WebKit Bugzilla
Attachment 356153 Details for
Bug 165508
: Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
bug-165508-20181130091652.patch (text/plain), 20.62 KB, created by
Rob Buis
on 2018-11-30 00:16:53 PST
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Rob Buis
Created:
2018-11-30 00:16:53 PST
Size:
20.62 KB
patch
obsolete
>Subversion Revision: 238666 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 0f2b337981efbb85889ff67fc1bdb56516af2658..7c57b57af7e5576f0263c77b312d0fa823f1b6ce 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,32 @@ >+2018-11-30 Rob Buis <rbuis@igalia.com> >+ >+ Add wildcard to Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers >+ https://bugs.webkit.org/show_bug.cgi?id=165508 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ According to the spec [1] step 6.5, a wildcard for method >+ and request's credentials mode should be taken into account, so >+ add this to the check. Same for ccess-Control-Allow-Headers (step 6.7). >+ >+ [1] https://fetch.spec.whatwg.org/#cors-preflight-fetch >+ >+ Tests: web-platform-tests/fetch/api/cors/cors-preflight-star.any.html >+ web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html >+ >+ * loader/CrossOriginAccessControl.cpp: >+ (WebCore::validatePreflightResponse): >+ * loader/CrossOriginPreflightResultCache.cpp: >+ (WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod const): >+ (WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders const): >+ (WebCore::CrossOriginPreflightResultCacheItem::allowsRequest const): >+ * loader/CrossOriginPreflightResultCache.h: >+ * platform/network/ResourceResponseBase.cpp: >+ (WebCore::ResourceResponseBase::filter): >+ (WebCore::ResourceResponseBase::sanitizeHTTPHeaderFieldsAccordingToTainting): >+ (WebCore::ResourceResponseBase::sanitizeHTTPHeaderFields): >+ * platform/network/ResourceResponseBase.h: >+ > 2018-11-29 Rob Buis <rbuis@igalia.com> > > Remove some superfluous code in ContentSecurityPolicy::upgradeInsecureRequestIfNeeded >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index 8b6cc709f37589783ac64814b6e2b6e020d6b0c9..54471a0d0e89f41da2daaa324f5cad3161a5a295 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog >@@ -1,3 +1,13 @@ >+2018-11-30 Rob Buis <rbuis@igalia.com> >+ >+ Add wildcard to Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers >+ https://bugs.webkit.org/show_bug.cgi?id=165508 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * NetworkProcess/NetworkResourceLoader.cpp: >+ (WebKit::NetworkResourceLoader::sanitizeResponseIfPossible): >+ > 2018-11-29 Tomas Popela <tpopela@redhat.com> > > [GTK][WPE] Fix BubblewrapLauncher clang warnings >diff --git a/Source/WebCore/loader/CrossOriginAccessControl.cpp b/Source/WebCore/loader/CrossOriginAccessControl.cpp >index 0d26a1faac183574043faa7b4a9ec6d11180b817..976fe5a24cba817ce49643def05e9b772c0cda0c 100644 >--- a/Source/WebCore/loader/CrossOriginAccessControl.cpp >+++ b/Source/WebCore/loader/CrossOriginAccessControl.cpp >@@ -207,8 +207,8 @@ bool validatePreflightResponse(const ResourceRequest& request, const ResourceRes > > auto result = std::make_unique<CrossOriginPreflightResultCacheItem>(storedCredentialsPolicy); > if (!result->parse(response, errorDescription) >- || !result->allowsCrossOriginMethod(request.httpMethod(), errorDescription) >- || !result->allowsCrossOriginHeaders(request.httpHeaderFields(), errorDescription)) { >+ || !result->allowsCrossOriginMethod(request.httpMethod(), storedCredentialsPolicy, errorDescription) >+ || !result->allowsCrossOriginHeaders(request.httpHeaderFields(), storedCredentialsPolicy, errorDescription)) { > return false; > } > >diff --git a/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp b/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp >index 632b68daa8085982d212a472ce74ed5cff578f4c..acb309712639a05d4b1a86bac262209942c370bf 100644 >--- a/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp >+++ b/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp >@@ -81,21 +81,22 @@ bool CrossOriginPreflightResultCacheItem::parse(const ResourceResponse& response > return true; > } > >-bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, String& errorDescription) const >+bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, StoredCredentialsPolicy storedCredentialsPolicy, String& errorDescription) const > { >- if (m_methods.contains(method) || isOnAccessControlSimpleRequestMethodWhitelist(method)) >+ if (m_methods.contains(method) || (m_methods.contains("*") && storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse) || isOnAccessControlSimpleRequestMethodWhitelist(method)) > return