WebKit Bugzilla
Attachment 371706 Details for Bug 165508: Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers
Patch: bug-165508-20190609113008.patch (text/plain), 11.77 KB, created by Rob Buis on 2019-06-09 02:30:11 PDT
Description: Patch
Flags: patch, obsolete
>Subversion Revision: 246237 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 0b9937c8bb59b35ff1fbb6aa2c9333f31d23f1d5..fb5b50dea19d1d58f201b1c632e9e03b1cc9432c 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,27 @@ >+2019-06-09 Rob Buis <rbuis@igalia.com> >+ >+ Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers >+ https://bugs.webkit.org/show_bug.cgi?id=165508 >+ >+ Reviewed by Frédéric Wang. >+ >+ According to the spec [1] step 6.5, a wildcard for method >+ and request's credentials mode should be taken into account, so >+ add this to the check. Same for Access-Control-Allow-Headers (step 6.7). >+ >+ [1] https://fetch.spec.whatwg.org/#cors-preflight-fetch >+ >+ Tests: web-platform-tests/fetch/api/cors/cors-preflight-star.any.html >+ web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html >+ >+ * loader/CrossOriginAccessControl.cpp: >+ (WebCore::validatePreflightResponse): >+ * loader/CrossOriginPreflightResultCache.cpp: >+ (WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod const): >+ (WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders const): >+ (WebCore::CrossOriginPreflightResultCacheItem::allowsRequest const): >+ * loader/CrossOriginPreflightResultCache.h: >+ > 2019-06-08 Zalan Bujtas <zalan@apple.com> > > [LFC][IFC] Introduce Baseline to LineBox >diff --git a/Source/WebCore/loader/CrossOriginAccessControl.cpp b/Source/WebCore/loader/CrossOriginAccessControl.cpp >index 2bb9737bd2ece0b94d741aefe1596975d8a7f568..1f67c1de5889e067994ad47148ca390685d77b08 100644 >--- a/Source/WebCore/loader/CrossOriginAccessControl.cpp >+++ b/Source/WebCore/loader/CrossOriginAccessControl.cpp 
>@@ -207,8 +207,8 @@ bool validatePreflightResponse(const ResourceRequest& request, const ResourceRes > > auto result = std::make_unique<CrossOriginPreflightResultCacheItem>(storedCredentialsPolicy); > if (!result->parse(response) >- || !result->allowsCrossOriginMethod(request.httpMethod(), errorDescription) >- || !result->allowsCrossOriginHeaders(request.httpHeaderFields(), errorDescription)) { >+ || !result->allowsCrossOriginMethod(request.httpMethod(), storedCredentialsPolicy, errorDescription) >+ || !result->allowsCrossOriginHeaders(request.httpHeaderFields(), storedCredentialsPolicy, errorDescription)) { > return false; > } > >diff --git a/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp b/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp >index 5d6e201b275427860c34a54244b158f39e9d6197..fb3dadaddaf1989c798c2b01dbe9c79d768fc3ea 100644 >--- a/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp >+++ b/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp 
>@@ -68,21 +68,22 @@ bool CrossOriginPreflightResultCacheItem::parse(const ResourceResponse& response > return true; > } > >-bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, String& errorDescription) const >+bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, StoredCredentialsPolicy storedCredentialsPolicy, String& errorDescription) const > { >- if (m_methods.contains(method) || isOnAccessControlSimpleRequestMethodWhitelist(method)) >+ if (m_methods.contains(method) || (m_methods.contains("*") && storedCredentialsPolicy != StoredCredentialsPolicy::Use) || isOnAccessControlSimpleRequestMethodWhitelist(method)) > return true; > > errorDescription = "Method " + method + " is not allowed by Access-Control-Allow-Methods."; > return false; > } > >-bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, String& errorDescription) const >+bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, StoredCredentialsPolicy storedCredentialsPolicy, String& errorDescription) const > { >+ bool validWildcard = m_headers.contains("*") && storedCredentialsPolicy != StoredCredentialsPolicy::Use; > for (const auto& header : requestHeaders) { > if (header.keyAsHTTPHeaderName && isCrossOriginSafeRequestHeader(header.keyAsHTTPHeaderName.value(), header.value)) > continue; >- if (!m_headers.contains(header.key)) { >+ if (!m_headers.contains(header.key) && !validWildcard) { > errorDescription = "Request header field " + header.key + " is not allowed by Access-Control-Allow-Headers."; > return false; > } 
>@@ -97,9 +98,9 @@ bool CrossOriginPreflightResultCacheItem::allowsRequest(StoredCredentialsPolicy > return false; > if (storedCredentialsPolicy == StoredCredentialsPolicy::Use && m_storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse) > return false; >- if (!allowsCrossOriginMethod(method, ignoredExplanation)) >+ if (!allowsCrossOriginMethod(method, storedCredentialsPolicy, ignoredExplanation)) > return false; >- if (!allowsCrossOriginHeaders(requestHeaders, ignoredExplanation)) >+ if (!allowsCrossOriginHeaders(requestHeaders, storedCredentialsPolicy, ignoredExplanation)) > return false; > return true; > } >diff --git a/Source/WebCore/loader/CrossOriginPreflightResultCache.h b/Source/WebCore/loader/CrossOriginPreflightResultCache.h >index fada11fbbed71588f2703f14fa96be4d5deba7d6..066793dae6ce18883db087945467c2ecf90ef899 100644 >--- a/Source/WebCore/loader/CrossOriginPreflightResultCache.h >+++ b/Source/WebCore/loader/CrossOriginPreflightResultCache.h >@@ -46,8 +46,8 @@ public: > } > > WEBCORE_EXPORT bool parse(const ResourceResponse&); >- WEBCORE_EXPORT bool allowsCrossOriginMethod(const String&, String& errorDescription) const; >- WEBCORE_EXPORT bool allowsCrossOriginHeaders(const HTTPHeaderMap&, String& errorDescription) const; >+ WEBCORE_EXPORT bool allowsCrossOriginMethod(const String&, StoredCredentialsPolicy, String& errorDescription) const; >+ WEBCORE_EXPORT bool allowsCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy, String& errorDescription) const; > bool allowsRequest(StoredCredentialsPolicy, const String& method, const HTTPHeaderMap& requestHeaders) const; > > private: >diff --git a/LayoutTests/imported/w3c/ChangeLog b/LayoutTests/imported/w3c/ChangeLog >index f1cb90389a88384bd0e5f0341f028cc71e33ecd5..5f08890a1221756d25153abe73869e1e12f31433 100644 >--- a/LayoutTests/imported/w3c/ChangeLog >+++ b/LayoutTests/imported/w3c/ChangeLog 
>@@ -1,3 +1,13 @@ >+2019-06-09 Rob Buis <rbuis@igalia.com> >+ >+ Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers >+ https://bugs.webkit.org/show_bug.cgi?id=165508 >+ >+ Reviewed by Frédéric Wang. >+ >+ * web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt: >+ * web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt: >+ > 2019-06-07 Joonghun Park <jh718.park@samsung.com> > > Implement tab-size with units >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt >index 5fd22b933dfe59afcbae26e6cc162cade1364314..43ddf79028e68b33573da7c7091cacc257d6b46b 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt >@@ -1,7 +1,3 @@ >-CONSOLE MESSAGE: Method SUPER is not allowed by Access-Control-Allow-Methods. >-CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?allow_methods=*&allow_headers=x-test& due to access control checks. >-CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. >-CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?allow_methods=*&allow_headers=*& due to access control checks. > CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?origin=http://localhost:8800&credentials&allow_methods=*&allow_headers=*& due to access control checks. > CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. 
>@@ -14,8 +10,8 @@ CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?origin=http://localhost:8800&credentials&allow_methods=put&allow_headers=*& due to access control checks. > > PASS CORS that succeeds with credentials: false; method: GET (allowed: get); header: X-Test,1 (allowed: x-test) >-FAIL CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) promise_test: Unhandled rejection with value: object "TypeError: Method SUPER is not allowed by Access-Control-Allow-Methods." >-FAIL CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) promise_test: Unhandled rejection with value: object "TypeError: Method OK is not allowed by Access-Control-Allow-Methods." >+PASS CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) >+PASS CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: PUT (allowed: *); header: (allowed: ) > PASS CORS that succeeds with credentials: true; method: PUT (allowed: PUT); header: (allowed: *) >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt >index 3afb4fb0d77e74db949680834389874fb2b51acd..ec24c35ca1c5ea85948e543bb64a2275fba20e45 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt 
>@@ -1,5 +1,3 @@ >-CONSOLE MESSAGE: Method SUPER is not allowed by Access-Control-Allow-Methods. >-CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Request header field X-Test is not allowed by Access-Control-Allow-Headers. >@@ -7,8 +5,8 @@ CONSOLE MESSAGE: Request header field X-Test is not allowed by Access-Control-Al > CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. > > PASS CORS that succeeds with credentials: false; method: GET (allowed: get); header: X-Test,1 (allowed: x-test) >-FAIL CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) promise_test: Unhandled rejection with value: object "TypeError: Method SUPER is not allowed by Access-Control-Allow-Methods." >-FAIL CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) promise_test: Unhandled rejection with value: object "TypeError: Method OK is not allowed by Access-Control-Allow-Methods." >+PASS CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) >+PASS CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: PUT (allowed: *); header: (allowed: ) > PASS CORS that succeeds with credentials: true; method: PUT (allowed: PUT); header: (allowed: *)
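Review bot: In allowsCrossOriginMethod the wildcard condition `(m_methods.contains("*") && storedCredentialsPolicy != StoredCredentialsPolicy::Use)` is inlined into an already long `if`, while allowsCrossOriginHeaders hoists the same test into a named `validWildcard` local; doing the same here would keep the two checks symmetrical and easier to audit. The error text is also unchanged ("Method X is not allowed by Access-Control-Allow-Methods."), so a credentialed request rejected only because the wildcard is ignored under StoredCredentialsPolicy::Use gets the same message as one whose method is simply missing; the expected-output files show this for the "credentials: true; method: OK (allowed: *)" case. Mentioning the wildcard-with-credentials case in the description would make that failure much easier to diagnose from the console.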
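Review bot: In allowsCrossOriginHeaders, `validWildcard` makes the `!m_headers.contains(header.key)` check pass for every non-safelisted request header, with no per-header exceptions; worth confirming against step 6.7 of the spec cited in the ChangeLog that no header name is meant to be excluded from the wildcard before landing. Minor: when `validWildcard` is true the loop can no longer fail, so returning early before the loop (after computing `validWildcard`) would make that explicit and avoid iterating the header map for nothing.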
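Review bot: A short comment in allowsRequest would help explain why the incoming `storedCredentialsPolicy`, rather than the cached `m_storedCredentialsPolicy`, is passed to the two wildcard-aware checks: the guard two lines above only rejects a StoredCredentialsPolicy::Use request reusing a DoNotUse entry, so a DoNotUse request may still reuse an entry created with credentials, and it is the reusing request's credentials mode that decides whether `*` may be honored. The choice looks correct; it just is not obvious from the hunk alone.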