author | bors-servo <lbergstrom+bors@mozilla.com> | 2019-12-16 20:51:09 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-12-16 20:51:09 -0500 |
commit | b274d59875522ad303e9b54c17414dd57dee325b (patch) | |
tree | b1bbc9a344058ae4624f92d1040b67419a2b7eb8 /components/script/dom/headers.rs | |
parent | d2051946181f62de6ec8ade4a0a73fc971c74923 (diff) | |
parent | 67827debd85c7076c05277e976732593f9fa043e (diff) | |
download | servo-b274d59875522ad303e9b54c17414dd57dee325b.tar.gz servo-b274d59875522ad303e9b54c17414dd57dee325b.zip |
Auto merge of #25236 - pshaughn:safelistct, r=jdm
De-duplicate is_cors_safelisted_request_header helper functions
<!-- Please describe your changes on the following line: -->
Separate is_cors_safelisted_request_header implementations in script::dom::request and net::fetch::methods have been merged to a single implementation in net_traits::request, with additional logic for spec requirements that weren't previously there. This doesn't pass all the failing tests, but it doesn't fail any passing ones either and it reduces confusion about what's supposed to happen where.
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix #25235 and some but not all subcases in #25175
<!-- Either: -->
- [X] There are tests for these changes, in that the WPT CORS tests that did already pass still do
<!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.-->
<!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->
Diffstat (limited to 'components/script/dom/headers.rs')
-rw-r--r-- | components/script/dom/headers.rs | 44 |
1 files changed, 12 insertions, 32 deletions
diff --git a/components/script/dom/headers.rs b/components/script/dom/headers.rs
index 017cde9268a..61c6fc1f98e 100644
--- a/components/script/dom/headers.rs
+++ b/components/script/dom/headers.rs
@@ -14,9 +14,8 @@ use crate::dom::bindings::str::{is_token, ByteString};
 use crate::dom::globalscope::GlobalScope;
 use dom_struct::dom_struct;
 use http::header::{self, HeaderMap as HyperHeaders, HeaderName, HeaderValue};
-use mime::{self, Mime};
+use net_traits::request::is_cors_safelisted_request_header;
 use std::cell::Cell;
-use std::result::Result;
 use std::str::{self, FromStr};
 
 #[dom_struct]
@@ -28,7 +27,7 @@ pub struct Headers {
 }
 
 // https://fetch.spec.whatwg.org/#concept-headers-guard
-#[derive(Clone, Copy, JSTraceable, MallocSizeOf, PartialEq)]
+#[derive(Clone, Copy, Debug, JSTraceable, MallocSizeOf, PartialEq)]
 pub enum Guard {
 Immutable,
 Request,
@@ -88,6 +87,9 @@ impl HeadersMethods for Headers {
 return Ok(());
 }
 // Step 7
+ // FIXME: this is NOT what WHATWG says to do when appending
+ // another copy of an existing header. HyperHeaders
+ // might not expose the information we need to do it right.
 let mut combined_value: Vec<u8> = vec![];
 if let Some(v) = self
 .header_list
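Review bot: The FIXME added under `// Step 7` says the append path is not what WHATWG specifies, but it does not say how the behaviour differs, so a reader cannot tell whether the header guard checks are affected. I would name the deviation and a tracking issue, e.g. `// FIXME(#<issue>): duplicates are merged into one combined value here; the spec's header-list append is believed to keep them as separate entries`. That wording is inferred from the `combined_value` lines that follow and should be confirmed against the spec before it is committed. The enclosing method starts before the hunk, and the hunk ends partway through the `if let` statement.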
@@ -301,35 +303,6 @@ impl Iterable for Headers {
 }
 }
 
-fn is_cors_safelisted_request_content_type(value: &[u8]) -> bool {
- let value_string = if let Ok(s) = str::from_utf8(value) {
- s
- } else {
- return false;
- };
- let value_mime_result: Result<Mime, _> = value_string.parse();
- match value_mime_result {
- Err(_) => false,
- Ok(value_mime) => match (value_mime.type_(), value_mime.subtype()) {
- (mime::APPLICATION, mime::WWW_FORM_URLENCODED) |
- (mime::MULTIPART, mime::FORM_DATA) |
- (mime::TEXT, mime::PLAIN) => true,
- _ => false,
- },
- }
-}
-
-// TODO: "DPR", "Downlink", "Save-Data", "Viewport-Width", "Width":
-// ... once parsed, the value should not be failure.
-// https://fetch.spec.whatwg.org/#cors-safelisted-request-header
-fn is_cors_safelisted_request_header(name: &str, value: &[u8]) -> bool {
- match name {
- "accept" | "accept-language" | "content-language" => true,
- "content-type" => is_cors_safelisted_request_content_type(value),
- _ => false,
- }
-}
-
 // https://fetch.spec.whatwg.org/#forbidden-response-header-name
 fn is_forbidden_response_header(name: &str) -> bool {
 match name {
@@ -394,11 +367,18 @@ pub fn is_forbidden_header_name(name: &str) -> bool {
 // [2] https://tools.ietf.org/html/rfc7230#section-3.2
 // [3] https://tools.ietf.org/html/rfc7230#section-3.2.6
 // [4] https://www.rfc-editor.org/errata_search.php?rfc=7230
+//
+// As of December 2019 WHATWG, isn't even using grammar productions for value;
+// https://fetch.spec.whatg.org/#concept-header-value just says not to have
+// newlines, nulls, or leading/trailing whitespace.
 fn validate_name_and_value(name: ByteString, value: ByteString) -> Fallible<(String, Vec<u8>)> {
 let valid_name = validate_name(name)?;
+
+ // this is probably out of date
 if !is_field_content(&value) {
 return Err(Error::Type("Value is not valid".to_string()));
 }
+
 Ok((valid_name, value.into()))
 }
 
|
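Review bot: The spec link in the comment added above `validate_name_and_value` is misspelled, `fetch.spec.whatg.org` instead of `fetch.spec.whatwg.org`, so it points at a different host from the one cited elsewhere in this file. The inline `// this is probably out of date` also does not say what is out of date, or whether `is_field_content` is stricter or looser than the Fetch definition. As far as the hunk shows, this check is the only value validation in `validate_name_and_value`, so it is what rejects newlines and nulls in header values, and the comment should state that this property must survive any update. I would write `// FIXME(#<issue>): is_field_content appears to follow the RFC 7230 grammar; Fetch only forbids NUL/CR/LF and leading/trailing whitespace`. `is_field_content` is defined outside this hunk, so the direction of the mismatch needs to be confirmed.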