Basic headers longer than 128 chars on CORS request is throwing exceptions
Reported by a...@ekdahls.net, Dec 5
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36

Steps to reproduce the problem:
In latest version of chrome version 71.0.3578.80 any Accept header longer than 128 chars on CORS request is throwing exceptions. This includes simple headers that don't make OPTIONS requests, such as
Accept-Language: fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5
If the Accept-Language is longer than 128 chars, an exception is raised.

What is the expected behavior?
Unlimited length of basic headers not triggering OPTIONS request

What went wrong?
Exception thrown

Did this work before? Yes
Stopped working in Version 71* worked in <70

Does this work in other browsers? Yes

Chrome version: 71.0.3578.80 Channel: stable
OS Version: 10.0
Flash Version:
Dec 6

Dec 6
+ awhalley@ (Security TPM)

Dec 6
It is not "simple" any more. See "If value’s length is greater than 128, then return false." in https://fetch.spec.whatwg.org/#cors-safelisted-request-header. The spec change is https://github.com/whatwg/fetch/commit/9288c8f85c809a0ac371be6843ad2cf4046ee35b. We did that to mitigate a security issue.
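
A simplified model of the check the comment above quotes, added here as an example that is not part of the original thread or of Chromium's code. The function names and sample headers are constructed for illustration, and the sketch covers only four safelisted names, the 128-byte rule and the Content-Type essence check; the other per-header byte restrictions in the spec are not modelled.

```javascript
// Assumption: simplified subset of the Fetch "CORS-safelisted request-header" rules.
const SAFELISTED_NAMES = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
const MAX_VALUE_LENGTH = 128; // limit quoted in the comment above

// Returns null when the header stays safelisted, otherwise the reason it does not.
function unsafeReason(name, value) {
  const lower = name.toLowerCase();
  if (!SAFELISTED_NAMES.has(lower)) return "name is not safelisted";
  // Header values are byte strings, so .length is the byte count.
  if (value.length > MAX_VALUE_LENGTH) {
    return `value is ${value.length} bytes, limit is ${MAX_VALUE_LENGTH}`;
  }
  if (lower === "content-type") {
    const essence = value.split(";")[0].trim().toLowerCase();
    if (!SAFE_CONTENT_TYPES.has(essence)) return "content type is not safelisted";
  }
  return null;
}

// Lists the headers of a planned cross-origin request that force a preflight.
function headersForcingPreflight(headers) {
  return Object.entries(headers)
    .map(([name, value]) => ({ name, reason: unsafeReason(name, String(value)) }))
    .filter((entry) => entry.reason !== null);
}

// Constructed sample: the reporter's short value, and a long one (167 bytes).
const SHORT_LANG = "fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5";
const LONG_LANG = Array(13).fill("en-US;q=0.9").join(", ");

const sampleRequest = {
  "Accept": "application/json",
  "Accept-Language": LONG_LANG,
  "Content-Type": "text/plain; charset=utf-8",
  "X-Trace": "1",
};

for (const { name, reason } of headersForcingPreflight(sampleRequest)) {
  console.log(`${name}: ${reason}`);
}
```

A header reported here makes the browser send an OPTIONS preflight, so the server has to allow it in `Access-Control-Allow-Headers` for the request to go through.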

Dec 6
Is this WontFix then?

Dec 7
I'm waiting for the reporter's feedback.

Dec 14

Comment 1 by mmenke@chromium.org, Dec 5
Components: Blink>SecurityFeature>CORS