- From: Odin Hørthe Omdal <odinho@opera.com>
- Date: Sun, 14 Apr 2013 01:17:50 +0200
- To: public-webappsec-testsuite@w3.org
- Cc: annevk@annevk.nl
On Sun, Apr 14, 2013, at 0:12, Hill, Brad wrote:
> There are a number of tests checked in for CORS in
> submitted/opera/origin.html that fail on all browsers. These tests
> insert a null byte ("\0") into the origin string and expect a failure
> which does not happen. It appears the browsers all strip the null bytes
> and implicitly create a well-formed origin.

Hey Brad!

First of all, I feel very bad for not fixing the remaining issues in the testsuite. We had a RfR on it, and I did get some very good feedback on the testsuite.

Recently I have been involved in the moving of tests to GitHub, and so I've done some testsuite and W3C work due to that. I will also do the last necessary fixes to the CORS tests when I move them over (after our CfC on the GitHub-move here on this list is finished).

The particular issue you mention

> Odin, you're the author of the spec - are these valid cases or should
> they be removed since there appears to be uniformity in
> ignoring/stripping null bytes?

That, I'm definitely not. The author of that spec is the much smarter, but employed by the same company as me back in the days; Anne.

Writing null byte "\0" random places was always a good test for Opera presto, because we have really weird handling of that.

From the Fetch spec (http://fetch.spec.whatwg.org/#http-origin):

    origin-or-null = origin / %x6E.75.6C.6C ; "null", case-sensitive
    origin         = scheme "://" host [ ":" port ]

    Note: The syntax for the Origin header here is an intentional subset
    of what is defined in The Web Origin Concept. Unfortunately that
    document cannot be updated to match reality without involving layers
    and layers of bureaucracy. [ORIGIN]

It further defers to this for host/port: http://url.spec.whatwg.org/#url-code-points

I read it as it'll give a parse error. But it is not explicitly enough mentioned to make me understand it.

I did not write those tests to that language that exists there though, but the newer specs should hopefully be more web compatible than that of old.

Anyway, I'll defer to Anne. If we find another way to handle this, I will change the test, but not remove them because we'd want to have tests for whatever we find out.

Do all browsers really strip it? I thought some would count it as the end-of-line? At least that's what I'd thought Presto would've done if there's no extra code handling that there. Won't check right now, because, well, I should've gone to bed ages ago.

-- 
Odin Hørthe Omdal, Opera Software
odinho@opera.com
Received on Saturday, 13 April 2013 23:18:15 UTC
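
The difference between the two behaviours discussed in this message (a parse error versus stripping the null byte), as an added example that is not part of the original e-mail or of the CORS test suite. It checks a value against the quoted `origin-or-null` grammar; the scheme, host and port patterns, the function names and the sample origin are assumptions made for illustration.

```javascript
// Added example. Patterns are simplifying assumptions: lowercase ASCII DNS
// names, IPv4 literals and bracketed IPv6, not the URL Standard host parser.
const SCHEME = /^[a-z][a-z0-9+.-]*$/;
const LABEL = "[a-z0-9](?:[a-z0-9-]*[a-z0-9])?";
const HOST = new RegExp(`^(?:${LABEL}(?:\\.${LABEL})*|\\[[0-9a-f:.]+\\])$`);
const PORT = /^[0-9]{1,5}$/;

// Returns { scheme, host, port }, { opaque: true } for the literal "null",
// or null when the value does not match origin-or-null.
function parseOrigin(value) {
  if (typeof value !== "string") return null;
  if (value === "null") return { opaque: true }; // case-sensitive literal
  const sep = value.indexOf("://");
  if (sep <= 0) return null;
  const scheme = value.slice(0, sep);
  const rest = value.slice(sep + 3);
  // For a bracketed IPv6 host, only a colon after "]" can start the port.
  const colon = rest.startsWith("[")
    ? rest.indexOf(":", rest.indexOf("]"))
    : rest.lastIndexOf(":");
  let host = rest;
  let port = null;
  if (colon !== -1) {
    host = rest.slice(0, colon);
    port = rest.slice(colon + 1);
  }
  // A NUL (or any other byte outside the patterns) fails here: parse error.
  if (!SCHEME.test(scheme) || !HOST.test(host)) return null;
  if (port !== null && (!PORT.test(port) || Number(port) > 65535)) return null;
  return { scheme, host, port };
}

const EXPECTED = "https://app.example"; // constructed expected origin

// Strict comparison: a value that fails the grammar never matches.
function matchesStrict(value) {
  return parseOrigin(value) !== null && value === EXPECTED;
}

// Models the strip-NUL behaviour reported in the thread, for contrast.
function matchesAfterStripping(value) {
  return value.replace(/\0/g, "") === EXPECTED;
}

const SAMPLE = "https://app\0.example"; // constructed value with embedded NUL
console.log(matchesStrict(SAMPLE), matchesAfterStripping(SAMPLE));
```
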