[#34767] - Range header is missing from CORS header safelist (#35138)

* implemented main feauter, created tests, and modified ini Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com> * corrected tidyness Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com> * Modified general.any.js.ini file Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com> * Removed PASSed tests from ini files Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com> --------- Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com>
author: Domenico Rizzo <domenico.rizzo@gmail.com> 2025-01-24 18:31:27 +0100
committer: GitHub <noreply@github.com> 2025-01-24 17:31:27 +0000
commit: fc1a093976a77f56533be7e4167dde364a6c7c6b (patch)
tree: 53db9b957e46b952746c7c23d2cbc490ab9a677c /components/shared/net/request.rs
parent: ceebf99280d863fc0bdb027f77a03b4cc6affffa (diff)
download: servo-fc1a093976a77f56533be7e4167dde364a6c7c6b.tar.gz
servo-fc1a093976a77f56533be7e4167dde364a6c7c6b.zip
1 files changed, 33 insertions, 0 deletions
diff --git a/components/shared/net/request.rs b/components/shared/net/request.rs
index fff5dbc0836..a6c31c57104 100644
--- a/components/shared/net/request.rs
+++ b/components/shared/net/request.rs
@@ -728,10 +728,43 @@ pub fn is_cors_safelisted_request_header<N: AsRef<str>, V: AsRef<[u8]>>(
         "accept" => is_cors_safelisted_request_accept(value),
         "accept-language" | "content-language" => is_cors_safelisted_language(value),
         "content-type" => is_cors_safelisted_request_content_type(value),
+        "range" => is_cors_safelisted_request_range(value),
         _ => false,
     }
 }
 
+pub fn is_cors_safelisted_request_range(value: &[u8]) -> bool {
+    if let Ok(value_str) = std::str::from_utf8(value) {
+        return validate_range_header(value_str);
+    }
+    false
+}
+
+fn validate_range_header(value: &str) -> bool {
+    let trimmed = value.trim();
+    if !trimmed.starts_with("bytes=") {
+        return false;
+    }
+
+    if let Some(range) = trimmed.strip_prefix("bytes=") {
+        let mut parts = range.split('-');
+        let start = parts.next();
+        let end = parts.next();
+
+        if let Some(start) = start {
+            if let Ok(start_num) = start.parse::<u64>() {
+                return match end {
+                    Some(e) if !e.is_empty() => e
+                        .parse::<u64>()
+                        .map_or(false, |end_num| start_num <= end_num),
+                    _ => true,
+                };
+            }
+        }
+    }
+    false
+}
+
 /// <https://fetch.spec.whatwg.org/#cors-safelisted-method>
 pub fn is_cors_safelisted_method(m: &Method) -> bool {
     matches!(*m, Method::GET | Method::HEAD | Method::POST)
author	Domenico Rizzo <domenico.rizzo@gmail.com>	2025-01-24 18:31:27 +0100
committer	GitHub <noreply@github.com>	2025-01-24 17:31:27 +0000
commit	fc1a093976a77f56533be7e4167dde364a6c7c6b (patch)
tree	53db9b957e46b952746c7c23d2cbc490ab9a677c /components/shared/net/request.rs
parent	ceebf99280d863fc0bdb027f77a03b4cc6affffa (diff)
download	servo-fc1a093976a77f56533be7e4167dde364a6c7c6b.tar.gz servo-fc1a093976a77f56533be7e4167dde364a6c7c6b.zip