ppapi/tests/test_url_loader.cc · 9f2a4f4ab986e31e6b2f5b3b171d158c564885c1 · eriksson monteiro / tangled

OOR-CORS: Disallow to set Host header via the factory interface · 9f2a4f4a

Takashi Toyoshima authored May 14, 2019

Host header is expected to be set by the network stack and
the value should be aligned with the destination host, or |url|
in the ResourceRequest.

Users' JavaScripts can not set this header because the name is
listed in |forbidden header name| of the fetch spec, but still
mojo IPC can be compromised potentially, and having this second
check in the network service would reduce security risk.

Bug: 925359
Change-Id: Idfe9209fec9c5ed72c384ff2592e02c96a2e77a1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1601086
Auto-Submit: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Raymes Khoury <raymes@chromium.org>
Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#659373}

9f2a4f4a

test_url_loader.cc 33.9 KB

Replace test_url_loader.cc