Whitespace is not trimmed from multiple Referrer-Policy header field values |
||
Issue descriptionSecurityPolicy::referrerPolicyFromHeaderValue() does not trim whitespace from the comma-split tokens. So a header of Referrer-Policy: no-referrer, origin will be treated as no-referrer; the second token is parsed as " origin" and does not match a valid policy. Per https://tools.ietf.org/html/rfc2616#section-4.2 I *think* the above should be allowed, and we should be trimming whitespace from each token.
,
Mar 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0573ada970c3acde0fcc51bf5f7a5c9be9e7629c commit 0573ada970c3acde0fcc51bf5f7a5c9be9e7629c Author: estark <estark@chromium.org> Date: Wed Mar 08 01:44:43 2017 Trim whitespace from Referrer-Policy tokens This will allow Chrome to accept headers such as the following: Referrer-Policy: origin, no-referrer which would previously result in a RP of 'origin', since " no-referrer" would match any valid policy. BUG= 698813 TEST=https://github.com/w3c/web-platform-tests/pull/5054 Review-Url: https://codereview.chromium.org/2733943002 Cr-Commit-Position: refs/heads/master@{#455331} [modify] https://crrev.com/0573ada970c3acde0fcc51bf5f7a5c9be9e7629c/third_party/WebKit/Source/platform/weborigin/SecurityPolicy.cpp
,
Mar 13 2017
|
||
►
Sign in to add a comment |
||
Comment 1 by est...@chromium.org
, Mar 6 2017