Auto merge of #25768 - pshaughn:corsstar, r=jdm

Handle access-control header wildcards  We were checking Access-Control-Expose-Headers for wildcards inconsistently and then discarding the result; this fixes the check and its use, passing the WPT test for having a wildcard there. ---  - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #24913  - [X] There are tests for these changes OR - [ ] These changes do not require tests because ___
2025-08-06 06:00:15 +01:00 · 2020-02-14 23:16:37 -05:00 · 2020-02-14 23:16:37 -05:00 · 795dab71ff
commit 795dab71ff
parent 4c5ec9da27 739f09e199
3 changed files with 13 additions and 29 deletions
--- a/components/net/fetch/methods.rs
+++ b/components/net/fetch/methods.rs
@ -340,15 +340,16 @@ pub fn main_fetch(
                .map(|v| v.iter().collect());
            match header_names {
                // Subsubstep 2.
-                Some(ref list) if request.credentials_mode != CredentialsMode::Include => {
-                    if list.len() == 1 && list[0] == "*" {
-                        response.cors_exposed_header_name_list = response
-                            .headers
-                            .iter()
-                            .map(|(name, _)| name.as_str().to_owned())
-                            .collect();
-                    }
-                },
+                Some(ref list)
+                    if request.credentials_mode != CredentialsMode::Include &&
+                        list.iter().any(|header| header == "*") =>
+                {
+                    response.cors_exposed_header_name_list = response
+                        .headers
+                        .iter()
+                        .map(|(name, _)| name.as_str().to_owned())
+                        .collect();
+                }
                // Subsubstep 3.
                Some(list) => {
                    response.cors_exposed_header_name_list =