Handle access-control header wildcards

2025-07-22 23:03:42 +01:00 · 2020-02-14 13:13:22 -05:00 · 2020-02-14 13:13:22 -05:00 · 739f09e199
commit 739f09e199
parent 4f36472b6f
3 changed files with 13 additions and 29 deletions
--- a/components/net/fetch/methods.rs
+++ b/components/net/fetch/methods.rs
@ -340,15 +340,16 @@ pub fn main_fetch(
                .map(|v| v.iter().collect());
            match header_names {
                // Subsubstep 2.
-                Some(ref list) if request.credentials_mode != CredentialsMode::Include => {
-                    if list.len() == 1 && list[0] == "*" {
-                        response.cors_exposed_header_name_list = response
-                            .headers
-                            .iter()
-                            .map(|(name, _)| name.as_str().to_owned())
-                            .collect();
-                    }
-                },
+                Some(ref list)
+                    if request.credentials_mode != CredentialsMode::Include &&
+                        list.iter().any(|header| header == "*") =>
+                {
+                    response.cors_exposed_header_name_list = response
+                        .headers
+                        .iter()
+                        .map(|(name, _)| name.as_str().to_owned())
+                        .collect();
+                }
                // Subsubstep 3.
                Some(list) => {
                    response.cors_exposed_header_name_list =
--- a/components/net_traits/response.rs
+++ b/components/net_traits/response.rs
@ -6,7 +6,7 @@
 //! resulting from a [fetch operation](https://fetch.spec.whatwg.org/#concept-fetch)
 use crate::{FetchMetadata, FilteredMetadata, Metadata, NetworkError, ReferrerPolicy};
 use crate::{ResourceFetchTiming, ResourceTimingType};
-use headers::{AccessControlExposeHeaders, ContentType, HeaderMapExt};
+use headers::{ContentType, HeaderMapExt};
 use http::{HeaderMap, StatusCode};
 use hyper_serde::Serde;
 use servo_arc::Arc;
@ -241,6 +241,7 @@ impl Response {
        }

        let old_headers = old_response.headers.clone();
+        let exposed_headers = old_response.cors_exposed_header_name_list.clone();
        let mut response = old_response.clone();
        response.internal_response = Some(Box::new(old_response));
        response.response_type = filter_type;
@ -266,10 +267,7 @@ impl Response {
                        "expires" | "last-modified" | "pragma" => true,
                        "set-cookie" | "set-cookie2" => false,
                        header => {
-                            let access = old_headers.typed_get::<AccessControlExposeHeaders>();
-                            let result = access
-                                .and_then(|v| v.iter().find(|h| *header == h.as_str().to_ascii_lowercase()));
-                            result.is_some()
+                            exposed_headers.iter().any(|h| *header == h.as_str().to_ascii_lowercase())
                        }
                    }
                }).map(|(n, v)| (n.clone(), v.clone())).collect();
--- a/tests/wpt/metadata/fetch/api/cors/cors-expose-star.sub.any.js.ini
+++ b/tests/wpt/metadata/fetch/api/cors/cors-expose-star.sub.any.js.ini
@ -1,15 +0,0 @@
-[cors-expose-star.sub.any.html]
-  [Basic Access-Control-Expose-Headers: * support]
-    expected: FAIL
-
-  [* can be one of several values]
-    expected: FAIL
-
-
-[cors-expose-star.sub.any.worker.html]
-  [Basic Access-Control-Expose-Headers: * support]
-    expected: FAIL
-
-  [* can be one of several values]
-    expected: FAIL
-