Bug 165508

Summary:

Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers

Product:

WebKit

Reporter:

sideshowbarker <mike>

Component:

Page Loading

Assignee:

Rob Buis <rbuis>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

achristensen, annevk, ap, beidson, cdumez, commit-queue, dbates, ews-watchlist, fred.wang, japhet, lopezhector206, rbuis, rniwa, webkit-bug-importer, wilander, youennf

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Archive of layout-test-results from ews101 for mac-sierra	none
Archive of layout-test-results from ews107 for mac-sierra-wk2	none
Archive of layout-test-results from ews112 for mac-sierra	none
Archive of layout-test-results from ews121 for ios-simulator-wk2	none
Patch	none
Patch	none
Archive of layout-test-results from ews102 for mac-sierra	none
Archive of layout-test-results from ews104 for mac-sierra-wk2	none
Archive of layout-test-results from ews115 for mac-sierra	none
Patch	none
Archive of layout-test-results from ews103 for mac-sierra	none
Archive of layout-test-results from ews116 for mac-sierra	none
Patch	none
Patch	none
Patch	none
Patch	none
Archive of layout-test-results from ews211 for win-future	none
Patch	none

sideshowbarker

Reported 2016-12-06 19:35:41 PST

May 2016 change in the Fetch spec: https://github.com/whatwg/fetch/commit/cdbb13c08650b10c9ebfc54d046bec0639e7ba7c > Enable Access-Control-Expose-Headers, Access-Control-Allow-Methods, > and Access-Control-Allow-Headers to use a wildcard, with the same > restriction as placed upon wildcards in Access-Control-Allow-Origin. > Namely, it can only be used for requests where the credentials mode is "omit". > The Authorization header still needs to be explicitly listed by > Access-Control-Allow-Headers even with the wildcard. > This also makes the CORS cache wildcard-aware and updates some of the > terminology around CORS caches to share more concepts. The new syntax: Access-Control-Expose-Headers = #field-name / wildcard Access-Control-Allow-Methods = #method / wildcard Access-Control-Allow-Headers = #field-name-or-wildcard The difference between the Access-Control-Expose-Headers and Access-Control-Allow-Headers production is that the latter needs to be able to handle `*, Authorization` as header value whereas the former does not. Blink bug: https://bugs.chromium.org/p/chromium/issues/detail?id=615313 Gecko bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1309358

Attachments
Patch (5.84 KB, patch) 2018-11-25 13:09 PST, Rob Buis	no flags	Details Formatted Diff Diff
Archive of layout-test-results from ews101 for mac-sierra (2.43 MB, application/zip) 2018-11-25 14:12 PST, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews107 for mac-sierra-wk2 (3.03 MB, application/zip) 2018-11-25 14:23 PST, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews112 for mac-sierra (2.22 MB, application/zip) 2018-11-25 15:06 PST, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews121 for ios-simulator-wk2 (2.58 MB, application/zip) 2018-11-25 15:14 PST, EWS Watchlist	no flags	Details
Patch (11.94 KB, patch) 2018-11-26 07:20 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (20.62 KB, patch) 2018-11-30 00:16 PST, Rob Buis	no flags	Details Formatted Diff Diff
Archive of layout-test-results from ews102 for mac-sierra (2.74 MB, application/zip) 2018-11-30 01:25 PST, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews104 for mac-sierra-wk2 (2.97 MB, application/zip) 2018-11-30 01:35 PST, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews115 for mac-sierra (1.99 MB, application/zip) 2018-11-30 02:16 PST, EWS Watchlist	no flags	Details
Patch (24.61 KB, patch) 2018-11-30 08:24 PST, Rob Buis	no flags	Details Formatted Diff Diff
Archive of layout-test-results from ews103 for mac-sierra (2.54 MB, application/zip) 2018-11-30 09:32 PST, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews116 for mac-sierra (1.98 MB, application/zip) 2018-11-30 10:24 PST, EWS Watchlist	no flags	Details
Patch (26.94 KB, patch) 2018-11-30 11:45 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (12.04 KB, patch) 2018-12-07 08:53 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (11.86 KB, patch) 2018-12-18 06:30 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (11.84 KB, patch) 2019-06-08 10:38 PDT, Rob Buis	no flags	Details Formatted Diff Diff
Archive of layout-test-results from ews211 for win-future (13.89 MB, application/zip) 2019-06-08 14:30 PDT, EWS Watchlist	no flags	Details
Patch (11.77 KB, patch) 2019-06-09 02:30 PDT, Rob Buis	no flags	Details Formatted Diff Diff
Show Obsolete (8) View All Add attachment proposed patch, testcase, etc.

