WebKit Bugzilla
Attachment 342451 Details for Bug 186533: Accept request header values should be more tightly checked after r232572 in case of CORS load
Patch: bug-186533-20180611113714.patch (text/plain), 23.94 KB, created by youenn fablet on 2018-06-11 11:37:17 PDT
>Subversion Revision: 232536 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 825f62b64de3295a33813e90b799d0f19ef42c82..be78ae33bdd004a411a07a3ca7ad298c25e0e632 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,18 @@ >+2018-06-08 Youenn Fablet <youenn@apple.com> >+ >+ Accept request header values should be more tightly checked after r232572 in case of CORS load >+ https://bugs.webkit.org/show_bug.cgi?id=186533 >+ <rdar://problem/40933880> >+ >+ Reviewed by Darin Adler. >+ >+ Covered by updated test. >+ >+ * platform/network/HTTPParsers.cpp: >+ (WebCore::isValidAcceptHeaderValue): Checking that Accept header value conforms with RFC7370. >+ If not, this will trigger preflighting for CORS cross origin loads. >+ Current checks for Accept-Language and Content-Language are sufficient to ensure values conform with RFC7370. >+ > 2018-06-08 Youenn Fablet <youenn@apple.com> > > HTTP Header values validation is too strict >diff --git a/Source/WebCore/platform/network/HTTPParsers.cpp b/Source/WebCore/platform/network/HTTPParsers.cpp >index 2028da468aafadd9d3d02661d52ebc77595c872e..e8337d1629eba797801b0b3523baf30891b78301 100644 >--- a/Source/WebCore/platform/network/HTTPParsers.cpp >+++ b/Source/WebCore/platform/network/HTTPParsers.cpp >@@ -142,9 +142,15 @@ bool isValidAcceptHeaderValue(const String& value) > { > for (unsigned i = 0; i < value.length(); ++i) { > UChar c = value[i]; >+ > // First check for alphanumeric for performance reasons then whitelist four delimiter characters. > if (isASCIIAlphanumeric(c) || c == ',' || c == '/' || c == ';' || c == '=') > continue; >+ >+ ASSERT(c <= 0xFF); >+ if (c == 0x7F || (c < 0x20 && c != '\t')) >+ return false; >+ > if (isDelimiterCharacter(c)) > return false; > } >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index c14f6b3037532aeecf12a77769dbc617ed9793f5..0a73936cbeca6f64811f90b210f38150705c2070 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog 
>@@ -1,3 +1,18 @@ >+2018-06-08 Youenn Fablet <youenn@apple.com> >+ >+ Accept request header values should be more tightly checked after r232572 in case of CORS load >+ https://bugs.webkit.org/show_bug.cgi?id=186533 >+ <rdar://problem/40933880> >+ >+ Reviewed by Darin Adler. >+ >+ Added test to check Accept header value preflight. >+ Updated test to check that a preflight really happens if expected. >+ >+ * http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt: >+ * http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html: >+ * http/tests/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php: >+ > 2018-06-08 Youenn Fablet <youenn@apple.com> > > HTTP Header values validation is too strict >diff --git a/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt b/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt >index b812632b61a06c80fc4d0fc9ec9b4309c3482302..f08fa39c09d762d8736c9ca30dfe6c0ce0c615f9 100644 >--- a/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt >+++ b/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt 
>@@ -1,39 +1,63 @@ > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept-Language is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Content-Language is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Content-Language is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. 
>-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. 
>+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. 
>+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. 
>+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. >+CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. >+CONSOLE MESSAGE: Request header field Accept-Language is not allowed by Access-Control-Allow-Headers. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. >+CONSOLE MESSAGE: Request header field Content-Language is not allowed by Access-Control-Allow-Headers. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. >+CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. >+CONSOLE MESSAGE: Request header field Accept-Language is not allowed by Access-Control-Allow-Headers. 
>+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. >+CONSOLE MESSAGE: Request header field Content-Language is not allowed by Access-Control-Allow-Headers. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. >+CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. >+CONSOLE MESSAGE: Request header field Accept-Language is not allowed by Access-Control-Allow-Headers. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. >+CONSOLE MESSAGE: Request header field Content-Language is not allowed by Access-Control-Allow-Headers. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. >+CONSOLE MESSAGE: Request header field Accept is not allowed by Access-Control-Allow-Headers. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. >+CONSOLE MESSAGE: Request header field Accept-Language is not allowed by Access-Control-Allow-Headers. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. 
>+CONSOLE MESSAGE: Request header field Content-Language is not allowed by Access-Control-Allow-Headers. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php/?shouldPreflight due to access control checks. > PASS Accept header value 'application/json,text/*,*/*' SHOULD NOT cause a preflight > PASS Accept header with normal value 'application/vnd.api+json' SHOULD NOT cause a preflight > PASS Accept header with normal value 'text/plain; q=0.5, text/html, text/x-dvi; q=0.8, text/x-c' SHOULD NOT cause a preflight >@@ -41,6 +65,7 @@ PASS Accept header with normal value 'text/*;q=0.3, text/html;q=0.7, text/html;l > PASS Accept header value with all allowed delimiter characters SHOULD NOT cause a preflight > PASS Accept-Language header value 'en-US,en;q=0.8' SHOULD NOT cause a preflight > PASS Accept-Language header value 'zh-Latn-CN-variant1-a-extend1-x-wadegile-private1' SHOULD NOT cause a preflight >+PASS Accept header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight > PASS Accept-Language header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight > PASS Content-Language header value 'en-US,en;q=0.8' SHOULD NOT cause a preflight > PASS Content-Language header value 'zh-Latn-CN-variant1-a-extend1-x-wadegile-private1' SHOULD NOT cause a preflight 
>@@ -67,4 +92,16 @@ PASS Accept header with disallowed delimiter '\' SHOULD cause a preflight > PASS Accept header with disallowed delimiter ']' SHOULD cause a preflight > PASS Accept header with disallowed delimiter '{' SHOULD cause a preflight > PASS Accept header with disallowed delimiter '}' SHOULD cause a preflight >+PASS Accept header with disallowed character '' SHOULD cause a preflight >+PASS Accept-Language header with disallowed character '' SHOULD cause a preflight >+PASS Content-Language header with disallowed character '' SHOULD cause a preflight >+PASS Accept header with disallowed character '' SHOULD cause a preflight >+PASS Accept-Language header with disallowed character '' SHOULD cause a preflight >+PASS Content-Language header with disallowed character '' SHOULD cause a preflight >+PASS Accept header with disallowed character '' SHOULD cause a preflight >+PASS Accept-Language header with disallowed character '' SHOULD cause a preflight >+PASS Content-Language header with disallowed character '' SHOULD cause a preflight >+PASS Accept header with disallowed character '' SHOULD cause a preflight >+PASS Accept-Language header with disallowed character '' SHOULD cause a preflight >+PASS Content-Language header with disallowed character '' SHOULD cause a preflight > >diff --git a/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html b/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html >index 3e7c68a0bb176930796073b7065c730fb28d28c7..cc47a3017d130acd317107ab4bab42ebca57d6fa 100644 >--- a/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html >+++ b/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html 
>@@ -16,19 +16,24 @@ > var xhr; > var url = 'http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php'; > >- function createReadyStateHandler (description, testNumber) { >+ function createOnLoadHandler (description, testNumber, isExpected) { > return function handler (e) { >- if (xhr.readyState === XMLHttpRequest.DONE) { >+ if (isExpected) > testPassed(description); >- nextStep(testNumber); >- } >+ else >+ testFailed(description); >+ e.preventDefault(); >+ nextStep(testNumber); > } > } > >- function createOnErrorHandler (description, testNumber) { >+ function createOnErrorHandler (description, testNumber, isExpected) { > return function handler (e) { >+ if (isExpected) >+ testPassed(description); >+ else >+ testFailed(description); > e.preventDefault(); >- testPassed(description); > nextStep(testNumber); > } > } >@@ -36,7 +41,9 @@ > var abnormalSimpleCorsHeaderValue = "() { :;};" > var allAllowedDelimiterCharactersForAcceptHeader = ",/;=" > var allDisallowedDelimiterCharactersForAcceptHeader = ['"', '(', ')', ':', '<', '>', '?', '@', '[', '\\', ']', '{', '}']; >- var allAllowedNonAlphanumericCharactersForAcceptAndContentLanguageHeader = " *,-.;=" >+ var allDisallowedCharactersForAcceptHeader = ['\x19', '\x0B', '\x08', '\x7F']; >+ var allAllowedNonAlphanumericCharactersForAcceptAndContentLanguageHeader = "\x20 *,-.;= "; >+ var allAllowedNonAlphanumericCharactersForAcceptHeader = "\x20 *,-.;= \x7E\x80"; > var testCases = [ > // Positive test cases with normal headers > { 
>@@ -81,6 +88,12 @@ > shouldCausePreflight: false, > description: "Accept-Language header value 'zh-Latn-CN-variant1-a-extend1-x-wadegile-private1' SHOULD NOT cause a preflight" > } >+ ,{ >+ headersToAdd: [{ name : "Accept", value: allAllowedNonAlphanumericCharactersForAcceptHeader }], >+ explicitlyAllowHeaders: false, >+ shouldCausePreflight: false, >+ description: "Accept header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight" >+ } > ,{ > headersToAdd: [{ name : "Accept-Language", value: allAllowedNonAlphanumericCharactersForAcceptAndContentLanguageHeader }], > explicitlyAllowHeaders: false, 
>@@ -175,18 +188,49 @@ > } > ); > } >+ for (var i = 0; i < allDisallowedCharactersForAcceptHeader.length; i++) { >+ var disallowedCharacter = allDisallowedCharactersForAcceptHeader[i]; >+ testCases.push( >+ { >+ headersToAdd: [{ name : "Accept", value: disallowedCharacter }], >+ explicitlyAllowHeaders: false, >+ shouldCausePreflight: true, >+ description: "Accept header with disallowed character '" + disallowedCharacter + "' SHOULD cause a preflight" >+ } >+ ); >+ testCases.push( >+ { >+ headersToAdd: [{ name : "Accept-Language", value: disallowedCharacter }], >+ explicitlyAllowHeaders: false, >+ shouldCausePreflight: true, >+ description: "Accept-Language header with disallowed character '" + disallowedCharacter + "' SHOULD cause a preflight" >+ } >+ ); >+ testCases.push( >+ { >+ headersToAdd: [{ name : "Content-Language", value: disallowedCharacter }], >+ explicitlyAllowHeaders: false, >+ shouldCausePreflight: true, >+ description: "Content-Language header with disallowed character '" + disallowedCharacter + "' SHOULD cause a preflight" >+ } >+ ); >+ } > > function runTestCase(testNumber) { > var testCase = testCases[testNumber]; > xhr = new XMLHttpRequest(); >- xhr.open('GET', url + (testCase.explicitlyAllowHeaders ? 
"/?explicitlyAllowHeaders=true" : ""), true); >+ let query = "/?"; >+ if (testCase.explicitlyAllowHeaders) >+ query += "explicitlyAllowHeaders&"; >+ if (testCase.shouldCausePreflight) >+ query += "shouldPreflight"; >+ xhr.open('GET', url + query, true); > for (var i = 0; i < testCase.headersToAdd.length; i++) { > xhr.setRequestHeader(testCase.headersToAdd[i].name, testCase.headersToAdd[i].value); > } >- if (testCase.shouldCausePreflight && !testCase.explicitlyAllowHeaders) >- xhr.onerror = createOnErrorHandler(testCase.description, testNumber); >- else >- xhr.onreadystatechange = createReadyStateHandler(testCase.description, testNumber); >+ let shouldFail = testCase.shouldCausePreflight && !testCase.explicitlyAllowHeaders; >+ xhr.onerror = createOnErrorHandler(testCase.description, testNumber, shouldFail); >+ xhr.onload = createOnLoadHandler(testCase.description, testNumber, !shouldFail); > xhr.send(); > } > >diff --git a/LayoutTests/http/tests/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php b/LayoutTests/http/tests/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php >index 284da9c4b11c5da7cc2ef0442b170c8e744a30be..7d735069cfed6664d2bc22f28b6ee63078da4c5d 100644 >--- a/LayoutTests/http/tests/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php >+++ b/LayoutTests/http/tests/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php 
>@@ -1,8 +1,14 @@ > <?php >-header('Access-Control-Allow-Origin: http://127.0.0.1:8000'); > >-if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS' && isset($_GET['explicitlyAllowHeaders'])) { >- header('Access-Control-Allow-Methods: GET, OPTIONS'); >- header('Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language'); >+if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') { >+ if (!isset($_GET['shouldPreflight'])) { >+ return 404; >+ } >+ if (isset($_GET['explicitlyAllowHeaders'])) { >+ header('Access-Control-Allow-Methods: GET, OPTIONS'); >+ header('Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language'); >+ } > } >-?> >\ No newline at end of file >+header('Access-Control-Allow-Origin: http://127.0.0.1:8000'); >+ >+?>
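Review bot: the Source/WebCore/ChangeLog entry for WebCore::isValidAcceptHeaderValue cites RFC7370 twice, which looks like a typo, since RFC 7370 is not an HTTP specification and the field-value grammar that the new control-character check follows is in RFC 7230. Please confirm and correct the number so the reference can be followed from the log.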
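Review bot: ASSERT(c <= 0xFF) in isValidAcceptHeaderValue (Source/WebCore/platform/network/HTTPParsers.cpp, @@ -142,9 +142,15) only guards debug builds, so in a release build a UChar above 0xFF passes the new control-character test and is rejected only if isDelimiterCharacter(c) says so. Either return false for c > 0xFF so that such a value forces a preflight, or add a comment naming the caller that guarantees Latin-1 input. The new test for 0x7F and for values below 0x20 also has no comment, unlike the alphanumeric fast path above it; one line saying it rejects control characters other than HTAB would help.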
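Review bot: createOnLoadHandler and createOnErrorHandler in cors-non-standard-safelisted-headers-should-trigger-preflight.html (@@ -16,19 +16,24) now have identical bodies. A single factory taking (description, testNumber, isExpected), assigned to both xhr.onload and xhr.onerror in runTestCase, would remove the duplication and keep the two paths from drifting apart later.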
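Review bot: allDisallowedCharactersForAcceptHeader in cors-non-standard-safelisted-headers-should-trigger-preflight.html (@@ -36,7 +41,9) lists '\x19', '\x0B', '\x08' and '\x7F' but not '\x1F', the upper edge of the c < 0x20 range that the C++ check rejects. Adding '\x1F' would pin that boundary the same way "\x7E\x80" pins both sides of 0x7F in allAllowedNonAlphanumericCharactersForAcceptHeader. If the literal whitespace in the two allowed strings is meant to include a tab, to cover the c != '\t' exemption, write it as an explicit \t escape so it cannot be lost in an editor.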
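Review bot: the descriptions built in the new loop over allDisallowedCharactersForAcceptHeader (@@ -175,18 +188,49) concatenate the raw disallowedCharacter, so the twelve PASS lines added to the -expected.txt file all read "disallowed character ''" and cannot be told apart, and the expected file carries unprintable bytes. Print the code point instead, for example "0x" + disallowedCharacter.charCodeAt(0).toString(16), so a failure identifies which character regressed.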
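Review bot: return 404; in the OPTIONS branch of cors-preflight-safelisted-headers-responder.php does not set the response status, because at the top level of a PHP script return only stops execution. The unexpected preflight still fails, since Access-Control-Allow-Origin is now emitted after this point and is therefore never sent, but the test depends on that ordering rather than on the status code. http_response_code(404); followed by exit; would state the intent, and a comment on why the Access-Control-Allow-Origin header moved to the end of the file would protect the ordering.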