Security risk in xhr.status if response is spoofed
christopher-kiss opened this issue · comments
Note: for support questions, please use one of these channels: stackoverflow or slack
You want to:
- report a bug
- request a feature
Current behaviour
If status is not 200 or 1223, the status is passed straight into the error handler, which is then propagated out to socket 'connect_error' handlers provided by developers.
Steps to reproduce (if the current behaviour is a bug)
Use XHR polling transport type
Intercept the HTTP request and spoof the response status to an invalid value.
Expected behaviour
Error handler should always return a valid status code which is of type number.
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/status
Setup
- OS: any
- browser: any
- engine.io version: 2.1.1
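The check the report asks for, as an added example that is not engine.io's own code: a polling-transport load handler that sanitises xhr.status before it reaches 'connect_error' listeners, exercised against constructed mock XHR objects. The function names (sanitizeStatus, handleLoad, buildConnectError) are assumptions for this illustration.

```javascript
// Added example, not engine.io's own code: sanitise xhr.status before it is
// handed to developer-supplied 'connect_error' handlers.

// Per the XMLHttpRequest spec, status is an unsigned short; 0 means the request
// never completed (network error, CORS block, abort). 1223 is IE's rendering of
// a 204 and is treated as a success by the transport, so it is allowed through.
function sanitizeStatus(raw) {
  const n = typeof raw === 'number' ? raw : Number(raw);
  if (n === 1223) return n;
  // Reject NaN, non-integers, negatives and anything outside HTTP's range.
  if (!Number.isInteger(n) || n < 0 || n > 599) return 0;
  return n;
}

// Mirror of the success test described in the issue: 200, or IE's 1223.
function isSuccess(status) {
  return status === 200 || status === 1223;
}

// Build the error object handed to 'connect_error' listeners. The status field
// is always a number; the raw value is kept only as a string for diagnostics.
function buildConnectError(xhr) {
  const status = sanitizeStatus(xhr.status);
  return {
    message: 'xhr poll error',
    status,
    rawStatus: String(xhr.status),
    description: `unexpected HTTP status ${status}`,
  };
}

// Dispatch one completed XHR the way a polling transport would, returning
// which path was taken so the behaviour can be checked.
function handleLoad(xhr, onData, onError) {
  const status = sanitizeStatus(xhr.status);
  if (isSuccess(status)) {
    onData(xhr.responseText);
    return 'data';
  }
  onError(buildConnectError(xhr));
  return 'error';
}

// Constructed mock XHRs standing in for genuine and spoofed responses.
const constructedResponses = [
  { status: 200, responseText: '0{"sid":"constructed","upgrades":[]}' },
  { status: 503, responseText: '' },
  { status: 'evil', responseText: '' },   // spoofed non-numeric status
  { status: 99999, responseText: '' },    // spoofed out-of-range status
];
```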