Bug 251936

Summary: A Headers object with "request-no-cors" guard will accept non-safelisted headers with empty values
Product: WebKit Reporter: Andreu Botella <abotella>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, annevk, karlcow, webkit-bug-importer, wilander, youennf
Priority: P2 Keywords: BrowserCompat, InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://github.com/web-platform-tests/wpt/pull/38431

Andreu Botella
Reported 2023-02-08 10:23:39 PST
Per the fetch spec, if a Headers object has the "request-no-cors" guard, appending or setting a header will only succeed if the header is a no-CORS-safelisted request header (https://fetch.spec.whatwg.org/#no-cors-safelisted-request-header), which only includes the `Accept`, `Accept-Language`, `Content-Language` and `Content-Type` header names, and doesn't include all header values. However, Webkit seems to accept any header as long as its value is the empty string. A test for this is running the following code on the console: const request = new Request("https://example.com", {mode: "no-cors"}); request.headers.append("X-Test", "fsdfsd"); request.headers.has("X-Test"); // false request.headers.append("X-Test", ""); request.headers.has("X-Test"); // true The last line prints false in Firefox and Chromium.
Attachments
Add attachment proposed patch, testcase, etc.
Andreu Botella
Comment 1 2023-02-08 10:48:15 PST
Pull request: https://github.com/WebKit/WebKit/pull/9825
Radar WebKit Bug Importer
Comment 3 2023-02-08 22:16:05 PST
<rdar://problem/105207779>
EWS
Comment 5 2023-02-09 09:01:02 PST
Committed 260066@main (2fbadf6b9f23): <https://commits.webkit.org/260066@main> Reviewed commits have been landed. Closing PR #9825 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.