Rob Buis

Comment 1 2018-11-25 13:09:10 PST

Created attachment 355603 [details] Patch

EWS Watchlist

Comment 2 2018-11-25 14:12:34 PST

Comment on attachment 355603 [details] Patch Attachment 355603 [details] did not pass mac-ews (mac): Output: https://webkit-queues.webkit.org/results/10147623 New failing tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.html

EWS Watchlist

Comment 3 2018-11-25 14:12:36 PST

Created attachment 355604 [details] Archive of layout-test-results from ews101 for mac-sierra The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews101 Port: mac-sierra Platform: Mac OS X 10.12.6

EWS Watchlist

Comment 4 2018-11-25 14:23:24 PST

Comment on attachment 355603 [details] Patch Attachment 355603 [details] did not pass mac-wk2-ews (mac-wk2): Output: https://webkit-queues.webkit.org/results/10147634 New failing tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.html

EWS Watchlist

Comment 5 2018-11-25 14:23:26 PST

Created attachment 355605 [details] Archive of layout-test-results from ews107 for mac-sierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews107 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6

EWS Watchlist

Comment 6 2018-11-25 15:06:09 PST

Comment on attachment 355603 [details] Patch Attachment 355603 [details] did not pass mac-debug-ews (mac): Output: https://webkit-queues.webkit.org/results/10147672 New failing tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.html

EWS Watchlist

Comment 7 2018-11-25 15:06:11 PST

Created attachment 355610 [details] Archive of layout-test-results from ews112 for mac-sierra The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews112 Port: mac-sierra Platform: Mac OS X 10.12.6

EWS Watchlist

Comment 8 2018-11-25 15:14:14 PST

Comment on attachment 355603 [details] Patch Attachment 355603 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: https://webkit-queues.webkit.org/results/10147700 New failing tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.html

EWS Watchlist

Comment 9 2018-11-25 15:14:15 PST

Created attachment 355611 [details] Archive of layout-test-results from ews121 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews121 Port: ios-simulator-wk2 Platform: Mac OS X 10.13.6

Rob Buis

Comment 10 2018-11-26 07:20:45 PST

Created attachment 355638 [details] Patch

Frédéric Wang (:fredw)

Comment 11 2018-11-26 10:53:57 PST

Comment on attachment 355638 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=355638&action=review > Source/WebCore/ChangeLog:10 > + add this to the check. Same for ccess-Control-Allow-Headers (step 6.7). Access-Control-Allow-Headers > Source/WebCore/loader/CrossOriginPreflightResultCache.cpp:86 > + if (m_methods.contains(method) || (m_methods.contains("*") && storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse) || isOnAccessControlSimpleRequestMethodWhitelist(method)) I wonder if this and the statement below can be factor out in a separate helper function. > Source/WebCore/loader/CrossOriginPreflightResultCache.cpp:98 > + if (!m_headers.contains(header.key) && !(m_headers.contains("*") && storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse)) { it seems this check is independent of header, so we can probably hence calculate it only once and take this out of the loop.

Rob Buis

Comment 12 2018-11-30 00:16:53 PST

Created attachment 356153 [details] Patch

EWS Watchlist

Comment 13 2018-11-30 01:25:02 PST

Comment on attachment 356153 [details] Patch Attachment 356153 [details] did not pass mac-ews (mac): Output: https://webkit-queues.webkit.org/results/10211865 New failing tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.html imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.worker.html

EWS Watchlist

Comment 14 2018-11-30 01:25:04 PST

Created attachment 356162 [details] Archive of layout-test-results from ews102 for mac-sierra The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews102 Port: mac-sierra Platform: Mac OS X 10.12.6

EWS Watchlist

Comment 15 2018-11-30 01:35:55 PST

Comment on attachment 356153 [details] Patch Attachment 356153 [details] did not pass mac-wk2-ews (mac-wk2): Output: https://webkit-queues.webkit.org/results/10211880 New failing tests: imported/w3c/web-platform-tests/service-workers/cache-storage/window/cache-match.https.html imported/w3c/web-platform-tests/service-workers/cache-storage/worker/cache-match.https.html imported/w3c/web-platform-tests/service-workers/service-worker/fetch-cors-exposed-header-names.https.html imported/w3c/web-platform-tests/service-workers/cache-storage/serviceworker/cache-match.https.html

EWS Watchlist

Comment 16 2018-11-30 01:35:57 PST

Created attachment 356163 [details] Archive of layout-test-results from ews104 for mac-sierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews104 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6

EWS Watchlist

Comment 17 2018-11-30 02:16:09 PST

Comment on attachment 356153 [details] Patch Attachment 356153 [details] did not pass mac-debug-ews (mac): Output: https://webkit-queues.webkit.org/results/10212034 New failing tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.html imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.worker.html

