Manually concatenate ACRH headers to not include a space (#36455)

headers library will join values with `, ` (comma space) but
Access-Control-Request-Headers specifies that it does not use the normal
combining algorithm and values should be joined with `,` (comma).

Testing: WPT tests exist
Fixes: temporary fix for #36451 until hyperium/headers#207 is fixed

---------

Signed-off-by: Sebastian C <sebsebmc@gmail.com>

Cargo.lock

@@ -4837,6 +4837,7 @@ dependencies = [
  "hyper_serde",
  "imsz",
  "ipc-channel",
+ "itertools 0.13.0",
  "log",
  "malloc_size_of_derive",
  "mime",

components/net/Cargo.toml

@@ -42,6 +42,7 @@ hyper-util = { workspace = true }
 hyper_serde = { workspace = true }
 imsz = { workspace = true }
 ipc-channel = { workspace = true }
+itertools = { workspace = true }
 log = { workspace = true }
 malloc_size_of = { workspace = true }
 malloc_size_of_derive = { workspace = true }

components/net/http_loader.rs

@@ -20,13 +20,13 @@ use futures::{TryFutureExt, TryStreamExt, future};
 use headers::authorization::Basic;
 use headers::{
     AccessControlAllowCredentials, AccessControlAllowHeaders, AccessControlAllowMethods,
-    AccessControlAllowOrigin, AccessControlMaxAge, AccessControlRequestHeaders,
+    AccessControlAllowOrigin, AccessControlMaxAge, AccessControlRequestMethod, Authorization,
-    AccessControlRequestMethod, Authorization, CacheControl, ContentLength, HeaderMapExt,
+    CacheControl, ContentLength, HeaderMapExt, IfModifiedSince, LastModified, Pragma, Referer,
-    IfModifiedSince, LastModified, Pragma, Referer, UserAgent,
+    UserAgent,
 };
 use http::header::{
-    self, ACCEPT, AUTHORIZATION, CONTENT_ENCODING, CONTENT_LANGUAGE, CONTENT_LOCATION,
+    self, ACCEPT, ACCESS_CONTROL_REQUEST_HEADERS, AUTHORIZATION, CONTENT_ENCODING,
-    CONTENT_TYPE, HeaderValue, RANGE,
+    CONTENT_LANGUAGE, CONTENT_LOCATION, CONTENT_TYPE, HeaderValue, RANGE,
 };
 use http::{HeaderMap, Method, Request as HyperRequest, StatusCode};
 use http_body_util::combinators::BoxBody;
@@ -2139,11 +2139,15 @@ async fn cors_preflight_fetch(
     // Step 4
     let headers = get_cors_unsafe_header_names(&request.headers);
 
-    // Step 5
+    // Step 5 If headers is not empty, then:
     if !headers.is_empty() {
-        preflight
+        // 5.1 Let value be the items in headers separated from each other by `,`
-            .headers
+        // TODO(36451): replace this with typed_insert when headers fixes headers#207
-            .typed_insert(AccessControlRequestHeaders::from_iter(headers));
+        preflight.headers.insert(
+            ACCESS_CONTROL_REQUEST_HEADERS,
+            HeaderValue::from_bytes(itertools::join(headers.iter(), ",").as_bytes())
+                .unwrap_or(HeaderValue::from_static("")),
+        );
     }
 
     // Step 6

tests/wpt/meta/fetch/api/cors/cors-preflight.any.js.ini

@@ -1,14 +0,0 @@
-[cors-preflight.any.html]
-  [CORS [GET\] [several headers\], server allows]
-    expected: FAIL
-
-  [CORS [PUT\] [several headers\], server allows]
-    expected: FAIL
-
-
-[cors-preflight.any.worker.html]
-  [CORS [GET\] [several headers\], server allows]
-    expected: FAIL
-
-  [CORS [PUT\] [several headers\], server allows]
-    expected: FAIL

tests/wpt/meta/xhr/access-control-preflight-request-header-sorted.htm.ini

@@ -1,3 +0,0 @@
-[access-control-preflight-request-header-sorted.htm]
-  [Tests that Access-Control-Request-Headers are sorted.]
-    expected: FAIL