[webappsec-testsuite] CORS tests and null bytes in origin from Hill, Brad on 2013-04-13 (public-webappsec-testsuite@w3.org from April 2013)

From: Hill, Brad <bhill@paypal-inc.com>
Date: Sat, 13 Apr 2013 22:12:20 +0000
To: "public-webappsec-testsuite@w3.org" <public-webappsec-testsuite@w3.org>
CC: Odin Hørthe Omdal (odinho@opera.com) <odinho@opera.com>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E279B8CA4@DEN-EXDDA-S12.corp.ebay.com>

There are a number of tests checked in for CORS in submitted/opera/origin.html that fail on all browsers.  These tests insert a null byte ("\0") into the origin string and expect a failure which does not happen.  It appears the browsers all strip the null bytes and implicitly create a well-formed origin.

Odin, you're the author of the spec - are these valid cases or should they be removed since there appears to be uniformity in ignoring/stripping null bytes? 

Thanks,

Brad

Received on Saturday, 13 April 2013 22:12:48 UTC