[whatwg/fetch] Acting on incomplete headers (#472)

From #416.

Browsers seem to act upon partial response header blocks, which might introduce security issues. In particular, some will follow a redirect without getting the final separating `\n`, either upon a timeout or connection close.

For example, given:

> printf "HTTP/1.1 301 Redirect\nLocation: https://evil.com/\n" | nc -l -p 8002 -c

Firefox 51 and Chrome 55 will redirect to `evil.com` upon connection close (`-c`).

Safari 10 will also navigate to `evil.com` upon connection close, although there appears to be a timer or race condition; you have to omit `-c` and manually kill `nc` after the request is sent.

HTTP talks about this [here](http://httpwg.org/specs/rfc7230.html#rfc.section.3.4):

> If a response terminates in the middle of the header section (before the empty line is received) and the status code might rely on header fields to convey the full meaning of the response, then the client cannot assume that meaning has been conveyed; the client might need to repeat the request in order to determine what action to take next.

cc @mcmanus


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/472

Received on Tuesday, 31 January 2017 04:39:34 UTC
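To make the RFC 7230 point concrete, here is an added example (not code from the issue, the Fetch spec, or any browser) of a client-side header reader that refuses to act on a response until the empty line closing the header section has actually arrived. The sample byte strings are constructed; `TRUNCATED` is exactly what the `printf` in the report emits, and `COMPLETE` is the same response with the header section properly terminated. A client written this way treats a connection close or timeout before that empty line as "meaning not conveyed" and returns no redirect target instead of navigating to `Location`.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the truncated response from the report, as printf emits it
# (status line and one header, but no empty line ending the header section).
TRUNCATED = b"HTTP/1.1 301 Redirect\nLocation: https://evil.com/\n"
# Constructed sample: the same response with the header section terminated.
COMPLETE = b"HTTP/1.1 301 Redirect\r\nLocation: https://evil.com/\r\n\r\n"

# Header section terminator; a bare LF is tolerated the way browsers do.
_END_OF_HEAD = re.compile(rb"\r?\n\r?\n")


@dataclass
class ParsedHead:
    status: int
    headers: Dict[str, str]


class HeadReader:
    """Accumulates bytes from the socket and yields the head only once complete."""

    def __init__(self) -> None:
        self._buf = b""
        self.closed = False

    def feed(self, chunk: bytes) -> Optional[ParsedHead]:
        """Feed a received chunk; returns the parsed head when the empty line has arrived."""
        self._buf += chunk
        m = _END_OF_HEAD.search(self._buf)
        if m is None:
            return None  # still incomplete: nothing to act on yet
        return _parse_head(self._buf[: m.start()])

    def on_close(self) -> Optional[ParsedHead]:
        """Peer closed (or the read timed out) without completing the header section.

        Per RFC 7230 section 3.4 the client cannot assume the meaning was conveyed,
        so an incomplete head is discarded rather than acted upon.
        """
        self.closed = True
        m = _END_OF_HEAD.search(self._buf)
        return _parse_head(self._buf[: m.start()]) if m else None


def _parse_head(head: bytes) -> ParsedHead:
    lines = re.split(rb"\r?\n", head)
    parts = lines[0].decode("iso-8859-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("malformed status line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.decode("iso-8859-1").partition(":")
        if not sep:
            raise ValueError("malformed header field: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return ParsedHead(int(parts[1]), headers)


def redirect_target(raw: bytes, connection_closed: bool = True) -> Optional[str]:
    """Return the Location to follow, or None if the head is incomplete or not a 3xx."""
    reader = HeadReader()
    # Deliver the bytes one at a time to mimic a slow or truncated stream.
    head = None
    for i in range(len(raw)):
        head = reader.feed(raw[i : i + 1])
        if head is not None:
            break
    if head is None and connection_closed:
        head = reader.on_close()
    if head is None or not 300 <= head.status < 400:
        return None
    return head.headers.get("location")


if __name__ == "__main__":
    print("truncated ->", redirect_target(TRUNCATED))  # None: do not follow
    print("complete  ->", redirect_target(COMPLETE))   # https://evil.com/
```

The behaviour the report observed corresponds to `on_close()` returning a parsed head anyway; the version above returns `None` there, so the caller cannot follow a redirect whose header block was cut off by a close or timeout.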