Bug 231174 - CORS: Allow particular Range header values without a preflight
Summary: CORS: Allow particular Range header values without a preflight
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: youenn fablet
Keywords: InRadar
Reported: 2021-10-04 09:10 PDT by Jake Archibald
Modified: 2022-04-04 10:08 PDT
Attachments
Patch (10.30 KB, patch)
2022-04-04 01:14 PDT, youenn fablet

Description Jake Archibald 2021-10-04 09:10:15 PDT
Spec discussion: https://github.com/whatwg/fetch/issues/1310
Spec PR: https://github.com/whatwg/fetch/pull/1312
Tests PR: https://github.com/web-platform-tests/wpt/pull/31058

`Range` was added as a safe-listed header as long as the value is in a particular format, which aligns with formats the browser uses when requesting media and resuming downloads.
Comment 1 Radar WebKit Bug Importer 2021-10-11 09:11:19 PDT
<rdar://problem/84101544>
Comment 2 jon.ronnenberg 2022-04-03 15:21:51 PDT
CORS-safelisted request-header:
https://fetch.spec.whatwg.org/#cors-safelisted-request-header

Allowed particular Range header values (simple range header value):
https://fetch.spec.whatwg.org/#simple-range-header-value

Examples:

Range:bytes=0-255

Range:bytes=255-
Comment 3 youenn fablet 2022-04-04 01:14:35 PDT
Created attachment 456547
Patch
Comment 4 EWS Watchlist 2022-04-04 01:16:02 PDT
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Comment 5 youenn fablet 2022-04-04 01:21:09 PDT
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/33488
Comment 6 Alex Christensen 2022-04-04 09:33:05 PDT
Comment on attachment 456547
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=456547&action=review

> LayoutTests/imported/w3c/web-platform-tests/fetch/range/general.any.js:129
> +    'bytes=00000000000000000000000000000000000000000000000000000000011-00000000000000000000000000000000000000000000000000000000000111',
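
Review bot: at general.any.js:129 the byte length of this value cannot be checked by reading it, because it is a hand-typed run of zeros. State the intended length in a comment beside the entry, or build the string with `'0'.repeat(n)` or `padStart` so the length is computed rather than counted by eye.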

This isn't 128 bytes.  Let's add such a test.
Comment 7 youenn fablet 2022-04-04 09:43:32 PDT
Comment on attachment 456547
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=456547&action=review

>> LayoutTests/imported/w3c/web-platform-tests/fetch/range/general.any.js:129
>> +    'bytes=00000000000000000000000000000000000000000000000000000000011-00000000000000000000000000000000000000000000000000000000000111',
> 
> This isn't 128 bytes.  Let's add such a test.

I think this is 128 bytes, the other one above should be 129 and fail.
Comment 8 EWS 2022-04-04 10:08:34 PDT
Committed r292293 (249191@main): <https://commits.webkit.org/249191@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 456547.
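
The safelisting check discussed in this bug, as an added example (not WebKit's code and not part of the patch): a JavaScript sketch of the "simple range header value" test linked in comment 2, combined with the 128-byte value limit debated in comments 6 and 7. The function names and sample values are constructed for illustration, and the parsing rules (no whitespace, a required start, start not greater than end) are taken from the linked Fetch spec as an assumption, not from this page.

```javascript
// Added example, not WebKit code. Rules follow the Fetch spec definitions
// linked in comment 2 (assumption: read from the spec, not from this page).
const MAX_VALUE_BYTES = 128; // limit discussed in comments 6 and 7

// Parse "bytes=<start>-<end>" with no whitespace; returns null on failure.
function parseSimpleRange(value) {
  if (!value.startsWith('bytes=')) return null;
  let pos = 'bytes='.length;
  const collectDigits = () => {
    const from = pos;
    while (pos < value.length && value[pos] >= '0' && value[pos] <= '9') pos++;
    return value.slice(from, pos);
  };
  const startText = collectDigits();
  if (value[pos] !== '-') return null;
  pos++;
  const endText = collectDigits();
  if (pos !== value.length) return null; // trailing data such as ",20-30"
  if (startText === '' && endText === '') return null;
  // BigInt keeps long zero-padded numbers exact.
  const start = startText === '' ? null : BigInt(startText);
  const end = endText === '' ? null : BigInt(endText);
  if (start !== null && end !== null && start > end) return null;
  return { start, end };
}

// True when the value can be sent cross-origin without a preflight.
function isSafelistedRange(value) {
  if (new TextEncoder().encode(value).length > MAX_VALUE_BYTES) return false;
  const range = parseSimpleRange(value);
  // Suffix ranges ("bytes=-500") parse but have no start, so are not safelisted.
  return range !== null && range.start !== null;
}

// Constructed boundary value: exactly `bytes` long, length computed, not typed.
function paddedRange(bytes) {
  return 'bytes=0-' + '1'.padStart(bytes - 'bytes=0-'.length, '0');
}

// Constructed samples; the first two are the examples from comment 2.
const samples = ['bytes=0-255', 'bytes=255-', 'bytes=-500', 'bytes=0-10,20-30',
  'bytes=10-5', 'bytes= 0-255', paddedRange(128), paddedRange(129)];
for (const v of samples) {
  const shown = v.length > 24 ? `${v.slice(0, 21)}... (${v.length} bytes)` : v;
  console.log(isSafelistedRange(v) ? 'no preflight' : 'preflight   ', shown);
}
```

Server-side code that relied on a preflight before honouring `Range` on cross-origin requests should treat values accepted by this check as arriving without one.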