RE: [webappsec-testsuite] CORS tests and null bytes in origin

No worries.  I'm hacking at a Test The Web Forward event in Seattle today, and thought I'd try to work on some of the outstanding bugs in the CORS suite.

Also, I found out now that these tests appear to pass on the public server, but fail on the test VM.  Digging into it, I see it is because the public server completely strips the Access-Control-Allow-Origin header when it has a null byte (either the PHP or Apache version is different in this regard) but the VM, with a slightly different version of PHP and Apache, sends the header and strips the null byte.  

(see attached traces)

I think these are tests are therefore even more questionable since they seem to depend on server behavior in this regard.

> -----Original Message-----
> From: Odin Hørthe Omdal [mailto:odinho@opera.com]
> Sent: Saturday, April 13, 2013 4:18 PM
> To: public-webappsec-testsuite@w3.org
> Cc: annevk@annevk.nl
> Subject: Re: [webappsec-testsuite] CORS tests and null bytes in origin
> 
> On Sun, Apr 14, 2013, at 0:12, Hill, Brad wrote:
> > There are a number of tests checked in for CORS in
> > submitted/opera/origin.html that fail on all browsers.  These tests
> > insert a null byte ("\0") into the origin string and expect a failure
> > which does not happen.  It appears the browsers all strip the null
> > bytes and implicitly create a well-formed origin.
> 
> Hey Brad!
> 
> First of all, I feel very bad for not fixing the remaining issues in the testsuite.
> We had a RfR on it, and I did get some very good feedback on the testsuite.
> Recently I have been involved in the moving of tests to GitHub, and so I've
> done some testsuite and W3C work due to that.  I will also do the last
> necessary fixes to the CORS tests when I move them over (after our CfC on
> he GitHub-move here on this list is finished).
> 
> The particular issue you mention
> 
> > Odin, you're the author of the spec - are these valid cases or should
> > they be removed since there appears to be uniformity in
> > ignoring/stripping null bytes?
> 
> That, I'm definately not.  The author of that spec is the much smarter, but
> employed by the same company as me back in the days; Anne.
> 
> Writing null byte "\0" random places was always a good test for Opera
> presto, because we have really weird handling of that.
> 
> 
> 
> >From the Fetch spec (http://fetch.spec.whatwg.org/#http-origin):
> 
>   origin-or-null                   = origin / %x6E.75.6C.6C ; "null",
>   case-sensitive
>   origin                           = scheme "://" host [ ":" port ]
> 
>   Note: The syntax for the Origin header here is an intentional subset
>   of what
>   is defined in The Web Origin Concept. Unfortunately that document
>   cannot be
>   updated to match reality without involving layers and layers of
>   bureaucracy. [ORIGIN]
> 
> It furthers defers to this for host/port:
> 
>   http://url.spec.whatwg.org/#url-code-points

> 
> I read it as it'll give a parse error.  But it is not explicitly enough mentioned to
> make me understand it.  I did not write those tests to that language that
> exists there though, but the newer specs should hopefully be more web
> compatible than that of old.
> 
> 
> 
> Anyway, I'll defer to Anne.  If we find another way to handle this, I will
> change the test, but not remove them because we'd want to have tests for
> whatever we find out.  Do all browsers really strip it?  I thought some would
> count it as the end-of-line?  At least that's what I'd thought Presto would've
> done if there's no extra code handling that there.  Won't check right now,
> because, well, I should've gone to bed ages ago.
> 
> --
>   Odin Hørthe Omdal, Opera Software
>   odinho@opera.com