abarth@webkit.org authored
Reviewed by Alexey Proskuryakov.

XHR allows arbitrary XSRF across domains
https://bugs.webkit.org/show_bug.cgi?id=36843

Added a one-line change to prevent bypassing the XDC check on synchronous preflighted requests. Added layout tests to cover variations of this problem.

* http/tests/xmlhttprequest/access-control-preflight-async-header-denied-expected.txt: Added.
* http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html: Added.
* http/tests/xmlhttprequest/access-control-preflight-async-method-denied-expected.txt: Added.
* http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html: Added.
* http/tests/xmlhttprequest/access-control-preflight-sync-header-denied-expected.txt: Added.
* http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html: Added.
* http/tests/xmlhttprequest/access-control-preflight-sync-method-denied-expected.txt: Added.
* http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html: Added.
* http/tests/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php: Added.

2010-04-02  Justin Schuh  <jschuh@chromium.org>

Reviewed by Alexey Proskuryakov.

XHR allows arbitrary XSRF across domains
https://bugs.webkit.org/show_bug.cgi?id=36843

Added a one-line change to prevent bypassing the XDC check on synchronous preflighted requests. Added layout tests to cover variations of this problem.

Tests: http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html
       http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html
       http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html
       http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html

* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::preflightFailure):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@57041 268f45cc-cd09-0410-ab3c-d52691b4dbfc
7a8fde5a
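The commit above fixes a case where a denied CORS preflight was enforced on the asynchronous XMLHttpRequest path but could be bypassed on the synchronous one. The following is an added illustration, not WebKit's code and not the patch itself: a small model of the preflight decision a browser makes for a cross-origin request with a non-simple method or header, with a single shared gate so that the synchronous and asynchronous paths cannot diverge. Names such as `PreflightResponse`, `preflight_allows` and `send_cross_origin`, and the sample origin and headers, are constructed for this example.

```python
"""Illustrative CORS preflight gate (added example; not WebKit code).

Models the decision a browser makes after receiving the OPTIONS (preflight)
response and before letting a cross-origin XMLHttpRequest with a non-simple
method or header leave the browser. The invariant the commit restores is
that a denied preflight must abort the request on BOTH the synchronous and
the asynchronous path; here both paths funnel through one function.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Methods and headers that do not require a preflight ("simple" requests).
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


@dataclass
class PreflightResponse:
    """Constructed stand-in for the relevant headers of an OPTIONS response."""
    allow_origin: Optional[str] = None          # Access-Control-Allow-Origin
    allow_methods: Set[str] = field(default_factory=set)   # Access-Control-Allow-Methods
    allow_headers: Set[str] = field(default_factory=set)   # Access-Control-Allow-Headers


def needs_preflight(method: str, headers: List[str]) -> bool:
    """A non-simple method or any non-simple request header triggers a preflight."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    return any(h.lower() not in SIMPLE_HEADERS for h in headers)


def preflight_allows(origin: str, method: str, headers: List[str],
                     resp: PreflightResponse) -> Tuple[bool, str]:
    """Return (allowed, reason) for the actual request given the preflight response."""
    if resp.allow_origin not in ("*", origin):
        return False, "origin not allowed"
    m = method.upper()
    allowed_methods = {x.upper() for x in resp.allow_methods}
    if m not in SIMPLE_METHODS and m not in allowed_methods:
        return False, "method %s denied" % m
    allowed_headers = {x.lower() for x in resp.allow_headers}
    for h in headers:
        if h.lower() not in SIMPLE_HEADERS and h.lower() not in allowed_headers:
            return False, "header %s denied" % h
    return True, "ok"


def send_cross_origin(origin: str, method: str, headers: List[str],
                      resp: PreflightResponse, synchronous: bool) -> Dict[str, object]:
    """Dispatch a cross-origin request. Sync and async share the same gate,
    so a preflight failure aborts the request regardless of the mode."""
    mode = "sync" if synchronous else "async"
    if needs_preflight(method, headers):
        ok, reason = preflight_allows(origin, method, headers, resp)
        if not ok:
            # Equivalent of a preflight failure: nothing is sent to the target.
            return {"sent": False, "mode": mode, "reason": reason}
    return {"sent": True, "mode": mode, "reason": "ok"}


if __name__ == "__main__":
    # Constructed sample: the server only allows GET and no custom headers.
    resp = PreflightResponse(allow_origin="http://example.test", allow_methods={"GET"})
    for sync in (False, True):
        print(send_cross_origin("http://example.test", "PUT", [], resp, sync))
        print(send_cross_origin("http://example.test", "GET", ["X-Custom"], resp, sync))
```

The four layout tests the commit adds correspond to the four denied cases this model exercises: method denied and header denied, each on the async and the sync path. Running the block prints `sent: False` for all four, which is the behaviour the fix enforces.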