Changeset 246238 in webkit
- Timestamp:
- Jun 9, 2019 4:55:29 AM (5 years ago)
- Location:
- trunk
- Files:
-
- 7 edited
trunk/LayoutTests/imported/w3c/ChangeLog
r246193 r246238 1 2019-06-09 Rob Buis <rbuis@igalia.com> 2 3 Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers 4 https://bugs.webkit.org/show_bug.cgi?id=165508 5 6 Reviewed by Frédéric Wang. 7 8 * web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt: 9 * web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt: 10 1 11 2019-06-07 Joonghun Park <jh718.park@samsung.com> 2 12 -
trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt
r231000 r246238 1 CONSOLE MESSAGE: Method SUPER is not allowed by Access-Control-Allow-Methods.2 CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?allow_methods=*&allow_headers=x-test& due to access control checks.3 CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods.4 CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?allow_methods=*&allow_headers=*& due to access control checks.5 1 CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. 6 2 CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?origin=http://localhost:8800&credentials&allow_methods=*&allow_headers=*& due to access control checks. … … 15 11 16 12 PASS CORS that succeeds with credentials: false; method: GET (allowed: get); header: X-Test,1 (allowed: x-test) 17 FAIL CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) promise_test: Unhandled rejection with value: object "TypeError: Method SUPER is not allowed by Access-Control-Allow-Methods." 18 FAIL CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) promise_test: Unhandled rejection with value: object "TypeError: Method OK is not allowed by Access-Control-Allow-Methods." 13 PASS CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) 14 PASS CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) 19 15 PASS CORS that fails with credentials: true; method: OK (allowed: *); header: X-Test,1 (allowed: *) 20 16 PASS CORS that fails with credentials: true; method: PUT (allowed: *); header: (allowed: ) -
trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt
r231000 r246238 1 CONSOLE MESSAGE: Method SUPER is not allowed by Access-Control-Allow-Methods.2 CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods.3 1 CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. 4 2 CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. … … 8 6 9 7 PASS CORS that succeeds with credentials: false; method: GET (allowed: get); header: X-Test,1 (allowed: x-test) 10 FAIL CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) promise_test: Unhandled rejection with value: object "TypeError: Method SUPER is not allowed by Access-Control-Allow-Methods." 11 FAIL CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) promise_test: Unhandled rejection with value: object "TypeError: Method OK is not allowed by Access-Control-Allow-Methods." 8 PASS CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) 9 PASS CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) 12 10 PASS CORS that fails with credentials: true; method: OK (allowed: *); header: X-Test,1 (allowed: *) 13 11 PASS CORS that fails with credentials: true; method: PUT (allowed: *); header: (allowed: ) -
trunk/Source/WebCore/ChangeLog
r246234 r246238 1 2019-06-09 Rob Buis <rbuis@igalia.com> 2 3 Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers 4 https://bugs.webkit.org/show_bug.cgi?id=165508 5 6 Reviewed by Frédéric Wang. 7 8 According to the spec [1] step 6.5, a wildcard for method 9 and request's credentials mode should be taken into account, so 10 add this to the check. Same for Access-Control-Allow-Headers (step 6.7). 11 12 [1] https://fetch.spec.whatwg.org/#cors-preflight-fetch 13 14 Tests: web-platform-tests/fetch/api/cors/cors-preflight-star.any.html 15 web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html 16 17 * loader/CrossOriginAccessControl.cpp: 18 (WebCore::validatePreflightResponse): 19 * loader/CrossOriginPreflightResultCache.cpp: 20 (WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod const): 21 (WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders const): 22 (WebCore::CrossOriginPreflightResultCacheItem::allowsRequest const): 23 * loader/CrossOriginPreflightResultCache.h: 24 1 25 2019-06-08 Zalan Bujtas <zalan@apple.com> 2 26 -
trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp
r242899 r246238 208 208 auto result = std::make_unique<CrossOriginPreflightResultCacheItem>(storedCredentialsPolicy); 209 209 if (!result->parse(response) 210 || !result->allowsCrossOriginMethod(request.httpMethod(), errorDescription)211 || !result->allowsCrossOriginHeaders(request.httpHeaderFields(), errorDescription)) {210 || !result->allowsCrossOriginMethod(request.httpMethod(), storedCredentialsPolicy, errorDescription) 211 || !result->allowsCrossOriginHeaders(request.httpHeaderFields(), storedCredentialsPolicy, errorDescription)) { 212 212 return false; 213 213 } -
trunk/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp
r239372 r246238 69 69 } 70 70 71 bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, St ring& errorDescription) const71 bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, StoredCredentialsPolicy storedCredentialsPolicy, String& errorDescription) const 72 72 { 73 if (m_methods.contains(method) || isOnAccessControlSimpleRequestMethodWhitelist(method))73 if (m_methods.contains(method) || (m_methods.contains("*") && storedCredentialsPolicy != StoredCredentialsPolicy::Use) || isOnAccessControlSimpleRequestMethodWhitelist(method)) 74 74 return true; 75 75 … … 78 78 } 79 79 80 bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, St ring& errorDescription) const80 bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, StoredCredentialsPolicy storedCredentialsPolicy, String& errorDescription) const 81 81 { 82 bool validWildcard = m_headers.contains("*") && storedCredentialsPolicy != StoredCredentialsPolicy::Use; 82 83 for (const auto& header : requestHeaders) { 83 84 if (header.keyAsHTTPHeaderName && isCrossOriginSafeRequestHeader(header.keyAsHTTPHeaderName.value(), header.value)) 84 85 continue; 85 if (!m_headers.contains(header.key) ) {86 if (!m_headers.contains(header.key) && !validWildcard) { 86 87 errorDescription = "Request header field " + header.key + " is not allowed by Access-Control-Allow-Headers."; 87 88 return false; … … 98 99 if (storedCredentialsPolicy == StoredCredentialsPolicy::Use && m_storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse) 99 100 return false; 100 if (!allowsCrossOriginMethod(method, ignoredExplanation))101 if (!allowsCrossOriginMethod(method, storedCredentialsPolicy, ignoredExplanation)) 101 102 return false; 102 if (!allowsCrossOriginHeaders(requestHeaders, ignoredExplanation))103 if (!allowsCrossOriginHeaders(requestHeaders, storedCredentialsPolicy, 
ignoredExplanation)) 103 104 return false; 104 105 return true; -
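Review bot: The new `validWildcard` path in allowsCrossOriginHeaders (new line 82, applied on line 86) lets a `*` in Access-Control-Allow-Headers cover every non-safelisted request header, including `Authorization`, whenever credentials are not used; the current Fetch specification text treats `Authorization` as a "CORS non-wildcard request-header name" that `*` never matches, so if that carve-out applies to the revision this change targets the check should still demand an explicit listing for it, e.g. `bool coveredByWildcard = validWildcard && !equalLettersIgnoringASCIICase(header.key, "authorization");` and then `if (!m_headers.contains(header.key) && !coveredByWildcard) {`. Whether that exception was already normative at the time of this change cannot be confirmed from the hunk, so it is worth verifying against the spec and the imported cors-preflight-star tests. Both wildcard conditions are now reachable through allowsRequest (new lines 101–103) with the caller's policy, which is what makes a cached `*` result credentials-dependent; a comment on line 82 such as `// Per Fetch CORS-preflight step 6.7, "*" only matches non-safelisted names when credentials are not sent; otherwise it is a literal header name.` would make that invariant explicit. allowsRequest begins before this hunk's visible lines.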
trunk/Source/WebCore/loader/CrossOriginPreflightResultCache.h
r244115 r246238 47 47 48 48 WEBCORE_EXPORT bool parse(const ResourceResponse&); 49 WEBCORE_EXPORT bool allowsCrossOriginMethod(const String&, St ring& errorDescription) const;50 WEBCORE_EXPORT bool allowsCrossOriginHeaders(const HTTPHeaderMap&, St ring& errorDescription) const;49 WEBCORE_EXPORT bool allowsCrossOriginMethod(const String&, StoredCredentialsPolicy, String& errorDescription) const; 50 WEBCORE_EXPORT bool allowsCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy, String& errorDescription) const; 51 51 bool allowsRequest(StoredCredentialsPolicy, const String& method, const HTTPHeaderMap& requestHeaders) const; 52 52
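Review bot: The new `StoredCredentialsPolicy` parameter on allowsCrossOriginMethod and allowsCrossOriginHeaders (lines 49–50) is undocumented, and its only effect — deciding whether a `*` entry in Access-Control-Allow-Methods / Access-Control-Allow-Headers is honoured — cannot be seen from the signature. A comment above the pair such as `// A "*" entry in the cached allow-list only matches when storedCredentialsPolicy is not Use (Fetch, CORS-preflight fetch); with credentials, "*" is treated as a literal method/header name.` would let callers such as allowsRequest and validatePreflightResponse pass the correct policy without reading the .cpp. The enclosing class declaration starts and ends outside the hunk.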