Re: [whatwg/xhr] Why does headers-normalize-response.htm expect null bytes to be allowed? (#165)

@bencebeky thanks for the quick reply! I think the main problem with Chrome's behavior at the moment is that it strips 0x00 from header values. It doesn't reject anything.

http://w3c-test.org/xhr/headers-normalize-response.htm was added in https://bugzilla.mozilla.org/show_bug.cgi?id=1277019 and apparently Safari also passes all tests.

From that bug it seems this was already tested in http://w3c-test.org/cors/allow-headers.htm which reveals some minor security implications. (Disregarding the response or response header would also work for that specific case.)

The simplest solution based on this is probably accepting that response header values can contain 0x00 (at least when going over the network, no need to add support for this to `Response` objects and such). Rejecting headers or responses that have headers whose values contain 0x00 seems more involved (as it would require changing all clients), but doable if there's enough willingness.

(I also looked at Edge and it simply seems to hang on loading the page, which doesn't seem great. @travisleithead you might want to look at that.)

-- 
https://github.com/whatwg/xhr/issues/165#issuecomment-380416906

Received on Wednesday, 11 April 2018 11:19:35 UTC
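As an added illustration of the three options discussed in the message above (this is example code written for this page, not code from the thread, Chrome, Firefox or any browser), the block below models a client applying Fetch-style header value normalization (trim leading and trailing HTTP whitespace, leave every other byte alone) and then one of three NUL-byte policies: `preserve`, `strip`, or `reject`. The function names, the policy names and the raw header block are all constructed for this example. The point it makes visible is the security-relevant one: under `strip`, two header values the server sent as different byte sequences become identical to the client, whereas `preserve` keeps them distinguishable and `reject` surfaces the anomaly instead of hiding it.

```javascript
// Added example (not from the original thread): how a client can treat a
// response header value containing a NUL byte (0x00), and why silently
// stripping it changes what the client observes.

// HTTP whitespace as used by Fetch's header value normalization: TAB, LF, CR, SP.
const HTTP_WHITESPACE = /^[\t\n\r ]+|[\t\n\r ]+$/g;

// Fetch-style normalization: trim leading/trailing HTTP whitespace only.
// It deliberately leaves every other byte, including 0x00, untouched.
function normalizeHeaderValue(value) {
  return value.replace(HTTP_WHITESPACE, "");
}

// Apply one of three (hypothetical, named here for the example) NUL policies:
//   "preserve": keep the bytes exactly as received
//   "strip":    drop NUL bytes silently (the behaviour the message ascribes to Chrome)
//   "reject":   refuse the header entirely
function applyNulPolicy(value, policy) {
  const hasNul = value.includes("\u0000");
  switch (policy) {
    case "preserve":
      return { ok: true, value };
    case "strip":
      return { ok: true, value: value.replace(/\u0000/g, "") };
    case "reject":
      return hasNul ? { ok: false, value: null } : { ok: true, value };
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Parse a small raw header block ("Name: value" lines separated by CRLF) under
// a given NUL policy. Returns a Map of lower-cased names to values, or null
// when the policy rejects a header (the "reject the response" option).
function parseHeaders(rawBlock, policy) {
  const headers = new Map();
  for (const line of rawBlock.split("\r\n")) {
    if (line === "") continue;
    const idx = line.indexOf(":");
    if (idx <= 0) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
    const name = line.slice(0, idx).trim().toLowerCase();
    const normalized = normalizeHeaderValue(line.slice(idx + 1));
    const result = applyNulPolicy(normalized, policy);
    if (!result.ok) return null;
    headers.set(name, result.value);
  }
  return headers;
}

// Constructed sample input: two headers, the second carrying an embedded NUL
// plus the surrounding whitespace that normalization is expected to trim.
const SAMPLE = "X-Plain: ab\r\nX-With-Nul:  a\u0000b \r\n";

// Do the two values look identical to the client under this policy?
// Returns null when the policy rejected the block outright.
function valuesCollide(policy) {
  const h = parseHeaders(SAMPLE, policy);
  if (h === null) return null;
  return h.get("x-plain") === h.get("x-with-nul");
}

// Stand-alone run: shows "strip" collapsing distinct values into one.
for (const policy of ["preserve", "strip", "reject"]) {
  console.log(policy, "collide:", valuesCollide(policy));
}
```

Run with `node` to see that only the `strip` policy reports a collision; `preserve` is what the test file under discussion expects, and `reject` is the more invasive alternative the message describes as doable but requiring changes across clients.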