PATCH: XMLHttpRequest
Dawit Alemayehu
adawit at kde.org
Thu Oct 13 01:35:52 BST 2005
Hello,
The attached patch addresses several issues with the current implementation of
the XMLHttpRequest object:
1.) Add a referrer by default as requested in bug 113962. If one is supplied
through the "setRequestHeader" call, we sanitize it to make sure that it was
not an attempt to spoof the referrer header, which can be a security issue.
2.) Deny all but "get" and "post" support through "setRequestHeader" and make
sure the "get" and "post" requests are routed through the "open" function
call to ensure that they are sanitized properly.
3.) Instead of blindly doing a get action when the requested method is other
than http, simply abort the request. While we are at it, store the method
type in lowercase.
Comments, feedback...
--
Regards,
Dawit A.
"Practice what you preach, preach what you practice"
Attachment: xmlhttprequest.diff (text/x-diff, 4019 bytes)
URL: <https://mail.kde.org/mailman/private/kfm-devel/attachments/20051012/b6c3e5e3/attachment.diff>
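The three checks the mail describes, modelled as a stand-alone C++ policy class. This is an added illustration, not the attached patch and not KHTML's code: the class and function names (XhrPolicy, originOf, schemeOf, selfCheck) are hypothetical, the document and request URLs are constructed, and point 3's "method other than http" is read here as the URL scheme.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// Added example, not KHTML/Konqueror code: a stand-alone model of the three
// XMLHttpRequest checks the mail describes. All names are hypothetical and
// the URLs used below are constructed for the demonstration.

static std::string toLower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Scheme of an absolute URL, lowercased ("" when there is no scheme).
std::string schemeOf(const std::string& url) {
    std::string::size_type p = url.find("://");
    return p == std::string::npos ? std::string() : toLower(url.substr(0, p));
}

// scheme://host[:port] of an absolute URL, lowercased ("" when unparsable).
std::string originOf(const std::string& url) {
    std::string::size_type p = url.find("://");
    if (p == std::string::npos) return std::string();
    std::string::size_type end = url.find('/', p + 3);
    return toLower(end == std::string::npos ? url : url.substr(0, end));
}

class XhrPolicy {
public:
    explicit XhrPolicy(const std::string& documentUrl) : doc_(documentUrl) {}

    // Points 2 and 3: open() is the only place a method is accepted. Only
    // get/post pass (stored lowercase); any other method, or a non-http(s)
    // URL, aborts the request instead of silently turning into a GET.
    bool open(const std::string& method, const std::string& url) {
        std::string m = toLower(method);
        std::string scheme = schemeOf(url);
        if ((m != "get" && m != "post") || (scheme != "http" && scheme != "https")) {
            opened_ = false;
            return false;
        }
        method_ = m;
        url_ = url;
        opened_ = true;
        return true;
    }

    // Point 1: a script-supplied Referer is kept only when it belongs to the
    // document's own origin; a cross-origin value is treated as a spoof
    // attempt and dropped, so the default (the document URL) stays in effect.
    bool setRequestHeader(const std::string& name, const std::string& value) {
        std::string n = toLower(name);
        if (n == "referer" && originOf(value) != originOf(doc_)) return false;
        headers_[n] = value;
        return true;
    }

    bool opened() const { return opened_; }
    const std::string& method() const { return method_; }

    // Referer that would go on the wire: the sanitized script value if one
    // was accepted, otherwise the document URL (referrer added by default).
    std::string referer() const {
        std::map<std::string, std::string>::const_iterator it = headers_.find("referer");
        return it == headers_.end() ? doc_ : it->second;
    }

private:
    std::string doc_, method_, url_;
    std::map<std::string, std::string> headers_;
    bool opened_ = false;
};

// Runs the scenarios from the mail against the model; returns true when all
// of them behave as described.
bool selfCheck() {
    XhrPolicy p("http://www.example.org/page.html");  // constructed document URL
    bool ok = p.open("GET", "http://www.example.org/data.xml");
    ok = ok && p.method() == "get";                                        // stored lowercase
    ok = ok && p.referer() == "http://www.example.org/page.html";          // default referrer
    ok = ok && !p.setRequestHeader("Referer", "http://bank.example.com/"); // spoof rejected
    ok = ok && p.referer() == "http://www.example.org/page.html";
    ok = ok && p.setRequestHeader("Referer", "http://www.example.org/other.html");
    ok = ok && p.referer() == "http://www.example.org/other.html";
    XhrPolicy q("http://www.example.org/page.html");
    ok = ok && !q.open("PUT", "http://www.example.org/data.xml");  // only get/post allowed
    ok = ok && !q.open("get", "ftp://www.example.org/data.xml");   // non-http: abort, not GET
    return ok;
}

int main() {
    bool ok = selfCheck();
    std::cout << (ok ? "all checks passed" : "a check failed") << '\n';
    return ok ? 0 : 1;
}
```

The origin comparison is deliberately coarse (scheme and host:port only); a real browser also has to cope with relative URLs, userinfo and default ports, which this model leaves out.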