true; > > errorDescription = "Method " + method + " is not allowed by Access-Control-Allow-Methods."; > return false; > } > >-bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, String& errorDescription) const >+bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, StoredCredentialsPolicy storedCredentialsPolicy, String& errorDescription) const > { >+ bool validWildcard = m_headers.contains("*") && storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse; > for (const auto& header : requestHeaders) { > if (header.keyAsHTTPHeaderName && isCrossOriginSafeRequestHeader(header.keyAsHTTPHeaderName.value(), header.value)) > continue; >- if (!m_headers.contains(header.key)) { >+ if (!m_headers.contains(header.key) && !validWildcard) { > errorDescription = "Request header field " + header.key + " is not allowed by Access-Control-Allow-Headers."; > return false; > } >@@ -110,9 +111,9 @@ bool CrossOriginPreflightResultCacheItem::allowsRequest(StoredCredentialsPolicy > return false; > if (storedCredentialsPolicy == StoredCredentialsPolicy::Use && m_storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse) > return false; >- if (!allowsCrossOriginMethod(method, ignoredExplanation)) >+ if (!allowsCrossOriginMethod(method, storedCredentialsPolicy, ignoredExplanation)) > return false; >- if (!allowsCrossOriginHeaders(requestHeaders, ignoredExplanation)) >+ if (!allowsCrossOriginHeaders(requestHeaders, storedCredentialsPolicy, ignoredExplanation)) > return false; > return true; > } >diff --git a/Source/WebCore/loader/CrossOriginPreflightResultCache.h b/Source/WebCore/loader/CrossOriginPreflightResultCache.h >index dc07130a1b14653bd1df5beee98809e3b72efbe3..a9fea61dd0aef093f852704ef8631d3c5cc4f8c0 100644 >--- a/Source/WebCore/loader/CrossOriginPreflightResultCache.h >+++ b/Source/WebCore/loader/CrossOriginPreflightResultCache.h >@@ -46,8 +46,8 @@ public: > } > > WEBCORE_EXPORT bool parse(const ResourceResponse&, String& errorDescription); >- WEBCORE_EXPORT bool allowsCrossOriginMethod(const String&, String& errorDescription) const; >- WEBCORE_EXPORT bool allowsCrossOriginHeaders(const HTTPHeaderMap&, String& errorDescription) const; >+ WEBCORE_EXPORT bool allowsCrossOriginMethod(const String&, StoredCredentialsPolicy, String& errorDescription) const; >+ WEBCORE_EXPORT bool allowsCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy, String& errorDescription) const; > bool allowsRequest(StoredCredentialsPolicy, const String& method, const HTTPHeaderMap& requestHeaders) const; > > private: >diff --git a/Source/WebCore/platform/network/ResourceResponseBase.cpp b/Source/WebCore/platform/network/ResourceResponseBase.cpp >index 76672191698f1a6b3b0ae9fa1d50547e12334ce9..43af3904332d27934b27151db9a361df44f8d4b3 100644 >--- a/Source/WebCore/platform/network/ResourceResponseBase.cpp >+++ b/Source/WebCore/platform/network/ResourceResponseBase.cpp >@@ -153,12 +153,16 @@ ResourceResponse ResourceResponseBase::filter(const ResourceResponse& response) > > HTTPHeaderSet accessControlExposeHeaderSet; > parseAccessControlExposeHeadersAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders), accessControlExposeHeaderSet); >- filteredResponse.m_httpHeaderFields.uncommonHeaders().removeAllMatching([&](auto& entry) { >- return !isCrossOriginSafeHeader(entry.key, accessControlExposeHeaderSet); >- }); >- filteredResponse.m_httpHeaderFields.commonHeaders().removeAllMatching([&](auto& entry) { >+ if (accessControlExposeHeaderSet.contains("*")) >+ filteredResponse.m_httpHeaderFields = response.m_httpHeaderFields; >+ else { >+ filteredResponse.m_httpHeaderFields.uncommonHeaders().removeAllMatching([&](auto& entry) { >+ return !isCrossOriginSafeHeader(entry.key, accessControlExposeHeaderSet); >+ }); >+ filteredResponse.m_httpHeaderFields.commonHeaders().removeAllMatching([&](auto& entry) { > return !isCrossOriginSafeHeader(entry.key, accessControlExposeHeaderSet); >- }); >+ }); >+ } > > return filteredResponse; > } >@@ -408,24 +412,27 @@ static bool isSafeCrossOriginResponseHeader(HTTPHeaderName name) > || name == HTTPHeaderName::XXSSProtection; > } > >-void ResourceResponseBase::sanitizeHTTPHeaderFieldsAccordingToTainting() >+void ResourceResponseBase::sanitizeHTTPHeaderFieldsAccordingToTainting(bool sendsCredentials) > { > switch (m_tainting) { > case ResourceResponse::Tainting::Basic: > return; > case ResourceResponse::Tainting::Cors: { > HTTPHeaderMap filteredHeaders; >+ auto corsSafeHeaderSet = parseAccessControlAllowList(httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders)); >+ if (corsSafeHeaderSet->contains("*") && !sendsCredentials) { >+ fprintf(stderr, "wildcard !!!