author | Domenico Rizzo <domenico.rizzo@gmail.com> | 2025-01-24 18:31:27 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-01-24 17:31:27 +0000 |
commit | fc1a093976a77f56533be7e4167dde364a6c7c6b (patch) | |
tree | 53db9b957e46b952746c7c23d2cbc490ab9a677c | |
parent | ceebf99280d863fc0bdb027f77a03b4cc6affffa (diff) | |
[#34767] - Range header is missing from CORS header safelist (#35138)
* implemented main feature, created tests, and modified ini
Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com>
* corrected tidiness
Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com>
* Modified general.any.js.ini file
Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com>
* Removed PASSed tests from ini files
Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com>
---------
Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com>
-rw-r--r-- | components/shared/net/request.rs | 33 | ||||
-rw-r--r-- | components/shared/net/tests/cors_safelisted_request_header.rs | 13 | ||||
-rw-r--r-- | tests/wpt/meta/cors/cors-safelisted-request-header.any.js.ini | 13 | ||||
-rw-r--r-- | tests/wpt/meta/fetch/range/general.any.js.ini | 9 |
4 files changed, 46 insertions, 22 deletions
diff --git a/components/shared/net/request.rs b/components/shared/net/request.rs
index fff5dbc0836..a6c31c57104 100644
--- a/components/shared/net/request.rs
+++ b/components/shared/net/request.rs
@@ -728,10 +728,43 @@ pub fn is_cors_safelisted_request_header<N: AsRef<str>, V: AsRef<[u8]>>(
         "accept" => is_cors_safelisted_request_accept(value),
         "accept-language" | "content-language" => is_cors_safelisted_language(value),
         "content-type" => is_cors_safelisted_request_content_type(value),
+        "range" => is_cors_safelisted_request_range(value),
         _ => false,
     }
 }
 
+pub fn is_cors_safelisted_request_range(value: &[u8]) -> bool {
+    if let Ok(value_str) = std::str::from_utf8(value) {
+        return validate_range_header(value_str);
+    }
+    false
+}
+
+fn validate_range_header(value: &str) -> bool {
+    let trimmed = value.trim();
+    if !trimmed.starts_with("bytes=") {
+        return false;
+    }
+
+    if let Some(range) = trimmed.strip_prefix("bytes=") {
+        let mut parts = range.split('-');
+        let start = parts.next();
+        let end = parts.next();
+
+        if let Some(start) = start {
+            if let Ok(start_num) = start.parse::<u64>() {
+                return match end {
+                    Some(e) if !e.is_empty() => e
+                        .parse::<u64>()
+                        .map_or(false, |end_num| start_num <= end_num),
+                    _ => true,
+                };
+            }
+        }
+    }
+    false
+}
+
 /// <https://fetch.spec.whatwg.org/#cors-safelisted-method>
 pub fn is_cors_safelisted_method(m: &Method) -> bool {
     matches!(*m, Method::GET | Method::HEAD | Method::POST)
diff --git a/components/shared/net/tests/cors_safelisted_request_header.rs b/components/shared/net/tests/cors_safelisted_request_header.rs
new file mode 100644
index 00000000000..21b91ad4ea2
--- /dev/null
+++ b/components/shared/net/tests/cors_safelisted_request_header.rs
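Review bot: `validate_range_header` is more permissive than the Fetch spec's "parse a single range header value" algorithm (run with allowWhitespace = false for the safelist check), so some Range values that should trigger a CORS preflight are classified as safelisted: `value.trim()` tolerates leading/trailing whitespace, `split('-')` silently ignores anything after the second piece (`bytes=1-2-3` passes), and `u64::parse` accepts a leading `+` (`bytes=+1-2` passes). Because this function decides whether a cross-origin request is sent without a preflight, the permissive direction is the wrong one to err in; a parser that consumes every byte and requires ASCII digits (below) closes all three gaps, and treating a `u64` overflow as "not safelisted" remains a conservative deviation from the spec's arbitrary-precision comparison. The spec's 128-byte limit on safelisted header values is not visible in this hunk and the enclosing `is_cors_safelisted_request_header` starts before it; if the caller does not already enforce that limit, it applies to `range` as well. The neighbouring public functions carry a spec-link doc comment, so `is_cors_safelisted_request_range` should get `/// <https://fetch.spec.whatwg.org/#simple-range-header-value>` for consistency.
```rust
fn validate_range_header(value: &str) -> bool {
    // Safelist check: no whitespace is allowed, every byte must be consumed,
    // and a null start ("bytes=-500") is not safelisted.
    let Some(range) = value.strip_prefix("bytes=") else {
        return false;
    };
    let Some((start, end)) = range.split_once('-') else {
        return false;
    };
    let all_digits = |s: &str| !s.is_empty() && s.bytes().all(|b| b.is_ascii_digit());
    if !all_digits(start) {
        return false;
    }
    if end.is_empty() {
        return true;
    }
    // A value too large for u64 is rejected (forces a preflight) rather than accepted.
    all_digits(end)
        && matches!(
            (start.parse::<u64>(), end.parse::<u64>()),
            (Ok(s), Ok(e)) if s <= e
        )
}
```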
@@ -0,0 +1,13 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + +#[test] +fn test_is_cors_safelisted_request_range() { + use net_traits::request::is_cors_safelisted_request_range; + + assert!(is_cors_safelisted_request_range(b"bytes=100-200")); + assert!(is_cors_safelisted_request_range(b"bytes=200-")); + assert!(!is_cors_safelisted_request_range(b"bytes=abc-def")); + assert!(!is_cors_safelisted_request_range(b"")); +} diff --git a/tests/wpt/meta/cors/cors-safelisted-request-header.any.js.ini b/tests/wpt/meta/cors/cors-safelisted-request-header.any.js.ini index e56f1bc1f35..144bd43677a 100644 --- a/tests/wpt/meta/cors/cors-safelisted-request-header.any.js.ini +++ b/tests/wpt/meta/cors/cors-safelisted-request-header.any.js.ini @@ -14,13 +14,6 @@ [Preflight for {"content-type":"application/x-www-form-urlencoded;"}] expected: FAIL - [No preflight for {"range":"bytes=100-200"}] - expected: FAIL - - [No preflight for {"range":"bytes=200-"}] - expected: FAIL - - [cors-safelisted-request-header.any.worker.html] [No preflight for {"content-type":"text/plain;garbage"}] expected: FAIL @@ -36,9 +29,3 @@ [Preflight for {"content-type":"application/x-www-form-urlencoded;"}] expected: FAIL - - [No preflight for {"range":"bytes=100-200"}] - expected: FAIL - - [No preflight for {"range":"bytes=200-"}] - expected: FAIL diff --git a/tests/wpt/meta/fetch/range/general.any.js.ini b/tests/wpt/meta/fetch/range/general.any.js.ini index b55af5e47e1..9fa34bfeeeb 100644 --- a/tests/wpt/meta/fetch/range/general.any.js.ini +++ b/tests/wpt/meta/fetch/range/general.any.js.ini 
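Review bot: The new test never exercises the start/end ordering rule the implementation enforces, nor the suffix-range form the spec explicitly keeps out of the safelist; add `assert!(!is_cors_safelisted_request_range(b"bytes=200-100"));` and `assert!(!is_cors_safelisted_request_range(b"bytes=-500"));` next to the existing cases. A whitespace case such as `assert!(!is_cors_safelisted_request_range(b" bytes=100-200"));` would also pin down whether surrounding whitespace is meant to be tolerated, since the WPT expectations removed in this commit only cover the two accepted forms `bytes=100-200` and `bytes=200-`.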
@@ -1,14 +1,5 @@ [general.any.sharedworker.html] expected: ERROR -[general.any.html] - [Cross Origin Fetch with safe range header] - expected: FAIL - - [general.any.serviceworker.html] expected: ERROR - -[general.any.worker.html] - [Cross Origin Fetch with safe range header] - expected: FAIL |