Bug 814117 - Forbid multiple Access-Control-Allow-Origin headers in HTTP responses. r=bz
authorJason Duell <jduell.mcbugs@gmail.com>
Wed, 28 Nov 2012 10:57:34 -0800
changeset 114388 e63a025943ebaf16524f4b771f714a27b111afc8
parent 114387 455414f3e52ca552c4c477c44bca117daa800897
child 114389 11fcd37bfb7d54c103b4b002d100437c8396561f
push id23917
push useremorley@mozilla.com
push dateThu, 29 Nov 2012 14:20:29 +0000
treeherdermozilla-central@c72d38e7a212 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbz
bugs814117
milestone20.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 814117 - Forbid multiple Access-Control-Allow-Origin headers in HTTP responses. r=bz
netwerk/protocol/http/nsHttpAtomList.h
netwerk/protocol/http/nsHttpHeaderArray.h
netwerk/test/unit/test_duplicate_headers.js
--- a/netwerk/protocol/http/nsHttpAtomList.h
+++ b/netwerk/protocol/http/nsHttpAtomList.h
@@ -16,16 +16,17 @@
   The first argument to HTTP_ATOM is the C++ name of the atom.
   The second argument to HTTP_ATOM is the string value of the atom.
  ******/
 
 HTTP_ATOM(Accept,                    "Accept")
 HTTP_ATOM(Accept_Encoding,           "Accept-Encoding")
 HTTP_ATOM(Accept_Language,           "Accept-Language")
 HTTP_ATOM(Accept_Ranges,             "Accept-Ranges")
+HTTP_ATOM(Access_Control_Allow_Origin, "Access-Control-Allow-Origin")
 HTTP_ATOM(Age,                       "Age")
 HTTP_ATOM(Allow,                     "Allow")
 HTTP_ATOM(Alternate_Protocol,        "Alternate-Protocol")
 HTTP_ATOM(Assoc_Req,                 "Assoc-Req")
 HTTP_ATOM(Authentication,            "Authentication")
 HTTP_ATOM(Authorization,             "Authorization")
 HTTP_ATOM(Cache_Control,             "Cache-Control")
 HTTP_ATOM(Connection,                "Connection")
--- a/netwerk/protocol/http/nsHttpHeaderArray.h
+++ b/netwerk/protocol/http/nsHttpHeaderArray.h
@@ -157,16 +157,17 @@ nsHttpHeaderArray::IsSingletonHeader(nsH
            header == nsHttp::Referer             ||
            header == nsHttp::Host                ||
            header == nsHttp::Authorization       ||
            header == nsHttp::Proxy_Authorization ||
            header == nsHttp::If_Modified_Since   ||
            header == nsHttp::If_Unmodified_Since ||
            header == nsHttp::From                ||
            header == nsHttp::Location            ||
+           header == nsHttp::Access_Control_Allow_Origin ||
            header == nsHttp::Max_Forwards;
 }
 
 inline bool
 nsHttpHeaderArray::TrackEmptyHeader(nsHttpAtom header)
 {
     return header == nsHttp::Content_Length ||
            header == nsHttp::Location;
@@ -196,17 +197,18 @@ nsHttpHeaderArray::MergeHeader(nsHttpAto
     entry->value.Append(value);
 }
 
 inline bool
 nsHttpHeaderArray::IsSuspectDuplicateHeader(nsHttpAtom header)
 {
     bool retval =  header == nsHttp::Content_Length         ||
                      header == nsHttp::Content_Disposition    ||
+                     header == nsHttp::Access_Control_Allow_Origin ||
                      header == nsHttp::Location;
 
-    NS_ASSERTION(!retval || IsSingletonHeader(header),
-                 "Only non-mergeable headers should be in this list\n");
+    MOZ_ASSERT(!retval || IsSingletonHeader(header),
+               "Only non-mergeable headers should be in this list\n");
 
     return retval;
 }
 
 #endif
--- a/netwerk/test/unit/test_duplicate_headers.js
+++ b/netwerk/test/unit/test_duplicate_headers.js
@@ -594,11 +594,37 @@ function handler20(metadata, response)
   response.write(body);
   response.finish();
 }
 
 function completeTest20(request, data, ctx)
 {
   do_check_eq(request.status, Components.results.NS_ERROR_CORRUPTED_CONTENT);
 
+  run_test_number(21);
+}
+
+////////////////////////////////////////////////////////////////////////////////
+// FAIL if multiple Access-Control-Allow-Origin headers provided
+
+test_flags[21] = CL_EXPECT_FAILURE;
+
+function handler21(metadata, response)
+{
+  var body = "012345678901234567890123456789";
+  response.seizePower();
+  response.write("HTTP/1.0 200 OK\r\n");
+  response.write("Content-Type: text/plain\r\n");
+  response.write("Content-Length: 30\r\n");
+  response.write("Access-Control-Allow-Origin: www.mozilla.org\r\n");
+  response.write("Access-Control-Allow-Origin: www.evil.net\r\n");
+  response.write("\r\n");
+  response.write(body);
+  response.finish();
+}
+
+function completeTest21(request, data, ctx)
+{
+  do_check_eq(request.status, Components.results.NS_ERROR_CORRUPTED_CONTENT);
+
   endTests();
 }