OOR-CORS: Disallow setting the Host header via the factory interface

The Host header is expected to be set by the network stack, and
the value should be aligned with the destination host, or |url|
in the ResourceRequest.
listed in |forbidden header name| of the fetch spec, but
mojo IPC can still potentially be compromised, and having this second
check in the network service would reduce security risk.
Auto-Submit: Takashi Toyoshima <email@example.com>
Reviewed-by: Yutaka Hirano <firstname.lastname@example.org>
Reviewed-by: Raymes Khoury <email@example.com>
Commit-Queue: Takashi Toyoshima <firstname.lastname@example.org>
1 file changed
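
The second, service-side check the commit message describes can be sketched as follows. This is an added example, not Chromium's code: `HeaderList` and `HeadersAllowedFromUntrustedClient` are hypothetical names, and the sample requests are constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for the header list carried by a request message.
using HeaderList = std::vector<std::pair<std::string, std::string>>;

// ASCII case-insensitive comparison; HTTP header names are case-insensitive,
// so "hOsT" must be treated the same as "Host".
static bool EqualsIgnoreCase(const std::string& a, const std::string& b) {
  return a.size() == b.size() &&
         std::equal(a.begin(), a.end(), b.begin(), [](char x, char y) {
           return std::tolower(static_cast<unsigned char>(x)) ==
                  std::tolower(static_cast<unsigned char>(y));
         });
}

// Service-side check, run on every request received over IPC regardless of
// what the sending process already validated. Returns false if the caller
// supplied Host itself; the network stack derives Host from the request URL.
bool HeadersAllowedFromUntrustedClient(const HeaderList& headers) {
  for (const auto& header : headers) {
    if (EqualsIgnoreCase(header.first, "Host"))
      return false;
  }
  return true;
}

int main() {
  // Constructed sample requests.
  HeaderList ok = {{"Accept", "*/*"}, {"X-Host", "a.example"}};
  HeaderList spoofed = {{"Accept", "*/*"}, {"hOsT", "internal.example"}};
  return (HeadersAllowedFromUntrustedClient(ok) &&
          !HeadersAllowedFromUntrustedClient(spoofed))
             ? 0
             : 1;
}
```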