\n"); >+ return; >+ } > for (auto& header : m_httpHeaderFields.commonHeaders()) { > if (isSafeCrossOriginResponseHeader(header.key)) > filteredHeaders.add(header.key, WTFMove(header.value)); > } >- if (auto corsSafeHeaderSet = parseAccessControlAllowList(httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders))) { >- for (auto& headerName : *corsSafeHeaderSet) { >- if (!filteredHeaders.contains(headerName)) { >- auto value = m_httpHeaderFields.get(headerName); >- if (!value.isNull()) >- filteredHeaders.add(headerName, value); >- } >+ for (auto& headerName : *corsSafeHeaderSet) { >+ if (!filteredHeaders.contains(headerName)) { >+ auto value = m_httpHeaderFields.get(headerName); >+ if (!value.isNull()) >+ filteredHeaders.add(headerName, value); > } > } > m_httpHeaderFields = WTFMove(filteredHeaders); >@@ -448,7 +455,7 @@ void ResourceResponseBase::sanitizeHTTPHeaderFieldsAccordingToTainting() > } > } > >-void ResourceResponseBase::sanitizeHTTPHeaderFields(SanitizationType type) >+void ResourceResponseBase::sanitizeHTTPHeaderFields(SanitizationType type, bool sendsCredentials) > { > lazyInit(AllFields); > >@@ -468,7 +475,7 @@ void ResourceResponseBase::sanitizeHTTPHeaderFields(SanitizationType type) > return; > } > case SanitizationType::CrossOriginSafe: >- sanitizeHTTPHeaderFieldsAccordingToTainting(); >+ sanitizeHTTPHeaderFieldsAccordingToTainting(sendsCredentials); > } > } > >diff --git a/Source/WebCore/platform/network/ResourceResponseBase.h b/Source/WebCore/platform/network/ResourceResponseBase.h >index 6fca6b751f57f081f43a1343b2e5150ce2fd621a..375ec151a2e3bd1cc15599eae908ffafb467abf3 100644 >--- a/Source/WebCore/platform/network/ResourceResponseBase.h >+++ b/Source/WebCore/platform/network/ResourceResponseBase.h >@@ -104,7 +104,7 @@ public: > void setHTTPHeaderFields(HTTPHeaderMap&&); > > enum class SanitizationType { Redirection, RemoveCookies, CrossOriginSafe }; >- WEBCORE_EXPORT void sanitizeHTTPHeaderFields(SanitizationType); >+ WEBCORE_EXPORT void sanitizeHTTPHeaderFields(SanitizationType, bool sendsCredentials); > > String httpHeaderField(const String& name) const; > WEBCORE_EXPORT String httpHeaderField(HTTPHeaderName) const; >@@ -200,7 +200,7 @@ protected: > private: > void parseCacheControlDirectives() const; > void updateHeaderParsedState(HTTPHeaderName); >- void sanitizeHTTPHeaderFieldsAccordingToTainting(); >+ void sanitizeHTTPHeaderFieldsAccordingToTainting(bool sendsCredentials); > > protected: > URL m_url; >diff --git a/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp b/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp >index bb1fb6ba2914a638b84825f6f57aeecd51e96f0c..9067f4e50be1187c1a80da0807abef5a0d7b3de9 100644 >--- a/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp >+++ b/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp >@@ -687,7 +687,7 @@ void NetworkResourceLoader::didFinishWithRedirectResponse(ResourceResponse&& red > ResourceResponse NetworkResourceLoader::sanitizeResponseIfPossible(ResourceResponse&& response, ResourceResponse::SanitizationType type) > { > if (m_parameters.shouldRestrictHTTPResponseAccess) >- response.sanitizeHTTPHeaderFields(type); >+ response.sanitizeHTTPHeaderFields(type, m_parameters.options.credentials == FetchOptions::Credentials::Include); > > return WTFMove(response); > } >diff --git a/LayoutTests/imported/w3c/ChangeLog b/LayoutTests/imported/w3c/ChangeLog >index 7f749a246da770f1205cca1da468586500c4a800..71d52cabc40162a4ef8224f42e83566a5ec2a85e 100644 >--- a/LayoutTests/imported/w3c/ChangeLog >+++ b/LayoutTests/imported/w3c/ChangeLog >@@ -1,3 +1,17 @@ >+2018-11-30 Rob Buis <rbuis@igalia.com> >+ >+ Add wildcard to Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers >+ https://bugs.webkit.org/show_bug.cgi?id=165508 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Update improved test results. >+ >+ * web-platform-tests/fetch/api/cors/cors-expose-star.sub.any-expected.txt: >+ * web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.worker-expected.txt: >+ * web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt: >+ * web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt: >+ > 2018-11-29 Rob Buis <rbuis@igalia.com> > > Import fetch/api/cors tests >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any-expected.txt >index d750832f72ffc1189c2f3988e10aec330262800a..eb5853cd3159984377110cd7f54b527a465df8a6 