Block all scripts from setting unsafe headers in XMLHttpRequest

Source/core/xml/XMLHttpRequest.cpp

 /*
  *  Copyright (C) 2004, 2006, 2008 Apple Inc. All rights reserved.
  *  Copyright (C) 2005-2007 Alexey Proskuryakov <ap@webkit.org>
  *  Copyright (C) 2007, 2008 Julien Chaffraix <jchaffraix@webkit.org>
  *  Copyright (C) 2008, 2011 Google Inc. All rights reserved.
  *  Copyright (C) 2012 Intel Corporation
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
  *  License as published by the Free Software Foundation; either
@@ skipping 431 matching lines @@
     return method;
 }
 
 bool XMLHttpRequest::isAllowedHTTPHeader(const String& name)
 {
     initializeXMLHttpRequestStaticData();
     return !staticData->m_forbiddenRequestHeaders.contains(name) && !name.startsWith(staticData->m_proxyHeaderPrefix, false)
         && !name.startsWith(staticData->m_secHeaderPrefix, false);
 }
 
+bool XMLHttpRequest::isLocallyAllowedHTTPHeader(const String& name)
+{
+    // Scripts that can load local resources can't set referer header.
+    return !equalIgnoringCase(name, "referer");

[abarth-chromium, 2013/04/25 00:30:57]

What about Host and all the other sensitive HTTP headers?

[meacer, 2013/04/25 00:34:58]

Per your comment below, looks like we don't need this method at all?

[abarth-chromium, 2013/04/25 03:28:10]

Correct.

[meacer, 2013/04/25 17:43:21]

Done.

+}
+
 void XMLHttpRequest::open(const String& method, const KURL& url, ExceptionCode& ec)
 {
     open(method, url, true, ec);
 }
 
 void XMLHttpRequest::open(const String& method, const KURL& url, bool async, ExceptionCode& ec)
 {
     internalAbort();
     State previousState = m_state;
     m_state = UNSENT;
@@ skipping 452 matching lines @@
     if (m_state != OPENED || m_loader) {
         ec = INVALID_STATE_ERR;
         return;
     }
 
     if (!isValidHTTPToken(name) || !isValidHTTPHeaderValue(value)) {
         ec = SYNTAX_ERR;
         return;
     }
 
-    // A privileged script can set any headers.
+    // A privileged script can set any headers except for "referer".
     if (!securityOrigin()->canLoadLocalResources() && !isAllowedHTTPHeader(name)) {

[abarth-chromium, 2013/04/25 00:30:57]

IMHO, we should just remove canLoadLocalResources() from this line.  There's no
reason why being able to load local resources should let you set the dangerous
HTTP headers.

[meacer, 2013/04/25 00:34:58]

So just to clarify, we'll have a single set of disallowed headers among all
schemes, which means I won't need isLocallyAllowedHTTPHeader too. Is that
correct?

[abarth-chromium, 2013/04/25 03:28:10]

Correct.

[meacer, 2013/04/25 17:43:21]

Done.

         logConsoleError(scriptExecutionContext(), "Refused to set unsafe header \"" + name + "\"");
         return;
     }
 
+    if (securityOrigin()->canLoadLocalResources() && !isLocallyAllowedHTTPHeader(name)) {
+        logConsoleError(scriptExecutionContext(), "Refused to set unsafe header \"" + name + "\"");
+        return;
+    }
+
     setRequestHeaderInternal(name, value);
 }
 
 void XMLHttpRequest::setRequestHeaderInternal(const AtomicString& name, const String& value)
 {
     HTTPHeaderMap::AddResult result = m_requestHeaders.add(name, value);
     if (!result.isNewEntry)
         result.iterator->value.append(", " + value);
 }
 
@@ skipping 350 matching lines @@
     info.addMember(m_responseDocument, "responseDocument");
     info.addMember(m_binaryResponseBuilder, "binaryResponseBuilder");
     info.addMember(m_responseArrayBuffer, "responseArrayBuffer");
     info.addMember(m_lastSendURL, "lastSendURL");
     info.addMember(m_eventTargetData, "eventTargetData");
     info.addMember(m_progressEventThrottle, "progressEventThrottle");
     info.addMember(m_securityOrigin, "securityOrigin");
 }
 
 } // namespace WebCore