WebKit Bugzilla
Attachment 346788 Details for Bug 185473: Fetch: content-length header is being added to the safe-list
Patch
bug-185473-20180808223104.patch (text/plain), 6.54 KB, created by Rob Buis on 2018-08-08 13:31:05 PDT
>Subversion Revision: 234690 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 3f02ca7d62fd9aca790d7e1483080b908d71eb31..155e478320e369d9a25d15b9f13b0509abcca65b 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,19 @@ >+2018-08-08 Rob Buis <rbuis@igalia.com> >+ >+ Fetch: content-length header is being added to the safe-list >+ https://bugs.webkit.org/show_bug.cgi?id=185473 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Content-Length is a CORS-safelisted reponse header: >+ https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name >+ >+ Tests: web-platform-tests/fetch/api/cors/cors-filtering.html >+ web-platform-tests/fetch/api/cors/cors-filtering-worker.html >+ >+ * platform/network/HTTPParsers.cpp: >+ (WebCore::isCrossOriginSafeHeader): >+ > 2018-08-08 Charlie Turner <cturner@igalia.com> > > Add CENC sanitization >diff --git a/Source/WebCore/platform/network/HTTPParsers.cpp b/Source/WebCore/platform/network/HTTPParsers.cpp >index 97843984893f32a2e23ff943880fb679ef27f2a8..f79ea8880e41f5ffea2cc514467433797eefec02 100644 >--- a/Source/WebCore/platform/network/HTTPParsers.cpp >+++ b/Source/WebCore/platform/network/HTTPParsers.cpp >@@ -836,6 +836,7 @@ bool isCrossOriginSafeHeader(HTTPHeaderName name, const HTTPHeaderSet& accessCon > switch (name) { > case HTTPHeaderName::CacheControl: > case HTTPHeaderName::ContentLanguage: >+ case HTTPHeaderName::ContentLength: > case HTTPHeaderName::ContentType: > case HTTPHeaderName::Expires: > case HTTPHeaderName::LastModified: >diff --git a/LayoutTests/imported/w3c/ChangeLog b/LayoutTests/imported/w3c/ChangeLog >index 094a3226b48ecc4c0295d5fa8296391d3737eb40..f6b9d3e0947402e5e3d813b8b045d2415cf5b302 100644 >--- a/LayoutTests/imported/w3c/ChangeLog >+++ b/LayoutTests/imported/w3c/ChangeLog 
>@@ -1,3 +1,17 @@ >+2018-08-08 Rob Buis <rbuis@igalia.com> >+ >+ Fetch: content-length header is being added to the safe-list >+ https://bugs.webkit.org/show_bug.cgi?id=185473 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Sync with wpt change: >+ https://github.com/web-platform-tests/wpt/commit/407ecdff87af8aeceaa07cbc71aac9ec355d4334 >+ >+ * web-platform-tests/fetch/api/cors/cors-filtering-expected.txt: >+ * web-platform-tests/fetch/api/cors/cors-filtering-worker-expected.txt: >+ * web-platform-tests/fetch/api/cors/cors-filtering.js: >+ > 2018-08-08 Charlie Turner <cturner@igalia.com> > > Add CENC sanitization >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-filtering-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-filtering-expected.txt >index 23dea83e0fef444aacaea3ffd8d34c69d5eacfeb..ecdbf283e3e8310a4fbb4b217f75f2026e17a3ed 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-filtering-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-filtering-expected.txt >@@ -5,16 +5,15 @@ PASS CORS filter on Content-Type header > PASS CORS filter on Expires header > PASS CORS filter on Last-Modified header > PASS CORS filter on Pragma header >+PASS CORS filter on Content-Length header > PASS CORS filter on Age header > PASS CORS filter on Server header > PASS CORS filter on Warning header >-PASS CORS filter on Content-Length header > PASS CORS filter on Set-Cookie header > PASS CORS filter on Set-Cookie2 header > PASS CORS filter on Age header, header is exposed > PASS CORS filter on Server header, header is exposed > PASS CORS filter on Warning header, header is exposed >-PASS CORS filter on Content-Length header, header is exposed > PASS CORS filter on Set-Cookie header, header is forbidden > PASS CORS filter on Set-Cookie2 header, header is forbidden > PASS CORS filter on Set-Cookie header, header is forbidden(credentials = include) 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-filtering-worker-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-filtering-worker-expected.txt >index 23dea83e0fef444aacaea3ffd8d34c69d5eacfeb..ecdbf283e3e8310a4fbb4b217f75f2026e17a3ed 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-filtering-worker-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-filtering-worker-expected.txt >@@ -5,16 +5,15 @@ PASS CORS filter on Content-Type header > PASS CORS filter on Expires header > PASS CORS filter on Last-Modified header > PASS CORS filter on Pragma header >+PASS CORS filter on Content-Length header > PASS CORS filter on Age header > PASS CORS filter on Server header > PASS CORS filter on Warning header >-PASS CORS filter on Content-Length header > PASS CORS filter on Set-Cookie header > PASS CORS filter on Set-Cookie2 header > PASS CORS filter on Age header, header is exposed > PASS CORS filter on Server header, header is exposed > PASS CORS filter on Warning header, header is exposed >-PASS CORS filter on Content-Length header, header is exposed > PASS CORS filter on Set-Cookie header, header is forbidden > PASS CORS filter on Set-Cookie2 header, header is forbidden > PASS CORS filter on Set-Cookie header, header is forbidden(credentials = include) >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-filtering.js b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-filtering.js >index 1feaa5924f6a2f92308adbdadaa3038babe728cf..e755a167b04905426947c2c047738968e6740ec2 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-filtering.js >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-filtering.js 
>@@ -52,18 +52,17 @@ corsFilter(url, "Content-Type", "text/html", false); > corsFilter(url, "Expires","04 May 1988 22:22:22 GMT" , false); > corsFilter(url, "Last-Modified", "04 May 1988 22:22:22 GMT", false); > corsFilter(url, "Pragma", "no-cache", false); >+corsFilter(url, "Content-Length", "3" , false); // top.txt contains "top" > > corsFilter(url, "Age", "27", true); > corsFilter(url, "Server", "wptServe" , true); > corsFilter(url, "Warning", "Mind the gap" , true); >-corsFilter(url, "Content-Length", "3" , true); // top.txt contains "top" > corsFilter(url, "Set-Cookie", "name=value" , true); > corsFilter(url, "Set-Cookie2", "name=value" , true); > > corsExposeFilter(url, "Age", "27", false); > corsExposeFilter(url, "Server", "wptServe" , false); > corsExposeFilter(url, "Warning", "Mind the gap" , false); >-corsExposeFilter(url, "Content-Length", "3" , false); > > corsExposeFilter(url, "Set-Cookie", "name=value" , true); > corsExposeFilter(url, "Set-Cookie2", "name=value" , true);
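Review bot: In the Source/WebCore/ChangeLog entry, "reponse" in "Content-Length is a CORS-safelisted reponse header:" is misspelled and should read "response". The entry would also be more useful if it stated the behaviour change directly: Content-Length becomes readable by cross-origin callers without the server naming it in Access-Control-Expose-Headers, which is what the test move from the `true` group to the `false` group in cors-filtering.js reflects.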
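Review bot: In Source/WebCore/platform/network/HTTPParsers.cpp, the new `case HTTPHeaderName::ContentLength:` in isCrossOriginSafeHeader is added without any reference to the spec list this switch mirrors. Because this switch decides which response headers cross-origin script may read, consider a comment at the switch citing https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name (the URL already given in the ChangeLog), if one is not already present above the visible context, so later additions can be audited against the spec list.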
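Review bot: In cors-filtering.js, removing `corsExposeFilter(url, "Content-Length", "3" , false);` leaves no case that covers Content-Length when the server also names it for exposure, so a regression in which a header that is both safelisted and explicitly exposed gets filtered would go unnoticed. Since this file is synced from wpt, consider proposing that case upstream rather than diverging locally; the corresponding "CORS filter on Content-Length header, header is exposed" line would then return to both cors-filtering-expected.txt and cors-filtering-worker-expected.txt.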
Attachments on bug 185473: 346783 | 346786 | 346787 | 346788