RESOLVED FIXED Bug 208924
Make sure a preflight fails if response headers are invalid
https://bugs.webkit.org/show_bug.cgi?id=208924
youenn fablet
Reported 2020-03-11 10:04:00 PDT
Make sure a preflight fails if response headers are invalid
Attachments
Patch (14.59 KB, patch)
2020-03-11 10:35 PDT, youenn fablet
no flags
Patch (14.59 KB, patch)
2020-03-12 02:56 PDT, youenn fablet
no flags
Patch (17.64 KB, patch)
2020-03-12 05:51 PDT, youenn fablet
no flags
Patch for landing (17.43 KB, patch)
2020-03-18 05:51 PDT, youenn fablet
no flags
youenn fablet
Comment 1 2020-03-11 10:35:03 PDT
youenn fablet
Comment 2 2020-03-12 02:56:15 PDT
youenn fablet
Comment 3 2020-03-12 05:51:00 PDT
youenn fablet
Comment 4 2020-03-13 10:44:26 PDT
Ping review
Alex Christensen
Comment 5 2020-03-16 11:44:57 PDT
Comment on attachment 393362 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393362&action=review

> Source/WebCore/ChangeLog:11
> + Minor refactoring to return Expected/Optional for erro rhandlng instead of passing an out parameter.

error

> Source/WebCore/loader/CrossOriginAccessControl.cpp:273
> + CrossOriginPreflightResultCache::singleton().appendEntry(securityOrigin.toString(), request.url(), entry.moveToUniquePtr());

Do we want to do this if there was an error? We didn't before.

> Source/WebCore/loader/CrossOriginPreflightResultCache.h:54
> + bool allowsCrossOriginMethod(const String&, StoredCredentialsPolicy, String& errorDescription) const;
> + bool allowsCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy, String& errorDescription) const;

These should return Expected<void, String> instead of having an out parameter.
youenn fablet
Comment 6 2020-03-16 12:02:26 PDT
CrossOriginPreflightResultCache::singleton().appendEntry(securityOrigin.toString(), request.url(), entry.moveToUniquePtr());
> >
> > Do we want to do this if there was an error? We didn't before.

Yes, I think so, this is explained in the change log.

> > Source/WebCore/loader/CrossOriginPreflightResultCache.h:54
> > + bool allowsCrossOriginMethod(const String&, StoredCredentialsPolicy, String& errorDescription) const;
> > + bool allowsCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy, String& errorDescription) const;
> >
> > These should return Expected<void, String> instead of having an out
> > parameter.

Sure, this is preexisting and could be dealt with as a follow-up.
This patch moves these methods from public to private so that at least we do not make this pattern more widespread.
youenn fablet
Comment 7 2020-03-18 05:51:52 PDT
Created attachment 393838 [details] Patch for landing
youenn fablet
Comment 8 2020-03-18 07:43:52 PDT
> Sure, this is preexisting and could be dealt with as a follow-up.
> This patch moves these methods from public to private so that at least we do
> not make this pattern more widespread.

https://bugs.webkit.org/show_bug.cgi?id=209224
WebKit Commit Bot
Comment 9 2020-03-18 07:49:42 PDT
Comment on attachment 393838 [details]
Patch for landing

Clearing flags on attachment: 393838

Committed r258631: <https://trac.webkit.org/changeset/258631>
WebKit Commit Bot
Comment 10 2020-03-18 07:49:44 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 11 2020-03-18 07:50:14 PDT