EWS Watchlist

Comment 18 2018-11-30 02:16:11 PST

Created attachment 356165 [details] Archive of layout-test-results from ews115 for mac-sierra The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews115 Port: mac-sierra Platform: Mac OS X 10.12.6

Rob Buis

Comment 19 2018-11-30 08:24:06 PST

Created attachment 356179 [details] Patch

EWS Watchlist

Comment 20 2018-11-30 09:32:29 PST

Comment on attachment 356179 [details] Patch Attachment 356179 [details] did not pass mac-ews (mac): Output: https://webkit-queues.webkit.org/results/10215395 New failing tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.html imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.worker.html

EWS Watchlist

Comment 21 2018-11-30 09:32:31 PST

Created attachment 356187 [details] Archive of layout-test-results from ews103 for mac-sierra The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews103 Port: mac-sierra Platform: Mac OS X 10.12.6

EWS Watchlist

Comment 22 2018-11-30 10:24:13 PST

Comment on attachment 356179 [details] Patch Attachment 356179 [details] did not pass mac-debug-ews (mac): Output: https://webkit-queues.webkit.org/results/10215582 New failing tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.html imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.worker.html

EWS Watchlist

Comment 23 2018-11-30 10:24:15 PST

Created attachment 356193 [details] Archive of layout-test-results from ews116 for mac-sierra The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews116 Port: mac-sierra Platform: Mac OS X 10.12.6

Rob Buis

Comment 24 2018-11-30 11:45:55 PST

Created attachment 356209 [details] Patch

Rob Buis

Comment 25 2018-12-07 08:53:59 PST

Created attachment 356815 [details] Patch

Rob Buis

Comment 26 2018-12-07 09:58:44 PST

I noticed https://bugs.webkit.org/show_bug.cgi?id=169194 already tracks Access-Control-Expose-Headers wildcard support, so this bug can be restricted to Access-Control-Allow-Methods and Access-Control-Allow-Headers.

Frédéric Wang (:fredw)

Comment 27 2018-12-18 00:18:31 PST

Comment on attachment 356815 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=356815&action=review > Source/WebCore/ChangeLog:3 > + Add wildcard to Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers I guess you can update the bug title then > Source/WebCore/ChangeLog:10 > + add this to the check. Same for ccess-Control-Allow-Headers (step 6.7). Again, A is missing at ccess-Control-Allow-Headers > Source/WebCore/loader/CrossOriginPreflightResultCache.cpp:86 > + if (m_methods.contains(method) || (m_methods.contains("*") && storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse) || isOnAccessControlSimpleRequestMethodWhitelist(method)) So StoredCredentialsPolicy is the same as the spec's credentials mode (https://fetch.spec.whatwg.org/#concept-request-credentials-mode)? If so then probably we should use the same name conventions in the future. Also, here and below steps 6.5 and 6.7 say we should really check that the credentials mode is not "include" i.e. storedCredentialsPolicy != StoredCredentialsPolicy::Use so that it still works when we have more than two values.

Rob Buis

Comment 28 2018-12-18 06:30:05 PST

Created attachment 357565 [details] Patch

Rob Buis

Comment 29 2019-06-08 10:38:45 PDT

Created attachment 371657 [details] Patch

EWS Watchlist

Comment 30 2019-06-08 14:30:41 PDT

Comment on attachment 371657 [details] Patch Attachment 371657 [details] did not pass win-ews (win): Output: https://webkit-queues.webkit.org/results/12419994 New failing tests: css3/filters/blur-various-radii.html imported/blink/fast/canvas/bug382588.html

EWS Watchlist

Comment 31 2019-06-08 14:30:44 PDT

Created attachment 371667 [details] Archive of layout-test-results from ews211 for win-future The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews211 Port: win-future Platform: CYGWIN_NT-10.0-17763-3.0.5-338.x86_64-x86_64-64bit

Rob Buis

Comment 32 2019-06-09 02:30:11 PDT

Created attachment 371706 [details] Patch

WebKit Commit Bot

Comment 33 2019-06-09 04:55:34 PDT

Comment on attachment 371706 [details] Patch Clearing flags on attachment: 371706 Committed r246238: <https://trac.webkit.org/changeset/246238>

WebKit Commit Bot

Comment 34 2019-06-09 04:55:36 PDT

All reviewed patches have been landed. Closing bug.

Radar WebKit Bug Importer

Comment 35 2019-06-09 04:57:30 PDT

<rdar://problem/51560580>

youenn fablet

Comment 36 2019-08-20 02:31:38 PDT

*** Bug 169194 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.