Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1601)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/xml/XMLHttpRequest.cpp

Issue 13979011: Block all scripts from setting unsafe headers in XMLHttpRequest (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Fix line width. Created 7 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « Source/core/xml/XMLHttpRequest.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/xml/XMLHttpRequest.cpp
diff --git a/Source/core/xml/XMLHttpRequest.cpp b/Source/core/xml/XMLHttpRequest.cpp
index 7ac3d25f622e78d82bc500de0708943fcbcb96b6..950b1a4078207a2d11252ef0c876d155afe727ea 100644
--- a/Source/core/xml/XMLHttpRequest.cpp
+++ b/Source/core/xml/XMLHttpRequest.cpp
@@ -449,6 +449,12 @@ bool XMLHttpRequest::isAllowedHTTPHeader(const String& name)
&& !name.startsWith(staticData->m_secHeaderPrefix, false);
}
+bool XMLHttpRequest::isLocallyAllowedHTTPHeader(const String& name)
+{
+ // Scripts that can load local resources can't set referer header.
+ return !equalIgnoringCase(name, "referer");
abarth-chromium 2013/04/25 00:30:57 What about Host and all the other sensitive HTTP h
meacer 2013/04/25 00:34:58 Per your comment below, looks like we don't need t
abarth-chromium 2013/04/25 03:28:10 Correct.
meacer 2013/04/25 17:43:21 Done.
+}
+
void XMLHttpRequest::open(const String& method, const KURL& url, ExceptionCode& ec)
{
open(method, url, true, ec);
@@ -921,12 +927,17 @@ void XMLHttpRequest::setRequestHeader(const AtomicString& name, const String& va
return;
}
- // A privileged script can set any headers.
+ // A privileged script can set any headers except for "referer".
if (!securityOrigin()->canLoadLocalResources() && !isAllowedHTTPHeader(name)) {
abarth-chromium 2013/04/25 00:30:57 IMHO, we should just remove canLoadLocalResources(
meacer 2013/04/25 00:34:58 So just to clarify, we'll have a single set of dis
abarth-chromium 2013/04/25 03:28:10 Correct.
meacer 2013/04/25 17:43:21 Done.
logConsoleError(scriptExecutionContext(), "Refused to set unsafe header \"" + name + "\"");
return;
}
+ if (securityOrigin()->canLoadLocalResources() && !isLocallyAllowedHTTPHeader(name)) {
+ logConsoleError(scriptExecutionContext(), "Refused to set unsafe header \"" + name + "\"");
+ return;
+ }
+
setRequestHeaderInternal(name, value);
}
« no previous file with comments | « Source/core/xml/XMLHttpRequest.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698