Reviewed by Darin.

        <rdar://problem/5749455> Unable to set the Referer header in Dashboard using XMLHttpRequest

        Cannot be tested in DRT.

        * xml/XMLHttpRequest.cpp: (WebCore::canSetRequestHeader): Assume that a request that can load
        local files can also set any headers.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@30422 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 005baab326040cadaf9e0d71bcbba667b535f19f..f4b4772bf4ff2315dfbb6313640a3a9222760c3c 100644 (file)
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,14 @@
+2008-02-20  Alexey Proskuryakov  <ap@webkit.org>
+
+        Reviewed by Darin.
+
+        <rdar://problem/5749455> Unable to set the Referer header in Dashboard using XMLHttpRequest
+
+        Cannot be tested in DRT.
+
+        * xml/XMLHttpRequest.cpp: (WebCore::canSetRequestHeader): Assume that a request that can load
+        local files can also set any headers.
+
 2008-02-19  Darin Adler  <darin@apple.com>
 
         Reviewed by Sam.

diff --git a/WebCore/xml/XMLHttpRequest.cpp b/WebCore/xml/XMLHttpRequest.cpp
index cd2033aea4b6fc40298ca8846ccccd45e260d5e3..fb298846f3f3fc584fab9eb69048b5ce0f708a70 100644 (file)
--- a/WebCore/xml/XMLHttpRequest.cpp
+++ b/WebCore/xml/XMLHttpRequest.cpp
@@ -81,6 +81,10 @@ static void removeFromRequestsByDocument(Document* doc, XMLHttpRequest* req)
 
 static bool canSetRequestHeader(const String& name)
 {
+    // A privileged script (e.g. a Dashboard widget) can set any headers.
+    if (m_doc->isAllowedToLoadLocalResources())
+        return true;
+
     static HashSet<String, CaseFoldingHash> forbiddenHeaders;
     static String proxyString("proxy-");