WebKit Bugzilla
Bug 165508 (RESOLVED FIXED): Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers
https://bugs.webkit.org/show_bug.cgi?id=165508
Reported by sideshowbarker, 2016-12-06 19:35:41 PST
May 2016 change in the Fetch spec: https://github.com/whatwg/fetch/commit/cdbb13c08650b10c9ebfc54d046bec0639e7ba7c

> Enable Access-Control-Expose-Headers, Access-Control-Allow-Methods,
> and Access-Control-Allow-Headers to use a wildcard, with the same
> restriction as placed upon wildcards in Access-Control-Allow-Origin.
> Namely, it can only be used for requests where the credentials mode is "omit".
>
> The Authorization header still needs to be explicitly listed by
> Access-Control-Allow-Headers even with the wildcard.
>
> This also makes the CORS cache wildcard-aware and updates some of the
> terminology around CORS caches to share more concepts.

The new syntax:

Access-Control-Expose-Headers = #field-name / wildcard
Access-Control-Allow-Methods = #method / wildcard
Access-Control-Allow-Headers = #field-name-or-wildcard

The difference between the Access-Control-Expose-Headers and Access-Control-Allow-Headers production is that the latter needs to be able to handle `*, Authorization` as header value whereas the former does not.

Blink bug: https://bugs.chromium.org/p/chromium/issues/detail?id=615313
Gecko bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1309358
Attachments
Patch (5.84 KB, patch), 2018-11-25 13:09 PST, Rob Buis, no flags
Archive of layout-test-results from ews101 for mac-sierra (2.43 MB, application/zip), 2018-11-25 14:12 PST, EWS Watchlist, no flags
Archive of layout-test-results from ews107 for mac-sierra-wk2 (3.03 MB, application/zip), 2018-11-25 14:23 PST, EWS Watchlist, no flags
Archive of layout-test-results from ews112 for mac-sierra (2.22 MB, application/zip), 2018-11-25 15:06 PST, EWS Watchlist, no flags
Archive of layout-test-results from ews121 for ios-simulator-wk2 (2.58 MB, application/zip), 2018-11-25 15:14 PST, EWS Watchlist, no flags
Patch (11.94 KB, patch), 2018-11-26 07:20 PST, Rob Buis, no flags
Patch (20.62 KB, patch), 2018-11-30 00:16 PST, Rob Buis, no flags
Archive of layout-test-results from ews102 for mac-sierra (2.74 MB, application/zip), 2018-11-30 01:25 PST, EWS Watchlist, no flags
Archive of layout-test-results from ews104 for mac-sierra-wk2 (2.97 MB, application/zip), 2018-11-30 01:35 PST, EWS Watchlist, no flags
Archive of layout-test-results from ews115 for mac-sierra (1.99 MB, application/zip), 2018-11-30 02:16 PST, EWS Watchlist, no flags
Patch (24.61 KB, patch), 2018-11-30 08:24 PST, Rob Buis, no flags
Archive of layout-test-results from ews103 for mac-sierra (2.54 MB, application/zip), 2018-11-30 09:32 PST, EWS Watchlist, no flags
Archive of layout-test-results from ews116 for mac-sierra (1.98 MB, application/zip), 2018-11-30 10:24 PST, EWS Watchlist, no flags
Patch (26.94 KB, patch), 2018-11-30 11:45 PST, Rob Buis, no flags
Patch (12.04 KB, patch), 2018-12-07 08:53 PST, Rob Buis, no flags
Patch (11.86 KB, patch), 2018-12-18 06:30 PST, Rob Buis, no flags
Patch (11.84 KB, patch), 2019-06-08 10:38 PDT, Rob Buis, no flags
Archive of layout-test-results from ews211 for win-future (13.89 MB, application/zip), 2019-06-08 14:30 PDT, EWS Watchlist, no flags
Patch (11.77 KB, patch), 2019-06-09 02:30 PDT, Rob Buis, no flags

Rob Buis, Comment 1, 2018-11-25 13:09:10 PST
Created attachment 355603: Patch

EWS Watchlist, Comment 2, 2018-11-25 14:12:34 PST
Comment on attachment 355603: Patch
Attachment 355603 did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/10147623
New failing tests:
imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html
imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.html

EWS Watchlist, Comment 3, 2018-11-25 14:12:36 PST
Created attachment 355604: Archive of layout-test-results from ews101 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101 Port: mac-sierra Platform: Mac OS X 10.12.6

EWS Watchlist, Comment 4, 2018-11-25 14:23:24 PST
Comment on attachment 355603: Patch
Attachment 355603 did not pass mac-wk2-ews (mac-wk2):
Output: https://webkit-queues.webkit.org/results/10147634
New failing tests:
imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html
imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.html

EWS Watchlist, Comment 5, 2018-11-25 14:23:26 PST
Created attachment 355605: Archive of layout-test-results from ews107 for mac-sierra-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6

EWS Watchlist, Comment 6, 2018-11-25 15:06:09 PST
Comment on attachment 355603: Patch
Attachment 355603 did not pass mac-debug-ews (mac):
Output: https://webkit-queues.webkit.org/results/10147672
New failing tests:
imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html
imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.html

EWS Watchlist, Comment 7, 2018-11-25 15:06:11 PST
Created attachment 355610: Archive of layout-test-results from ews112 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112 Port: mac-sierra Platform: Mac OS X 10.12.6

EWS Watchlist, Comment 8, 2018-11-25 15:14:14 PST
Comment on attachment 355603: Patch
Attachment 355603 did not pass ios-sim-ews (ios-simulator-wk2):
Output: https://webkit-queues.webkit.org/results/10147700
New failing tests:
imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html
imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.html

EWS Watchlist, Comment 9, 2018-11-25 15:14:15 PST
Created attachment 355611: Archive of layout-test-results from ews121 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews121 Port: ios-simulator-wk2 Platform: Mac OS X 10.13.6

Rob Buis, Comment 10, 2018-11-26 07:20:45 PST
Created attachment 355638: Patch

Frédéric Wang (:fredw), Comment 11, 2018-11-26 10:53:57 PST
Comment on attachment 355638: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=355638&action=review
> Source/WebCore/ChangeLog:10 > + add this to the check. Same for ccess-Control-Allow-Headers (step 6.7).
Access-Control-Allow-Headers
> Source/WebCore/loader/CrossOriginPreflightResultCache.cpp:86 > + if (m_methods.contains(method) || (m_methods.contains("*") && storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse) || isOnAccessControlSimpleRequestMethodWhitelist(method))
I wonder if this and the statement below can be factored out into a separate helper function.
> Source/WebCore/loader/CrossOriginPreflightResultCache.cpp:98 > + if (!m_headers.contains(header.key) && !(m_headers.contains("*") && storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse)) {
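Review bot: the wildcard branch of the condition at CrossOriginPreflightResultCache.cpp:98 accepts every header.key, Authorization included, whenever m_headers contains "*" and storedCredentialsPolicy is DoNotUse. The bug description states that Authorization still has to be listed explicitly in Access-Control-Allow-Headers even with the wildcard, so unless that case is rejected outside this line, the wildcard branch should be skipped when header.key is Authorization (compared case-insensitively). A layout test that answers the preflight with Access-Control-Allow-Headers: * and sends an Authorization request header would pin the behaviour down.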
It seems this check is independent of header, so we can probably hence calculate it only once and take this out of the loop.

Rob Buis, Comment 12, 2018-11-30 00:16:53 PST
Created attachment 356153: Patch

EWS Watchlist, Comment 13, 2018-11-30 01:25:02 PST
Comment on attachment 356153: Patch
Attachment 356153 did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/10211865
New failing tests:
imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.html
imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.worker.html

EWS Watchlist, Comment 14, 2018-11-30 01:25:04 PST
Created attachment 356162: Archive of layout-test-results from ews102 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews102 Port: mac-sierra Platform: Mac OS X 10.12.6

EWS Watchlist, Comment 15, 2018-11-30 01:35:55 PST
Comment on attachment 356153: Patch
Attachment 356153 did not pass mac-wk2-ews (mac-wk2):
Output: https://webkit-queues.webkit.org/results/10211880
New failing tests:
imported/w3c/web-platform-tests/service-workers/cache-storage/window/cache-match.https.html
imported/w3c/web-platform-tests/service-workers/cache-storage/worker/cache-match.https.html
imported/w3c/web-platform-tests/service-workers/service-worker/fetch-cors-exposed-header-names.https.html
imported/w3c/web-platform-tests/service-workers/cache-storage/serviceworker/cache-match.https.html

EWS Watchlist, Comment 16, 2018-11-30 01:35:57 PST
Created attachment 356163: Archive of layout-test-results from ews104 for mac-sierra-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6

EWS Watchlist, Comment 17, 2018-11-30 02:16:09 PST
Comment on attachment 356153: Patch
Attachment 356153 did not pass mac-debug-ews (mac):
Output: https://webkit-queues.webkit.org/results/10212034
New failing tests:
imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.html
imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.worker.html

EWS Watchlist, Comment 18, 2018-11-30 02:16:11 PST
Created attachment 356165: Archive of layout-test-results from ews115 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews115 Port: mac-sierra Platform: Mac OS X 10.12.6

Rob Buis, Comment 19, 2018-11-30 08:24:06 PST
Created attachment 356179: Patch

EWS Watchlist, Comment 20, 2018-11-30 09:32:29 PST
Comment on attachment 356179: Patch
Attachment 356179 did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/10215395
New failing tests:
imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.html
imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.worker.html

EWS Watchlist, Comment 21, 2018-11-30 09:32:31 PST
Created attachment 356187: Archive of layout-test-results from ews103 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103 Port: mac-sierra Platform: Mac OS X 10.12.6

EWS Watchlist, Comment 22, 2018-11-30 10:24:13 PST
Comment on attachment 356179: Patch
Attachment 356179 did not pass mac-debug-ews (mac):
Output: https://webkit-queues.webkit.org/results/10215582
New failing tests:
imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.html
imported/w3c/web-platform-tests/fetch/api/cors/cors-expose-star.sub.any.worker.html

EWS Watchlist, Comment 23, 2018-11-30 10:24:15 PST
Created attachment 356193: Archive of layout-test-results from ews116 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews116 Port: mac-sierra Platform: Mac OS X 10.12.6

Rob Buis, Comment 24, 2018-11-30 11:45:55 PST
Created attachment 356209: Patch

Rob Buis, Comment 25, 2018-12-07 08:53:59 PST
Created attachment 356815: Patch

Rob Buis, Comment 26, 2018-12-07 09:58:44 PST
I noticed https://bugs.webkit.org/show_bug.cgi?id=169194 already tracks Access-Control-Expose-Headers wildcard support, so this bug can be restricted to Access-Control-Allow-Methods and Access-Control-Allow-Headers.

Frédéric Wang (:fredw), Comment 27, 2018-12-18 00:18:31 PST
Comment on attachment 356815: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=356815&action=review
> Source/WebCore/ChangeLog:3 > + Add wildcard to Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers
I guess you can update the bug title then
> Source/WebCore/ChangeLog:10 > + add this to the check. Same for ccess-Control-Allow-Headers (step 6.7).
Again, A is missing at ccess-Control-Allow-Headers
> Source/WebCore/loader/CrossOriginPreflightResultCache.cpp:86 > + if (m_methods.contains(method) || (m_methods.contains("*") && storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse) || isOnAccessControlSimpleRequestMethodWhitelist(method))
So StoredCredentialsPolicy is the same as the spec's credentials mode (https://fetch.spec.whatwg.org/#concept-request-credentials-mode)? If so then probably we should use the same name conventions in the future. Also, here and below steps 6.5 and 6.7 say we should really check that the credentials mode is not "include" i.e. storedCredentialsPolicy != StoredCredentialsPolicy::Use so that it still works when we have more than two values.
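
The wildcard rule from the bug description, with the credentials test written as the review comment above asks (anything other than "include"), as an added example that is not WebKit code. All type and function names are hypothetical, and the caller is assumed to pass only non-safelisted request header names.

```cpp
// Added example, not WebKit code: every name here is hypothetical.
#include <algorithm>
#include <cctype>
#include <set>
#include <string>
#include <vector>

enum class CredentialsMode { Omit, SameOrigin, Include };

// What a preflight response granted, plus the credentials mode of the request.
struct PreflightResult {
    std::set<std::string> methods;  // Access-Control-Allow-Methods, case-sensitive
    std::set<std::string> headers;  // Access-Control-Allow-Headers, stored lowercased
    CredentialsMode credentials;
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// "*" acts as a wildcard only when credentials are not included; otherwise
// it is just a literal method or header named "*".
static bool wildcardActive(const std::set<std::string>& list, CredentialsMode mode) {
    return mode != CredentialsMode::Include && list.count("*") > 0;
}

bool allowsMethod(const PreflightResult& r, const std::string& method) {
    if (method == "GET" || method == "HEAD" || method == "POST")
        return true;  // CORS-safelisted methods need no grant
    return r.methods.count(method) > 0 || wildcardActive(r.methods, r.credentials);
}

// Assumption: `names` holds only the request's non-safelisted header names.
bool allowsHeaders(const PreflightResult& r, const std::vector<std::string>& names) {
    const bool wildcard = wildcardActive(r.headers, r.credentials);  // loop-invariant
    for (const auto& raw : names) {
        const std::string name = lower(raw);
        if (r.headers.count(name) > 0)
            continue;  // explicitly listed
        if (name == "authorization" || !wildcard)
            return false;  // Authorization is never covered by "*"
    }
    return true;
}
```
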

Rob Buis, Comment 28, 2018-12-18 06:30:05 PST
Created attachment 357565: Patch

Rob Buis, Comment 29, 2019-06-08 10:38:45 PDT
Created attachment 371657: Patch

EWS Watchlist, Comment 30, 2019-06-08 14:30:41 PDT
Comment on attachment 371657: Patch
Attachment 371657 did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/12419994
New failing tests:
css3/filters/blur-various-radii.html
imported/blink/fast/canvas/bug382588.html

EWS Watchlist, Comment 31, 2019-06-08 14:30:44 PDT
Created attachment 371667: Archive of layout-test-results from ews211 for win-future
The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews211 Port: win-future Platform: CYGWIN_NT-10.0-17763-3.0.5-338.x86_64-x86_64-64bit

Rob Buis, Comment 32, 2019-06-09 02:30:11 PDT
Created attachment 371706: Patch

WebKit Commit Bot, Comment 33, 2019-06-09 04:55:34 PDT
Comment on attachment 371706: Patch
Clearing flags on attachment: 371706
Committed r246238: <https://trac.webkit.org/changeset/246238>

WebKit Commit Bot, Comment 34, 2019-06-09 04:55:36 PDT
All reviewed patches have been landed. Closing bug.

Radar WebKit Bug Importer, Comment 35, 2019-06-09 04:57:30 PDT
<rdar://problem/51560580>

youenn fablet, Comment 36, 2019-08-20 02:31:38 PDT
*** Bug 169194 has been marked as a duplicate of this bug. ***