WebKit Bugzilla: Attachment 357565 Details for Bug 165508: Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers
Patch: bug-165508-20181218153005.patch (text/plain), 11.86 KB, created by Rob Buis on 2018-12-18 06:30:05 PST
Description: Patch
Flags: patch, obsolete
>Subversion Revision: 239329 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index b5a5d7182d07afbb11c00f16271dea98c32a4d46..24bc206b832e42ae51172726534fbc2b2fb5a3f0 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,27 @@ >+2018-12-18 Rob Buis <rbuis@igalia.com> >+ >+ Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers >+ https://bugs.webkit.org/show_bug.cgi?id=165508 >+ >+ Reviewed by Frédéric Wang. >+ >+ According to the spec [1] step 6.5, a wildcard for method >+ and request's credentials mode should be taken into account, so >+ add this to the check. Same for Access-Control-Allow-Headers (step 6.7). >+ >+ [1] https://fetch.spec.whatwg.org/#cors-preflight-fetch >+ >+ Tests: web-platform-tests/fetch/api/cors/cors-preflight-star.any.html >+ web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html >+ >+ * loader/CrossOriginAccessControl.cpp: >+ (WebCore::validatePreflightResponse): >+ * loader/CrossOriginPreflightResultCache.cpp: >+ (WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod const): >+ (WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders const): >+ (WebCore::CrossOriginPreflightResultCacheItem::allowsRequest const): >+ * loader/CrossOriginPreflightResultCache.h: >+ > 2018-12-17 Fujii Hironori <Hironori.Fujii@sony.com> > > [Win][Clang] Fix compilation warnings WebCore/platform/graphics directory >diff --git a/Source/WebCore/loader/CrossOriginAccessControl.cpp b/Source/WebCore/loader/CrossOriginAccessControl.cpp >index effbb5731f54300a7908c04f52d5ae6d1d833620..f6165967f1b3663e2f3cafa15c956622104be3df 100644 >--- a/Source/WebCore/loader/CrossOriginAccessControl.cpp >+++ b/Source/WebCore/loader/CrossOriginAccessControl.cpp 
>@@ -207,8 +207,8 @@ bool validatePreflightResponse(const ResourceRequest& request, const ResourceRes > > auto result = std::make_unique<CrossOriginPreflightResultCacheItem>(storedCredentialsPolicy); > if (!result->parse(response) >- || !result->allowsCrossOriginMethod(request.httpMethod(), errorDescription) >- || !result->allowsCrossOriginHeaders(request.httpHeaderFields(), errorDescription)) { >+ || !result->allowsCrossOriginMethod(request.httpMethod(), storedCredentialsPolicy, errorDescription) >+ || !result->allowsCrossOriginHeaders(request.httpHeaderFields(), storedCredentialsPolicy, errorDescription)) { > return false; > } > >diff --git a/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp b/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp >index 9d45b3745732811cb01163214276089e055443d6..d10a71d293683077a6c0aedf1aa1804c200b2b16 100644 >--- a/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp >+++ b/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp 
>@@ -71,21 +71,22 @@ bool CrossOriginPreflightResultCacheItem::parse(const ResourceResponse& response > return true; > } > >-bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, String& errorDescription) const >+bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, StoredCredentialsPolicy storedCredentialsPolicy, String& errorDescription) const > { >- if (m_methods.contains(method) || isOnAccessControlSimpleRequestMethodWhitelist(method)) >+ if (m_methods.contains(method) || (m_methods.contains("*") && storedCredentialsPolicy != StoredCredentialsPolicy::Use) || isOnAccessControlSimpleRequestMethodWhitelist(method)) > return true; > > errorDescription = "Method " + method + " is not allowed by Access-Control-Allow-Methods."; > return false; > } > >-bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, String& errorDescription) const >+bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, StoredCredentialsPolicy storedCredentialsPolicy, String& errorDescription) const > { >+ bool validWildcard = m_headers.contains("*") && storedCredentialsPolicy != StoredCredentialsPolicy::Use; > for (const auto& header : requestHeaders) { > if (header.keyAsHTTPHeaderName && isCrossOriginSafeRequestHeader(header.keyAsHTTPHeaderName.value(), header.value)) > continue; >- if (!m_headers.contains(header.key)) { >+ if (!m_headers.contains(header.key) && !validWildcard) { > errorDescription = "Request header field " + header.key + " is not allowed by Access-Control-Allow-Headers."; > return false; > } 
>@@ -100,9 +101,9 @@ bool CrossOriginPreflightResultCacheItem::allowsRequest(StoredCredentialsPolicy > return false; > if (storedCredentialsPolicy == StoredCredentialsPolicy::Use && m_storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse) > return false; >- if (!allowsCrossOriginMethod(method, ignoredExplanation)) >+ if (!allowsCrossOriginMethod(method, storedCredentialsPolicy, ignoredExplanation)) > return false; >- if (!allowsCrossOriginHeaders(requestHeaders, ignoredExplanation)) >+ if (!allowsCrossOriginHeaders(requestHeaders, storedCredentialsPolicy, ignoredExplanation)) > return false; > return true; > } >diff --git a/Source/WebCore/loader/CrossOriginPreflightResultCache.h b/Source/WebCore/loader/CrossOriginPreflightResultCache.h >index 3ff35b77f564b5a7c00cccc32170e393926f54da..4b91d47bb58e96f152c12b642c903e209c63f8ec 100644 >--- a/Source/WebCore/loader/CrossOriginPreflightResultCache.h >+++ b/Source/WebCore/loader/CrossOriginPreflightResultCache.h >@@ -46,8 +46,8 @@ public: > } > > WEBCORE_EXPORT bool parse(const ResourceResponse&); >- WEBCORE_EXPORT bool allowsCrossOriginMethod(const String&, String& errorDescription) const; >- WEBCORE_EXPORT bool allowsCrossOriginHeaders(const HTTPHeaderMap&, String& errorDescription) const; >+ WEBCORE_EXPORT bool allowsCrossOriginMethod(const String&, StoredCredentialsPolicy, String& errorDescription) const; >+ WEBCORE_EXPORT bool allowsCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy, String& errorDescription) const; > bool allowsRequest(StoredCredentialsPolicy, const String& method, const HTTPHeaderMap& requestHeaders) const; > > private: >diff --git a/LayoutTests/imported/w3c/ChangeLog b/LayoutTests/imported/w3c/ChangeLog >index 46260f5754da65c8b3f93aee763d506f31cdbfa2..572c146a687f2b256d9229b25f188110a0cd1d5d 100644 >--- a/LayoutTests/imported/w3c/ChangeLog >+++ b/LayoutTests/imported/w3c/ChangeLog 
>@@ -1,3 +1,13 @@ >+2018-12-18 Rob Buis <rbuis@igalia.com> >+ >+ Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers >+ https://bugs.webkit.org/show_bug.cgi?id=165508 >+ >+ Reviewed by Frédéric Wang. >+ >+ * web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt: >+ * web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt: >+ > 2018-12-14 Youenn Fablet <youenn@apple.com> > > getSenders/getReceivers() should not return closed transceiver senders/receivers >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt >index 5fd22b933dfe59afcbae26e6cc162cade1364314..43ddf79028e68b33573da7c7091cacc257d6b46b 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt >@@ -1,7 +1,3 @@ >-CONSOLE MESSAGE: Method SUPER is not allowed by Access-Control-Allow-Methods. >-CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?allow_methods=*&allow_headers=x-test& due to access control checks. >-CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. >-CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?allow_methods=*&allow_headers=*& due to access control checks. > CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?origin=http://localhost:8800&credentials&allow_methods=*&allow_headers=*& due to access control checks. > CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. 
>@@ -14,8 +10,8 @@ CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?origin=http://localhost:8800&credentials&allow_methods=put&allow_headers=*& due to access control checks. > > PASS CORS that succeeds with credentials: false; method: GET (allowed: get); header: X-Test,1 (allowed: x-test) >-FAIL CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) promise_test: Unhandled rejection with value: object "TypeError: Method SUPER is not allowed by Access-Control-Allow-Methods." >-FAIL CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) promise_test: Unhandled rejection with value: object "TypeError: Method OK is not allowed by Access-Control-Allow-Methods." >+PASS CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) >+PASS CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: PUT (allowed: *); header: (allowed: ) > PASS CORS that succeeds with credentials: true; method: PUT (allowed: PUT); header: (allowed: *) >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt >index 3afb4fb0d77e74db949680834389874fb2b51acd..ec24c35ca1c5ea85948e543bb64a2275fba20e45 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt 
>@@ -1,5 +1,3 @@ >-CONSOLE MESSAGE: Method SUPER is not allowed by Access-Control-Allow-Methods. >-CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Request header field X-Test is not allowed by Access-Control-Allow-Headers. >@@ -7,8 +5,8 @@ CONSOLE MESSAGE: Request header field X-Test is not allowed by Access-Control-Al > CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. > > PASS CORS that succeeds with credentials: false; method: GET (allowed: get); header: X-Test,1 (allowed: x-test) >-FAIL CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) promise_test: Unhandled rejection with value: object "TypeError: Method SUPER is not allowed by Access-Control-Allow-Methods." >-FAIL CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) promise_test: Unhandled rejection with value: object "TypeError: Method OK is not allowed by Access-Control-Allow-Methods." >+PASS CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) >+PASS CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: PUT (allowed: *); header: (allowed: ) > PASS CORS that succeeds with credentials: true; method: PUT (allowed: PUT); header: (allowed: *)
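Review bot: The Source/WebCore/ChangeLog entry justifies the change only by spec step numbers ("step 6.5", "step 6.7" of [1]); those numbers shift whenever the cors-preflight-fetch algorithm is edited, so quoting the actual condition next to them (the wildcard counts only when stored credentials are not used) would keep the rationale readable against later spec revisions. The entry also lists allowsRequest without saying that it merely threads the new parameter through; a short phrase there saves a reader a trip to the diff.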
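Review bot: In the validatePreflightResponse hunk the storedCredentialsPolicy handed to the two new parameters is the same value used to construct the cache item one line earlier (`std::make_unique<CrossOriginPreflightResultCacheItem>(storedCredentialsPolicy)`), so on this path the parameter duplicates the item's m_storedCredentialsPolicy. A one-line comment that the separate parameter exists for the cache-hit path in allowsRequest, where the request's policy can differ from the cached item's, would pre-empt a future "simplification" that drops it in favour of the member.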
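Review bot: In the allowsCrossOriginMethod hunk the wildcard test is inlined into an already long `if`, while allowsCrossOriginHeaders hoists the same test into a local; doing the same here, `bool validWildcard = m_methods.contains("*") && storedCredentialsPolicy != StoredCredentialsPolicy::Use;`, keeps the two functions symmetrical and makes the security-relevant guard (no wildcard when credentials are in use) stand out. In allowsCrossOriginHeaders, once validWildcard is true the only `return false` in the loop can no longer trigger, so the function could return true right after computing validWildcard instead of walking the header map to no effect.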
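Review bot: In the allowsRequest hunk, passing the caller's storedCredentialsPolicy rather than the item's m_storedCredentialsPolicy is the right choice: the check two lines above only rejects a StoredCredentialsPolicy::Use request against an entry cached with DoNotUse, so a DoNotUse request can legitimately hit an entry cached from a credentialed preflight, and the wildcard must then be evaluated against the current request's mode. A test that revisits a cached entry with a different credentials mode would lock this in; none of the expectation changes in this patch obviously covers the cached path.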
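Review bot: The CONSOLE MESSAGE lines kept in both expectation files for the `credentials&allow_methods=*` cases still read "Method OK is not allowed by Access-Control-Allow-Methods." although the response did list `*`; the rejection is correct, but the message hides the reason (wildcard not honoured because credentials are used). A distinct errorDescription for that branch in allowsCrossOriginMethod and allowsCrossOriginHeaders would make these expectations self-explanatory and help page authors diagnose the failure from the console.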