1.html
[modify] https://crrev.com/7e8584afcaa263a69c49a36e9380bc7a715e2284/third_party/WebKit/Source/platform/network/HTTPParsers.cpp
[modify] https://crrev.com/7e8584afcaa263a69c49a36e9380bc7a715e2284/third_party/WebKit/Source/platform/network/HTTPParsers.h
[modify] https://crrev.com/7e8584afcaa263a69c49a36e9380bc7a715e2284/third_party/WebKit/Source/platform/network/HTTPParsersTest.cpp

Comment 11 by tyoshino@chromium.org, Sep 6 2016

Labels: M-55
Status: Fixed (was: Started)

Comment 12 by abod...@chromium.org, Dec 9 2016

Status: Verified (was: Fixed)

Sign in to add a comment