Bug 251936

Summary: A Headers object with "request-no-cors" guard will accept non-safelisted headers with empty values
Product: WebKit Reporter: Andreu Botella <abotella>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, annevk, karlcow, webkit-bug-importer, wilander, youennf
Priority: P2 Keywords: BrowserCompat, InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://github.com/web-platform-tests/wpt/pull/38431

Description Andreu Botella 2023-02-08 10:23:39 PST 
Per the fetch spec, if a Headers object has the "request-no-cors" guard, appending or setting a header will only succeed if the header is a no-CORS-safelisted request header (https://fetch.spec.whatwg.org/#no-cors-safelisted-request-header), which only includes the `Accept`, `Accept-Language`, `Content-Language` and `Content-Type` header names, and doesn't include all header values.

However, Webkit seems to accept any header as long as its value is the empty string.

A test for this is running the following code on the console:

const request = new Request("https://example.com", {mode: "no-cors"});
request.headers.append("X-Test", "fsdfsd");
request.headers.has("X-Test");  // false
request.headers.append("X-Test", "");
request.headers.has("X-Test");  // true

The last line prints false in Firefox and Chromium.
Comment 1 Andreu Botella 2023-02-08 10:48:15 PST 
Pull request: https://github.com/WebKit/WebKit/pull/9825
Comment 3 Radar WebKit Bug Importer 2023-02-08 22:16:05 PST 
<rdar://problem/105207779>
Comment 5 EWS 2023-02-09 09:01:02 PST 
Committed 260066@main (2fbadf6b9f23): <https://commits.webkit.org/260066@main>

Reviewed commits have been landed. Closing PR #9825 and removing active labels.