[CORS] Reject an Access-Control-Expose-Headers header that doesn't conform to the ABNF
Issue description

Test: https://github.com/w3c/web-platform-tests/pull/6000. In https://bugzilla.mozilla.org/show_bug.cgi?id=1364598 it was discovered that only Firefox handles this correctly out of the four browser engines. We'd appreciate it if you could fix this. If you don't feel like you could fix this, please propose a change to the Fetch standard (and what change you'd like that to be) instead.
May 23 2017
ParseAccessControlExposeHeadersAllowList() must be fixed to validate the input against the ABNF. https://fetch.spec.whatwg.org/#http-new-header-syntax
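The validation this comment asks for, written out as an added example (not the code from the Chromium commit): `ParseExposeHeaders` and `IsTchar` are hypothetical names, and it assumes the header's ABNF is `#field-name` with RFC 7230's recipient rule that empty list elements are skipped.

```cpp
// Added example: strict #field-name parsing for Access-Control-Expose-Headers.
#include <cctype>
#include <iostream>
#include <set>
#include <string>

// tchar (RFC 7230): the only characters a field-name (token) may contain.
static bool IsTchar(unsigned char c) {
  static const std::string kSymbols = "!#$%&'*+-.^_`|~";
  return std::isalnum(c) || kSymbols.find(static_cast<char>(c)) != std::string::npos;
}

// Hypothetical helper, not Blink's ParseAccessControlExposeHeadersAllowList().
// Returns false and leaves *out empty when the value fails the ABNF, so a
// malformed header exposes nothing instead of a best-effort subset.
// Assumption: empty list elements ("a,,b") are skipped, as RFC 7230
// section 7 asks of recipients.
bool ParseExposeHeaders(const std::string& value, std::set<std::string>* out) {
  out->clear();
  std::set<std::string> names;
  bool need_comma = false;  // true right after a field-name was read
  size_t i = 0;
  while (i < value.size()) {
    const unsigned char c = static_cast<unsigned char>(value[i]);
    if (c == ' ' || c == '\t') { ++i; continue; }         // OWS
    if (c == ',') { need_comma = false; ++i; continue; }  // separator
    if (need_comma || !IsTchar(c)) return false;  // "A B" or a non-token byte
    std::string name;
    while (i < value.size() && IsTchar(static_cast<unsigned char>(value[i])))
      name += static_cast<char>(std::tolower(static_cast<unsigned char>(value[i++])));
    names.insert(name);  // header names compare case-insensitively
    need_comma = true;
  }
  out->swap(names);
  return true;
}

int main() {
  // Constructed sample header values.
  const char* samples[] = {"X-Foo, X-Bar", "X-Foo X-Bar", "X-Foo, (bad)"};
  for (const char* s : samples) {
    std::set<std::string> exposed;
    bool ok = ParseExposeHeaders(s, &exposed);
    std::cout << '"' << s << "\" -> " << (ok ? "accepted" : "rejected")
              << ", " << exposed.size() << " exposed\n";
  }
  return 0;
}
```

A lenient parser that splits on commas and trims would expose `x-foo` from the third sample; the strict one exposes nothing from it.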
May 25 2017
yhirano@ found a spec issue during code review. Filed as https://github.com/whatwg/fetch/issues/548
May 25 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2094591b5e7cd1fc31f288817608e218ce149947

commit 2094591b5e7cd1fc31f288817608e218ce149947
Author: Takeshi Yoshino <tyoshino@chromium.org>
Date: Thu May 25 04:24:30 2017

Validate ABNF when parsing an Access-Control-Expose-Headers CORS header value

Bug: 724452
Change-Id: I1bd90194abd2c9eccd28bcdf48f6a226b694ac92
Reviewed-on: https://chromium-review.googlesource.com/512462
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Takeshi Yoshino <tyoshino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#474548}

[modify] https://crrev.com/2094591b5e7cd1fc31f288817608e218ce149947/third_party/WebKit/Source/platform/loader/DEPS
[modify] https://crrev.com/2094591b5e7cd1fc31f288817608e218ce149947/third_party/WebKit/Source/platform/loader/fetch/CrossOriginAccessControl.cpp
[modify] https://crrev.com/2094591b5e7cd1fc31f288817608e218ce149947/third_party/WebKit/Source/platform/loader/fetch/CrossOriginAccessControlTest.cpp
Comment 1 by phistuck@chromium.org, May 19 2017
Status: Untriaged (was: Unconfirmed)