Changeset 210077 in webkit
- Timestamp: Dec 21, 2016 2:06:22 PM
- Location: trunk
- Files: 5 edited
trunk/LayoutTests/ChangeLog
r210072 r210077 1 2016-12-21 John Wilander <wilander@apple.com> 2 3 Switch to a blacklist model for restricted Accept headers in simple CORS requests 4 https://bugs.webkit.org/show_bug.cgi?id=166363 5 6 Reviewed by Alex Christensen. 7 8 * http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt: 9 * http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html: 10 1 11 2016-12-21 Wenson Hsieh <wenson_hsieh@apple.com> 2 12 -
trunk/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt
r209261 r210077 4 4 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Content-Language is not allowed by Access-Control-Allow-Headers. 5 5 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers. 6 PASS Accept header with normal value SHOULD NOT cause a preflight 7 PASS Accept header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight 8 PASS Accept-Language header with normal value SHOULD NOT cause a preflight 6 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers. 7 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers. 8 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers. 9 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers. 10 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers. 11 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. 
Request header field Accept is not allowed by Access-Control-Allow-Headers. 12 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers. 13 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers. 14 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers. 15 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers. 16 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers. 17 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers. 18 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers. 
19 PASS Accept header value 'application/json,text/*,*/*' SHOULD NOT cause a preflight 20 PASS Accept header with normal value 'application/vnd.api+json' SHOULD NOT cause a preflight 21 PASS Accept header with normal value 'text/plain; q=0.5, text/html, text/x-dvi; q=0.8, text/x-c' SHOULD NOT cause a preflight 22 PASS Accept header with normal value 'text/*;q=0.3, text/html;q=0.7, text/html;level=1, text/html;level=2;q=0.4, */*;q=0.5' SHOULD NOT cause a preflight 23 PASS Accept header value with all allowed delimiter characters SHOULD NOT cause a preflight 24 PASS Accept-Language header value 'en-US,en;q=0.8' SHOULD NOT cause a preflight 25 PASS Accept-Language header value 'zh-Latn-CN-variant1-a-extend1-x-wadegile-private1' SHOULD NOT cause a preflight 9 26 PASS Accept-Language header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight 10 PASS Content-Language header with normal value SHOULD NOT cause a preflight 27 PASS Content-Language header value 'en-US,en;q=0.8' SHOULD NOT cause a preflight 28 PASS Content-Language header value 'zh-Latn-CN-variant1-a-extend1-x-wadegile-private1' SHOULD NOT cause a preflight 11 29 PASS Content-Language header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight 12 30 PASS Accept header with abnormal value SHOULD cause a preflight … … 19 37 PASS Accept header with normal value, Accept-Language header with normal value, Content-Language header with abnormal value, and explicitly allowed headers SHOULD be allowed 20 38 PASS Accept header with normal value, then another Accept header with abnormal value, and explicitly allowed headers SHOULD be allowed 39 PASS Accept header with disallowed delimiter '"' SHOULD cause a preflight 40 PASS Accept header with disallowed delimiter '(' SHOULD cause a preflight 41 PASS Accept header with disallowed delimiter ')' SHOULD cause a preflight 42 PASS Accept header with disallowed delimiter ':' SHOULD cause a preflight 43 PASS Accept header 
with disallowed delimiter '<' SHOULD cause a preflight 44 PASS Accept header with disallowed delimiter '>' SHOULD cause a preflight 45 PASS Accept header with disallowed delimiter '?' SHOULD cause a preflight 46 PASS Accept header with disallowed delimiter '@' SHOULD cause a preflight 47 PASS Accept header with disallowed delimiter '[' SHOULD cause a preflight 48 PASS Accept header with disallowed delimiter '\' SHOULD cause a preflight 49 PASS Accept header with disallowed delimiter ']' SHOULD cause a preflight 50 PASS Accept header with disallowed delimiter '{' SHOULD cause a preflight 51 PASS Accept header with disallowed delimiter '}' SHOULD cause a preflight 21 52 -
trunk/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html
r209510 r210077 35 35 36 36 var abnormalSimpleCorsHeaderValue = "() { :;};" 37 var allAllowedNonAlphanumericCharactersForAcceptHeader = " *,./;=" 37 var allAllowedDelimiterCharactersForAcceptHeader = ",/;=" 38 var allDisallowedDelimiterCharactersForAcceptHeader = ['"', '(', ')', ':', '<', '>', '?', '@', '[', '\\', ']', '{', '}']; 38 39 var allAllowedNonAlphanumericCharactersForAcceptAndContentLanguageHeader = " *,-.;=" 39 40 var testCases = [ … … 43 44 explicitlyAllowHeaders: false, 44 45 shouldCausePreflight: false, 45 description: "Accept header with normal value SHOULD NOT cause a preflight" 46 } 47 ,{ 48 headersToAdd: [{ name : "Accept", value: allAllowedNonAlphanumericCharactersForAcceptHeader }], 49 explicitlyAllowHeaders: false, 50 shouldCausePreflight: false, 51 description: "Accept header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight" 46 description: "Accept header value 'application/json,text/*,*/*' SHOULD NOT cause a preflight" 47 } 48 ,{ 49 headersToAdd: [{ name : "Accept", value: "application/vnd.api+json" }], 50 explicitlyAllowHeaders: false, 51 shouldCausePreflight: false, 52 description: "Accept header with normal value 'application/vnd.api+json' SHOULD NOT cause a preflight" 53 } 54 ,{ 55 headersToAdd: [{ name : "Accept", value: "text/plain; q=0.5, text/html, text/x-dvi; q=0.8, text/x-c" }], 56 explicitlyAllowHeaders: false, 57 shouldCausePreflight: false, 58 description: "Accept header with normal value 'text/plain; q=0.5, text/html, text/x-dvi; q=0.8, text/x-c' SHOULD NOT cause a preflight" 59 } 60 ,{ 61 headersToAdd: [{ name : "Accept", value: "text/*;q=0.3, text/html;q=0.7, text/html;level=1, text/html;level=2;q=0.4, */*;q=0.5" }], 62 explicitlyAllowHeaders: false, 63 shouldCausePreflight: false, 64 description: "Accept header with normal value 'text/*;q=0.3, text/html;q=0.7, text/html;level=1, text/html;level=2;q=0.4, */*;q=0.5' SHOULD NOT cause a preflight" 65 } 66 ,{ 67 headersToAdd: [{ name : "Accept", 
value: allAllowedDelimiterCharactersForAcceptHeader }], 68 explicitlyAllowHeaders: false, 69 shouldCausePreflight: false, 70 description: "Accept header value with all allowed delimiter characters SHOULD NOT cause a preflight" 52 71 } 53 72 ,{ … … 55 74 explicitlyAllowHeaders: false, 56 75 shouldCausePreflight: false, 57 description: "Accept-Language header with normal value SHOULD NOT cause a preflight" 76 description: "Accept-Language header value 'en-US,en;q=0.8' SHOULD NOT cause a preflight" 77 } 78 ,{ 79 headersToAdd: [{ name : "Accept-Language", value: "zh-Latn-CN-variant1-a-extend1-x-wadegile-private1" }], 80 explicitlyAllowHeaders: false, 81 shouldCausePreflight: false, 82 description: "Accept-Language header value 'zh-Latn-CN-variant1-a-extend1-x-wadegile-private1' SHOULD NOT cause a preflight" 58 83 } 59 84 ,{ … … 64 89 } 65 90 ,{ 66 headersToAdd: [{ name : "Content-Language", value: "en" }], 67 explicitlyAllowHeaders: false, 68 shouldCausePreflight: false, 69 description: "Content-Language header with normal value SHOULD NOT cause a preflight" 91 headersToAdd: [{ name : "Content-Language", value: "en-US,en;q=0.8" }], 92 explicitlyAllowHeaders: false, 93 shouldCausePreflight: false, 94 description: "Content-Language header value 'en-US,en;q=0.8' SHOULD NOT cause a preflight" 95 } 96 ,{ 97 headersToAdd: [{ name : "Content-Language", value: "zh-Latn-CN-variant1-a-extend1-x-wadegile-private1" }], 98 explicitlyAllowHeaders: false, 99 shouldCausePreflight: false, 100 description: "Content-Language header value 'zh-Latn-CN-variant1-a-extend1-x-wadegile-private1' SHOULD NOT cause a preflight" 70 101 } 71 102 ,{ … … 132 163 } 133 164 ]; 165 166 // Individual negative test cases for each disallowed delimiter character in Accept header values. 
167 for (var i = 0; i < allDisallowedDelimiterCharactersForAcceptHeader.length; i++) { 168 var disallowedDelimiter = allDisallowedDelimiterCharactersForAcceptHeader[i]; 169 testCases.push( 170 { 171 headersToAdd: [{ name : "Accept", value: disallowedDelimiter }], 172 explicitlyAllowHeaders: false, 173 shouldCausePreflight: true, 174 description: "Accept header with disallowed delimiter '" + disallowedDelimiter + "' SHOULD cause a preflight" 175 } 176 ); 177 } 134 178 135 179 function runTestCase(testNumber) { -
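Review bot: the generated negative cases (the `for` loop over `allDisallowedDelimiterCharactersForAcceptHeader`) send each disallowed delimiter as the entire Accept value, so they do not show that the check rejects a delimiter embedded in an otherwise valid value. Consider adding a second generated case per delimiter such as `value: "text/html;q=0.8" + disallowedDelimiter + "text/plain"`, with a matching expectation line, so the test proves the rejection is not limited to a bare single-character value. Also worth noting in a comment: the removed "all allowed non-alphanumeric characters" case (`" *,./;="`) is the only one that covered a leading space and a bare `*` and `.`; those are still accepted under the new model and are now only exercised implicitly by the "normal value" cases.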
trunk/Source/WebCore/ChangeLog
r210075 r210077 1 2016-12-21 John Wilander <wilander@apple.com> 2 3 Switch to a blacklist model for restricted Accept headers in simple CORS requests 4 https://bugs.webkit.org/show_bug.cgi?id=166363 5 6 Reviewed by Alex Christensen. 7 8 Updated existing tests. 9 10 * platform/network/HTTPParsers.cpp: 11 (WebCore::isDelimiterCharacter): 12 Convenience function for checking delimiter characters according to: 13 https://tools.ietf.org/html/rfc7230#section-3.2.6 14 (WebCore::isValidAcceptHeaderValue): 15 Now uses WebCore::isDelimiterCharacter() to blacklist delimiter characters 16 instead of a whitelist of accepted non-alphanumeric characters. 17 1 18 2016-12-21 Beth Dakin <bdakin@apple.com> 2 19 -
trunk/Source/WebCore/platform/network/HTTPParsers.cpp
r209510 r210077 128 128 } 129 129 130 // See RFC 7231, Section 5.3.2 130 // See RFC 7230, Section 3.2.6. 131 static bool isDelimiterCharacter(const UChar c) 132 { 133 // DQUOTE and "(),/:;<=>?@[\]{}" 134 return (c == '"' || c == '(' || c == ')' || c == ',' || c == '/' || c == ':' || c == ';' 135 || c == '<' || c == '=' || c == '>' || c == '?' || c == '@' || c == '[' || c == '\\' 136 || c == ']' || c == '{' || c == '}'); 137 } 138 139 // See RFC 7231, Section 5.3.2. 131 140 bool isValidAcceptHeaderValue(const String& value) 132 141 { 133 142 for (unsigned i = 0; i < value.length(); ++i) { 134 143 UChar c = value[i]; 135 if (isASCIIAlphanumeric(c) || c == ' ' || c == '*' || c == ',' || c == '.' || c == '/' || c == ';' || c == '=') 144 // First check for alphanumeric for performance reasons then whitelist four delimiter characters. 145 if (isASCIIAlphanumeric(c) || c == ',' || c == '/' || c == ';' || c == '=') 136 146 continue; 137 return false; 147 if (isDelimiterCharacter(c)) 148 return false; 138 149 } 139 150 … … 141 152 } 142 153 143 // See RFC 7231, Section 5.3.5 and 3.1.3.2 154 // See RFC 7231, Section 5.3.5 and 3.1.3.2. 144 155 bool isValidLanguageHeaderValue(const String& value) 145 156 {
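Review bot: in `isValidAcceptHeaderValue`, a code unit that is neither ASCII alphanumeric, one of the four whitelisted delimiters, nor matched by `isDelimiterCharacter` now falls through the loop and is accepted; the old whitelist rejected such characters. That includes control characters (CR, LF, TAB, NUL), DEL and non-ASCII code units, which are the ones that matter for header injection. If these are already rejected before the value reaches this function (for example when the header is set on the XMLHttpRequest), state that in the comment above the loop; otherwise add an explicit rejection of code units outside printable ASCII alongside the delimiter check. Minor: the comment "whitelist four delimiter characters" is accurate, but it reads more clearly as "accept the four delimiters the Accept grammar needs (`,` `/` `;` `=`) and reject the remaining RFC 7230 delimiters".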