From c7ef974968c32d58e6fdd3213965c0f88ee6e4a5 Mon Sep 17 00:00:00 2001 From: shanehandley <1322294+shanehandley@users.noreply.github.com> Date: Sat, 28 Sep 2024 02:05:55 +1000 Subject: [PATCH] fetch: header tweaks to improve compliance with fetch spec (#33562) * fetch: various header tweaks to improve compliance with fetch spec Signed-off-by: Shane Handley * fix: simplify the authorization header removal Signed-off-by: Shane Handley --------- Signed-off-by: Shane Handley --- components/net/http_loader.rs | 25 +++++++++++++++---- components/shared/net/response.rs | 2 +- .../cors/response-headers.htm.ini | 4 --- .../api/cors/cors-filtering.sub.any.js.ini | 9 ------- .../authentication-redirection.any.js.ini | 6 ----- ...c-cors-safelisted-response-headers.htm.ini | 4 --- .../xhr/xhr-authorization-redirect.any.js.ini | 5 ---- tests/wpt/meta/cors/response-headers.htm.ini | 4 --- .../api/cors/cors-filtering.sub.any.js.ini | 8 ------ .../authentication-redirection.any.js.ini | 5 ---- ...c-cors-safelisted-response-headers.htm.ini | 4 --- .../xhr/xhr-authorization-redirect.any.js.ini | 6 ----- 12 files changed, 21 insertions(+), 61 deletions(-) delete mode 100644 tests/wpt/meta-legacy-layout/cors/response-headers.htm.ini delete mode 100644 tests/wpt/meta-legacy-layout/fetch/api/cors/cors-filtering.sub.any.js.ini delete mode 100644 tests/wpt/meta-legacy-layout/xhr/access-control-basic-cors-safelisted-response-headers.htm.ini delete mode 100644 tests/wpt/meta/cors/response-headers.htm.ini delete mode 100644 tests/wpt/meta/fetch/api/cors/cors-filtering.sub.any.js.ini delete mode 100644 tests/wpt/meta/xhr/access-control-basic-cors-safelisted-response-headers.htm.ini
diff --git a/components/net/http_loader.rs b/components/net/http_loader.rs
index f7a6f948855..c506d7535bb 100644
--- a/components/net/http_loader.rs
+++ b/components/net/http_loader.rs
@@ -25,7 +25,8 @@ use headers::{
     IfModifiedSince, LastModified, Origin as HyperOrigin, Pragma, Referer, UserAgent,
 };
 use http::header::{
-    self, HeaderValue, ACCEPT, CONTENT_ENCODING, CONTENT_LANGUAGE, CONTENT_LOCATION, CONTENT_TYPE,
+    self, HeaderValue, ACCEPT, AUTHORIZATION, CONTENT_ENCODING, CONTENT_LANGUAGE, CONTENT_LOCATION,
+    CONTENT_TYPE,
 };
 use http::{HeaderMap, Method, Request as HyperRequest, StatusCode};
 use hyper::header::{HeaderName, TRANSFER_ENCODING};
@@ -1030,15 +1031,27 @@ pub async fn http_redirect_fetch(
         }
     }
 
-    // Step 12
+    // Step 13: If request’s current URL’s origin is not same origin with locationURL’s origin, then
+    // for each headerName of CORS non-wildcard request-header name, delete headerName from
+    // request’s header list.
+    if location_url.origin() != request.current_url().origin() {
+        // This list currently only contains the AUTHORIZATION header
+        // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
+        request.headers.remove(AUTHORIZATION);
+    }
+
+    // Step 14: If request’s body is non-null, then set request’s body to the body of the result of
+    // safely extracting request’s body’s source.
     if let Some(body) = request.body.as_mut() {
         body.extract_source();
     }
 
-    // Step 13
+    // Steps 15-17 relate to timing, which is not implemented 1:1 with the spec.
+
+    // Step 18: Append locationURL to request’s URL list.
     request.url_list.push(location_url);
 
-    // Step 14
+    // Step 19: Invoke set request’s referrer policy on redirect on request and internalResponse.
     if let Some(referrer_policy) = response
         .actual_response()
         .headers
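Review bot: The `location_url.origin() != request.current_url().origin()` check in the Step 13 block only strips the right request because it runs before `request.url_list.push(location_url)` at Step 18 further down the hunk; if `current_url()` is derived from `url_list`, as it appears to be, moving the strip below Step 18 would compare locationURL with itself and the Authorization header would survive every cross-origin redirect. A one-line comment would protect that ordering: `// Must stay ahead of Step 18: once locationURL is appended, current_url() is locationURL itself.` It is also worth noting in the same comment that, if `url::Origin` is in use here, opaque origins never compare equal, so a redirect to or from an opaque origin always drops the header, which is the conservative outcome. http_redirect_fetch begins and ends outside this hunk.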
@@ -1047,9 +1060,11 @@ pub async fn http_redirect_fetch(
         request.referrer_policy = Some(referrer_policy.into());
     }
 
-    // Step 15
+    // Step 20: Let recursive be true.
+    // Step 21: If request’s redirect mode is "manual", then...
     let recursive_flag = request.redirect_mode != RedirectMode::Manual;
 
+    // Step 22: Return the result of running main fetch given fetchParams and recursive.
     let fetch_response = main_fetch(
         request,
         cache,
diff --git a/components/shared/net/response.rs b/components/shared/net/response.rs
index 338cc002ac7..c4b009db72a 100644
--- a/components/shared/net/response.rs
+++ b/components/shared/net/response.rs
@@ -267,7 +267,7 @@ impl Response {
             ResponseType::Cors => {
                 let headers = old_headers.iter().filter(|(name, _)| {
                     match &*name.as_str().to_ascii_lowercase() {
-                        "cache-control" | "content-language" | "content-type" |
+                        "cache-control" | "content-language" | "content-length" | "content-type" |
                         "expires" | "last-modified" | "pragma" => true,
                         "set-cookie" | "set-cookie2" => false,
                         header => {
diff --git a/tests/wpt/meta-legacy-layout/cors/response-headers.htm.ini b/tests/wpt/meta-legacy-layout/cors/response-headers.htm.ini
deleted file mode 100644
index 942552376c5..00000000000
--- a/tests/wpt/meta-legacy-layout/cors/response-headers.htm.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[response-headers.htm]
-  [getResponseHeader: Content-Length: readable by default]
-    expected: FAIL
-
diff --git a/tests/wpt/meta-legacy-layout/fetch/api/cors/cors-filtering.sub.any.js.ini b/tests/wpt/meta-legacy-layout/fetch/api/cors/cors-filtering.sub.any.js.ini
deleted file mode 100644
index 3e32abdf561..00000000000
--- a/tests/wpt/meta-legacy-layout/fetch/api/cors/cors-filtering.sub.any.js.ini
+++ /dev/null
@@ -1,9 +0,0 @@
-[cors-filtering.sub.any.html]
-  [CORS filter on Content-Length header]
-    expected: FAIL
-
-
-[cors-filtering.sub.any.worker.html]
-  [CORS filter on Content-Length header]
-    expected: FAIL
-
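Review bot: The new `// Step 21: If request’s redirect mode is "manual", then...` comment stops mid-sentence, so a reader still has to open the spec to see what `recursive_flag` encodes; completing it as `// Step 21: If request’s redirect mode is "manual", then set recursive to false.` makes the `!= RedirectMode::Manual` expression on the next line self-explanatory. http_redirect_fetch continues outside this hunk on both sides.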
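Review bot: The arm now carries the full CORS-safelisted response-header list, but it is a bare run of string literals with nothing saying where the list comes from; a comment such as `// CORS-safelisted response-header names: https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name` above the `match` would let the next maintainer check it against the spec rather than against memory, and also record that the `set-cookie` arm is the deliberate exclusion. The scrutinee `&*name.as_str().to_ascii_lowercase()` allocates a String per header on every filtered response; if `name` is an `http::HeaderName`, its `as_str()` is documented to always be lowercase, so `match name.as_str() {` should be equivalent and allocation-free — worth confirming against the type `old_headers` actually yields. The enclosing function starts and ends outside this hunk.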
diff --git a/tests/wpt/meta-legacy-layout/fetch/api/credentials/authentication-redirection.any.js.ini b/tests/wpt/meta-legacy-layout/fetch/api/credentials/authentication-redirection.any.js.ini
index 865b6fca3c2..63538bbb0c7 100644
--- a/tests/wpt/meta-legacy-layout/fetch/api/credentials/authentication-redirection.any.js.ini
+++ b/tests/wpt/meta-legacy-layout/fetch/api/credentials/authentication-redirection.any.js.ini
@@ -1,12 +1,6 @@
 [authentication-redirection.any.html]
-  [getAuthorizationHeaderValue - cross origin redirection]
-    expected: FAIL
-
 [authentication-redirection.any.worker.html]
-  [getAuthorizationHeaderValue - cross origin redirection]
-    expected: FAIL
-
 [authentication-redirection.any.sharedworker.html]
   expected: ERROR
diff --git a/tests/wpt/meta-legacy-layout/xhr/access-control-basic-cors-safelisted-response-headers.htm.ini b/tests/wpt/meta-legacy-layout/xhr/access-control-basic-cors-safelisted-response-headers.htm.ini
deleted file mode 100644
index 97fee88f01f..00000000000
--- a/tests/wpt/meta-legacy-layout/xhr/access-control-basic-cors-safelisted-response-headers.htm.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[access-control-basic-cors-safelisted-response-headers.htm]
-  [Response with CORS-safelisted headers]
-    expected: FAIL
-
diff --git a/tests/wpt/meta-legacy-layout/xhr/xhr-authorization-redirect.any.js.ini b/tests/wpt/meta-legacy-layout/xhr/xhr-authorization-redirect.any.js.ini
index 4cc90cea5c9..94bed053cea 100644
--- a/tests/wpt/meta-legacy-layout/xhr/xhr-authorization-redirect.any.js.ini
+++ b/tests/wpt/meta-legacy-layout/xhr/xhr-authorization-redirect.any.js.ini
@@ -2,13 +2,8 @@
   expected: ERROR
 [xhr-authorization-redirect.any.html]
-  [getAuthorizationHeaderValue - cross origin redirection]
-    expected: FAIL
-
 [xhr-authorization-redirect.any.serviceworker.html]
   expected: ERROR
 [xhr-authorization-redirect.any.worker.html]
-  [getAuthorizationHeaderValue - cross origin redirection]
-    expected: FAIL
diff --git a/tests/wpt/meta/cors/response-headers.htm.ini b/tests/wpt/meta/cors/response-headers.htm.ini
deleted file mode 100644
index 942552376c5..00000000000
--- a/tests/wpt/meta/cors/response-headers.htm.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[response-headers.htm]
-  [getResponseHeader: Content-Length: readable by default]
-    expected: FAIL
-
diff --git a/tests/wpt/meta/fetch/api/cors/cors-filtering.sub.any.js.ini b/tests/wpt/meta/fetch/api/cors/cors-filtering.sub.any.js.ini
deleted file mode 100644
index 31e53560869..00000000000
--- a/tests/wpt/meta/fetch/api/cors/cors-filtering.sub.any.js.ini
+++ /dev/null
@@ -1,8 +0,0 @@
-[cors-filtering.sub.any.html]
-  [CORS filter on Content-Length header]
-    expected: FAIL
-
-
-[cors-filtering.sub.any.worker.html]
-  [CORS filter on Content-Length header]
-    expected: FAIL
diff --git a/tests/wpt/meta/fetch/api/credentials/authentication-redirection.any.js.ini b/tests/wpt/meta/fetch/api/credentials/authentication-redirection.any.js.ini
index 78c2307ac29..356946aa7f2 100644
--- a/tests/wpt/meta/fetch/api/credentials/authentication-redirection.any.js.ini
+++ b/tests/wpt/meta/fetch/api/credentials/authentication-redirection.any.js.ini
@@ -2,13 +2,8 @@
   expected: ERROR
 [authentication-redirection.any.html]
-  [getAuthorizationHeaderValue - cross origin redirection]
-    expected: FAIL
-
 [authentication-redirection.any.serviceworker.html]
   expected: ERROR
 [authentication-redirection.any.worker.html]
-  [getAuthorizationHeaderValue - cross origin redirection]
-    expected: FAIL
diff --git a/tests/wpt/meta/xhr/access-control-basic-cors-safelisted-response-headers.htm.ini b/tests/wpt/meta/xhr/access-control-basic-cors-safelisted-response-headers.htm.ini
deleted file mode 100644
index 97fee88f01f..00000000000
--- a/tests/wpt/meta/xhr/access-control-basic-cors-safelisted-response-headers.htm.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[access-control-basic-cors-safelisted-response-headers.htm]
-  [Response with CORS-safelisted headers]
-    expected: FAIL
-
diff --git a/tests/wpt/meta/xhr/xhr-authorization-redirect.any.js.ini b/tests/wpt/meta/xhr/xhr-authorization-redirect.any.js.ini
index 2554e2910bc..5a10a5d2c81 100644
--- a/tests/wpt/meta/xhr/xhr-authorization-redirect.any.js.ini
+++ b/tests/wpt/meta/xhr/xhr-authorization-redirect.any.js.ini
@@ -2,14 +2,8 @@
   expected: ERROR
 [xhr-authorization-redirect.any.worker.html]
-  [getAuthorizationHeaderValue - cross origin redirection]
-    expected: FAIL
-
 [xhr-authorization-redirect.any.html]
-  [getAuthorizationHeaderValue - cross origin redirection]
-    expected: FAIL
-
 [xhr-authorization-redirect.any.serviceworker.html]
   expected: ERROR