Bug 251936 - A Headers object with "request-no-cors" guard will accept non-safelisted headers with empty values
Summary: A Headers object with "request-no-cors" guard will accept non-safelisted head...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: Other
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: BrowserCompat, InRadar
Depends on:
Blocks:
 
Reported: 2023-02-08 10:23 PST by Andreu Botella
Modified: 2023-02-09 09:01 PST (History)
6 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreu Botella 2023-02-08 10:23:39 PST 
Per the fetch spec, if a Headers object has the "request-no-cors" guard, appending or setting a header will only succeed if the header is a no-CORS-safelisted request header (https://fetch.spec.whatwg.org/#no-cors-safelisted-request-header), which only includes the `Accept`, `Accept-Language`, `Content-Language` and `Content-Type` header names, and doesn't include all header values.

However, Webkit seems to accept any header as long as its value is the empty string.

A test for this is running the following code on the console:

const request = new Request("https://example.com", {mode: "no-cors"});
request.headers.append("X-Test", "fsdfsd");
request.headers.has("X-Test");  // false
request.headers.append("X-Test", "");
request.headers.has("X-Test");  // true

The last line prints false in Firefox and Chromium.
Comment 1 Andreu Botella 2023-02-08 10:48:15 PST 
Pull request: https://github.com/WebKit/WebKit/pull/9825
Comment 3 Radar WebKit Bug Importer 2023-02-08 22:16:05 PST 
<rdar://problem/105207779>
Comment 5 EWS 2023-02-09 09:01:02 PST 
Committed 260066@main (2fbadf6b9f23): <https://commits.webkit.org/260066@main>

Reviewed commits have been landed. Closing PR #9825 and removing active labels.