Changeset 246238 in webkit

Timestamp:

Jun 9, 2019 4:55:29 AM (5 years ago)

Author:

commit-queue@webkit.org

Message:

Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers
​https://bugs.webkit.org/show_bug.cgi?id=165508

Patch by Rob Buis <​rbuis@igalia.com> on 2019-06-09
Reviewed by Frédéric Wang.

LayoutTests/imported/w3c:

• web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt:
• web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt:

Source/WebCore:

According to the spec [1] step 6.5, a wildcard for method
and request's credentials mode should be taken into account, so
add this to the check. Same for Access-Control-Allow-Headers (step 6.7).

[1] ​https://fetch.spec.whatwg.org/#cors-preflight-fetch

Tests: web-platform-tests/fetch/api/cors/cors-preflight-star.any.html

web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html

• loader/CrossOriginAccessControl.cpp:

(WebCore::validatePreflightResponse):

• loader/CrossOriginPreflightResultCache.cpp:

(WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod const):
(WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders const):
(WebCore::CrossOriginPreflightResultCacheItem::allowsRequest const):

• loader/CrossOriginPreflightResultCache.h:

Location:

trunk

Files:

• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt (modified) (2 diffs)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/CrossOriginAccessControl.cpp (modified) (1 diff)
• Source/WebCore/loader/CrossOriginPreflightResultCache.cpp (modified) (3 diffs)
• Source/WebCore/loader/CrossOriginPreflightResultCache.h (modified) (1 diff)

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2019-06-09  Rob Buis  <rbuis@igalia.com>
+
+        Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers
+        https://bugs.webkit.org/show_bug.cgi?id=165508
+
+        Reviewed by Frédéric Wang.
+
+        * web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt:
+
 2019-06-07  Joonghun Park  <jh718.park@samsung.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Method SUPER is not allowed by Access-Control-Allow-Methods.
-CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?allow_methods=*&allow_headers=x-test& due to access control checks.
-CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods.
-CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?allow_methods=*&allow_headers=*& due to access control checks.
 CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods.
 CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?origin=http://localhost:8800&credentials&allow_methods=*&allow_headers=*& due to access control checks.
@@ -15 +11 @@
 
 PASS CORS that succeeds with credentials: false; method: GET (allowed: get); header: X-Test,1 (allowed: x-test) 
-FAIL CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) promise_test: Unhandled rejection with value: object "TypeError: Method SUPER is not allowed by Access-Control-Allow-Methods."
-FAIL CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) promise_test: Unhandled rejection with value: object "TypeError: Method OK is not allowed by Access-Control-Allow-Methods."
+PASS CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) 
+PASS CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) 
 PASS CORS that fails with credentials: true; method: OK (allowed: *); header: X-Test,1 (allowed: *) 
 PASS CORS that fails with credentials: true; method: PUT (allowed: *); header:  (allowed: ) 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Method SUPER is not allowed by Access-Control-Allow-Methods.
-CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods.
 CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods.
 CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods.
@@ -8 +6 @@
 
 PASS CORS that succeeds with credentials: false; method: GET (allowed: get); header: X-Test,1 (allowed: x-test) 
-FAIL CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) promise_test: Unhandled rejection with value: object "TypeError: Method SUPER is not allowed by Access-Control-Allow-Methods."
-FAIL CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) promise_test: Unhandled rejection with value: object "TypeError: Method OK is not allowed by Access-Control-Allow-Methods."
+PASS CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) 
+PASS CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) 
 PASS CORS that fails with credentials: true; method: OK (allowed: *); header: X-Test,1 (allowed: *) 
 PASS CORS that fails with credentials: true; method: PUT (allowed: *); header:  (allowed: ) 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-06-09  Rob Buis  <rbuis@igalia.com>
+
+        Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers
+        https://bugs.webkit.org/show_bug.cgi?id=165508
+
+        Reviewed by Frédéric Wang.
+
+        According to the spec [1] step 6.5, a wildcard for method
+        and request's credentials mode should be taken into account, so
+        add this to the check. Same for Access-Control-Allow-Headers (step 6.7).
+
+        [1] https://fetch.spec.whatwg.org/#cors-preflight-fetch
+
+        Tests: web-platform-tests/fetch/api/cors/cors-preflight-star.any.html
+               web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html
+
+        * loader/CrossOriginAccessControl.cpp:
+        (WebCore::validatePreflightResponse):
+        * loader/CrossOriginPreflightResultCache.cpp:
+        (WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod const):
+        (WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders const):
+        (WebCore::CrossOriginPreflightResultCacheItem::allowsRequest const):
+        * loader/CrossOriginPreflightResultCache.h:
+
 2019-06-08  Zalan Bujtas  <zalan@apple.com>
 

trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp

@@ -208 +208 @@
     auto result = std::make_unique<CrossOriginPreflightResultCacheItem>(storedCredentialsPolicy);
     if (!result->parse(response)
-        || !result->allowsCrossOriginMethod(request.httpMethod(), errorDescription)
-        || !result->allowsCrossOriginHeaders(request.httpHeaderFields(), errorDescription)) {
+        || !result->allowsCrossOriginMethod(request.httpMethod(), storedCredentialsPolicy, errorDescription)
+        || !result->allowsCrossOriginHeaders(request.httpHeaderFields(), storedCredentialsPolicy, errorDescription)) {
         return false;
     }

trunk/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp

@@ -69 +69 @@
 }
 
-bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, String& errorDescription) const
+bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, StoredCredentialsPolicy storedCredentialsPolicy, String& errorDescription) const
 {
-    if (m_methods.contains(method) || isOnAccessControlSimpleRequestMethodWhitelist(method))
+    if (m_methods.contains(method) || (m_methods.contains("*") && storedCredentialsPolicy != StoredCredentialsPolicy::Use) || isOnAccessControlSimpleRequestMethodWhitelist(method))
         return true;
 
@@ -78 +78 @@
 }
 
-bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, String& errorDescription) const
+bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, StoredCredentialsPolicy storedCredentialsPolicy, String& errorDescription) const
 {
+    bool validWildcard = m_headers.contains("*") && storedCredentialsPolicy != StoredCredentialsPolicy::Use;
     for (const auto& header : requestHeaders) {
         if (header.keyAsHTTPHeaderName && isCrossOriginSafeRequestHeader(header.keyAsHTTPHeaderName.value(), header.value))
             continue;
-        if (!m_headers.contains(header.key)) {
+        if (!m_headers.contains(header.key) && !validWildcard) {
             errorDescription = "Request header field " + header.key + " is not allowed by Access-Control-Allow-Headers.";
             return false;
@@ -98 +99 @@
     if (storedCredentialsPolicy == StoredCredentialsPolicy::Use && m_storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse)
         return false;
-    if (!allowsCrossOriginMethod(method, ignoredExplanation))
+    if (!allowsCrossOriginMethod(method, storedCredentialsPolicy, ignoredExplanation))
         return false;
-    if (!allowsCrossOriginHeaders(requestHeaders, ignoredExplanation))
+    if (!allowsCrossOriginHeaders(requestHeaders, storedCredentialsPolicy, ignoredExplanation))
         return false;
     return true;

trunk/Source/WebCore/loader/CrossOriginPreflightResultCache.h

@@ -47 +47 @@
 
     WEBCORE_EXPORT bool parse(const ResourceResponse&);
-    WEBCORE_EXPORT bool allowsCrossOriginMethod(const String&, String& errorDescription) const;
-    WEBCORE_EXPORT bool allowsCrossOriginHeaders(const HTTPHeaderMap&, String& errorDescription) const;
+    WEBCORE_EXPORT bool allowsCrossOriginMethod(const String&, StoredCredentialsPolicy, String& errorDescription) const;
+    WEBCORE_EXPORT bool allowsCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy, String& errorDescription) const;
     bool allowsRequest(StoredCredentialsPolicy, const String& method, const HTTPHeaderMap& requestHeaders) const;