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any-expected.txt >@@ -1,5 +1,5 @@ > >-FAIL Basic Access-Control-Expose-Headers: * support assert_equals: expected (string) "X" but got (object) null >+PASS Basic Access-Control-Expose-Headers: * support > PASS * for credentialed fetches only matches literally >-FAIL * can be one of several values assert_equals: expected (string) "X" but got (object) null >+PASS * can be one of several values > >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.worker-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.worker-expected.txt >index d750832f72ffc1189c2f3988e10aec330262800a..eb5853cd3159984377110cd7f54b527a465df8a6 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.worker-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.worker-expected.txt >@@ -1,5 +1,5 @@ > >-FAIL Basic Access-Control-Expose-Headers: * support assert_equals: expected (string) "X" but got (object) null >+PASS Basic Access-Control-Expose-Headers: * support > PASS * for credentialed fetches only matches literally >-FAIL * can be one of several values assert_equals: expected (string) "X" but got (object) null >+PASS * can be one of several values > >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt >index 5fd22b933dfe59afcbae26e6cc162cade1364314..43ddf79028e68b33573da7c7091cacc257d6b46b 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt >@@ -1,7 +1,3 @@ >-CONSOLE MESSAGE: Method SUPER is not allowed by Access-Control-Allow-Methods. >-CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?allow_methods=*&allow_headers=x-test& due to access control checks. >-CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. >-CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?allow_methods=*&allow_headers=*& due to access control checks. > CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?origin=http://localhost:8800&credentials&allow_methods=*&allow_headers=*& due to access control checks. > CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. >@@ -14,8 +10,8 @@ CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?origin=http://localhost:8800&credentials&allow_methods=put&allow_headers=*& due to access control checks. > > PASS CORS that succeeds with credentials: false; method: GET (allowed: get); header: X-Test,1 (allowed: x-test) >-FAIL CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) promise_test: Unhandled rejection with value: object "TypeError: Method SUPER is not allowed by Access-Control-Allow-Methods." >-FAIL CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) promise_test: Unhandled rejection with value: object "TypeError: Method OK is not allowed by Access-Control-Allow-Methods." >+PASS CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) >+PASS CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: PUT (allowed: *); header: (allowed: ) > PASS CORS that succeeds with credentials: true; method: PUT (allowed: PUT); header: (allowed: *) >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt >index 3afb4fb0d77e74db949680834389874fb2b51acd..ec24c35ca1c5ea85948e543bb64a2275fba20e45 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt >@@ -1,5 +1,3 @@ >-CONSOLE MESSAGE: Method SUPER is not allowed by Access-Control-Allow-Methods. >-CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Request header field X-Test is not allowed by Access-Control-Allow-Headers. >@@ -7,8 +5,8 @@ CONSOLE MESSAGE: Request header field X-Test is not allowed by Access-Control-Al > CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. > > PASS CORS that succeeds with credentials: false; method: GET (allowed: get); header: X-Test,1 (allowed: x-test) >-FAIL CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) promise_test: Unhandled rejection with value: object "TypeError: Method SUPER is not allowed by Access-Control-Allow-Methods." >-FAIL CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) promise_test: Unhandled rejection with value: object "TypeError: Method OK is not allowed by Access-Control-Allow-Methods." >+PASS CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) >+PASS CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: PUT (allowed: *); header: (allowed: ) > PASS CORS that succeeds with credentials: true; method: PUT (allowed: PUT); header: (allowed: *)
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=356153">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 165508
:
355603
|
355604
|
355605
|
355610
|
355611
|
355638
|
356153
|
356162
|
356163
|
356165
|
356179
|
356187
|
356193
|
356209
|
356815
|
357565
|
371657
|
371667
|
371706