[XHR] Only exempt Dashboard widgets from XHR header restrictions
author: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Tue, 3 Oct 2017 18:54:30 +0000 (18:54 +0000)
committer: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Tue, 3 Oct 2017 18:54:30 +0000 (18:54 +0000)
commit: e247452d827feb8b2d1eb5ebf7ff27df25e4c5d8
tree: da98a444b1afe73b8352b3d70ab4a5ce391a4fa4
parent: 01f005e7bdc4dab1b504fd5fafa254d75c2d9624
[XHR] Only exempt Dashboard widgets from XHR header restrictions
https://bugs.webkit.org/show_bug.cgi?id=177824
<rdar://problem/34384301>

Reviewed by Alexey Proskuryakov.

Source/WebCore:

Currently we allow file URLs to set arbitrary XHR headers. In contrast, non-file URLs are
restricted from setting some XHR headers (e.g. COOKIE). Historically the relaxation for file
URLs was for backwards compatibility to allow Dashboard widgets to work. Instead we should
apply the non-file URL policy to all URLs and only relax the policy for Dashboard widgets.

Tests: fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html
       fast/xmlhttprequest/set-dangerous-headers.html

* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::setRequestHeader):

LayoutTests:

Add tests to ensure that file URLs are forbidden from setting the same set of blacklisted
headers as non-file URLs except when running in Dashboard compatibility mode.

* TestExpectations: Mark test fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html
as WontFix on all platforms. We will selectively enable this test on Mac because it is the
only platform that supports Dashboard widgets.
* fast/xmlhttprequest/set-dangerous-headers-expected.txt: Added.
* fast/xmlhttprequest/set-dangerous-headers-in-dashboard-expected.txt: Added.
* fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html: Added.
* fast/xmlhttprequest/set-dangerous-headers.html: Added. Derived from LayoutTests/http/tests/xmlhttprequest/set-dangerous-headers.html.
* platform/mac/TestExpectations: Enable test fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html
on Mac.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@222795 268f45cc-cd09-0410-ab3c-d52691b4dbfc
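The policy change described in the message above, as an added model written for this page (it is not WebKit's code): a forbidden-request-header check following the Fetch standard's list (whether WebKit's own list matches it exactly is an assumption), a decision function that contrasts the old file-URL exemption with the Dashboard-only exemption this commit keeps, and a helper that applies a script's headers the way XMLHttpRequest.setRequestHeader does, silently dropping forbidden ones. The `legacyFileExemption` flag exists only to show the pre-change behaviour side by side.

```javascript
// Added example, not WebKit's implementation. Header names and prefixes follow
// the Fetch standard's "forbidden header name" list (assumed to match WebKit's).
const FORBIDDEN_HEADER_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "date", "dnt", "expect", "host", "keep-alive", "origin", "referer", "te",
  "trailer", "transfer-encoding", "upgrade", "via",
]);
const FORBIDDEN_HEADER_PREFIXES = ["proxy-", "sec-"];

// Header names are case-insensitive, so "COOKIE" and "Cookie" are the same header.
function isForbiddenRequestHeader(name) {
  const lower = name.toLowerCase();
  return FORBIDDEN_HEADER_NAMES.has(lower)
    || FORBIDDEN_HEADER_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Policy decision for one header. `url` is the document's URL as a string;
// `dashboardCompatibilityMode` stands in for the Dashboard setting the commit
// message refers to; `legacyFileExemption` reproduces the behaviour being removed
// (all file: URLs exempt) so the two policies can be compared.
function mayScriptSetHeader(name, { url, dashboardCompatibilityMode, legacyFileExemption = false }) {
  if (!isForbiddenRequestHeader(name)) return true;
  if (dashboardCompatibilityMode) return true;           // the only exemption after this change
  if (legacyFileExemption && new URL(url).protocol === "file:") return true; // pre-change behaviour
  return false;
}

// Mirror setRequestHeader(): forbidden headers are ignored, not thrown on.
// Returns the headers that would actually be sent.
function applyRequestHeaders(requested, context) {
  const accepted = {};
  for (const [name, value] of Object.entries(requested)) {
    if (mayScriptSetHeader(name, context)) accepted[name] = value;
  }
  return accepted;
}
```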
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/fast/xmlhttprequest/set-dangerous-headers-expected.txt [new file with mode: 0644]
LayoutTests/fast/xmlhttprequest/set-dangerous-headers-in-dashboard-expected.txt [new file with mode: 0644]
LayoutTests/fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html [new file with mode: 0644]
LayoutTests/fast/xmlhttprequest/set-dangerous-headers.html [new file with mode: 0644]
LayoutTests/platform/mac/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/xml/XMLHttpRequest.cpp