Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-08-05 13:40:08 +01:00
Code Issues Projects Releases Packages Wiki Activity

fetch: header tweaks to improve compliance with fetch spec (#33562)

Browse source 
* fetch: various header tweaks to improve compliance with fetch spec

Signed-off-by: Shane Handley <shanehandley@fastmail.com>

* fix: simplify the authorization header removal

Signed-off-by: Shane Handley <shanehandley@fastmail.com>

---------

Signed-off-by: Shane Handley <shanehandley@fastmail.com>
This commit is contained in:
shanehandley 2024-09-28 02:05:55 +10:00 committed by GitHub
parent f96a62f0ce
commit c7ef974968
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
12 changed files with 21 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

25
components/net/http_loader.rs
View file

@ -25,7 +25,8 @@ use headers::{
IfModifiedSince, LastModified, Origin as HyperOrigin, Pragma, Referer, UserAgent,
};
use http::header::{
self, HeaderValue, ACCEPT, CONTENT_ENCODING, CONTENT_LANGUAGE, CONTENT_LOCATION, CONTENT_TYPE,
self, HeaderValue, ACCEPT, AUTHORIZATION, CONTENT_ENCODING, CONTENT_LANGUAGE, CONTENT_LOCATION,
CONTENT_TYPE,
};
use http::{HeaderMap, Method, Request as HyperRequest, StatusCode};
use hyper::header::{HeaderName, TRANSFER_ENCODING};
@ -1030,15 +1031,27 @@ pub async fn http_redirect_fetch(
}
}
// Step 12
// Step 13: If requests current URLs origin is not same origin with locationURLs origin, then
// for each headerName of CORS non-wildcard request-header name, delete headerName from
// requests header list.
if location_url.origin() != request.current_url().origin() {
// This list currently only contains the AUTHORIZATION header
// https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
request.headers.remove(AUTHORIZATION);
}
// Step 14: If requests body is non-null, then set requests body to the body of the result of
// safely extracting requests bodys source.
if let Some(body) = request.body.as_mut() {
body.extract_source();
}
// Step 13
// Steps 15-17 relate to timing, which is not implemented 1:1 with the spec.
// Step 18: Append locationURL to requests URL list.
request.url_list.push(location_url);
// Step 14
// Step 19: Invoke set requests referrer policy on redirect on request and internalResponse.
if let Some(referrer_policy) = response
.actual_response()
.headers
@ -1047,9 +1060,11 @@ pub async fn http_redirect_fetch(
request.referrer_policy = Some(referrer_policy.into());
}
// Step 15
// Step 20: Let recursive be true.
// Step 21: If requests redirect mode is "manual", then...
let recursive_flag = request.redirect_mode != RedirectMode::Manual;
// Step 22: Return the result of running main fetch given fetchParams and recursive.
let fetch_response = main_fetch(
request,
cache,

2
components/shared/net/response.rs
View file

@ -267,7 +267,7 @@ impl Response {
ResponseType::Cors => {
let headers = old_headers.iter().filter(|(name, _)| {
match &*name.as_str().to_ascii_lowercase() {
"cache-control" | "content-language" | "content-type" |
"cache-control" | "content-language" | "content-length" | "content-type" |
"expires" | "last-modified" | "pragma" => true,
"set-cookie" | "set-cookie2" => false,
header => {

4
tests/wpt/meta-legacy-layout/cors/response-headers.htm.ini vendored
View file

@ -1,4 +0,0 @@
[response-headers.htm]
[getResponseHeader: Content-Length: readable by default]
expected: FAIL

9
tests/wpt/meta-legacy-layout/fetch/api/cors/cors-filtering.sub.any.js.ini vendored
View file

@ -1,9 +0,0 @@
[cors-filtering.sub.any.html]
[CORS filter on Content-Length header]
expected: FAIL
[cors-filtering.sub.any.worker.html]
[CORS filter on Content-Length header]
expected: FAIL

6
tests/wpt/meta-legacy-layout/fetch/api/credentials/authentication-redirection.any.js.ini vendored
View file

@ -1,12 +1,6 @@
[authentication-redirection.any.html]
[getAuthorizationHeaderValue - cross origin redirection]
expected: FAIL
[authentication-redirection.any.worker.html]
[getAuthorizationHeaderValue - cross origin redirection]
expected: FAIL
[authentication-redirection.any.sharedworker.html]
expected: ERROR

4
tests/wpt/meta-legacy-layout/xhr/access-control-basic-cors-safelisted-response-headers.htm.ini vendored
View file

@ -1,4 +0,0 @@
[access-control-basic-cors-safelisted-response-headers.htm]
[Response with CORS-safelisted headers]
expected: FAIL

5
tests/wpt/meta-legacy-layout/xhr/xhr-authorization-redirect.any.js.ini vendored
View file

@ -2,13 +2,8 @@
expected: ERROR
[xhr-authorization-redirect.any.html]
[getAuthorizationHeaderValue - cross origin redirection]
expected: FAIL
[xhr-authorization-redirect.any.serviceworker.html]
expected: ERROR
[xhr-authorization-redirect.any.worker.html]
[getAuthorizationHeaderValue - cross origin redirection]
expected: FAIL

4
tests/wpt/meta/cors/response-headers.htm.ini vendored
View file

@ -1,4 +0,0 @@
[response-headers.htm]
[getResponseHeader: Content-Length: readable by default]
expected: FAIL

8
tests/wpt/meta/fetch/api/cors/cors-filtering.sub.any.js.ini vendored
View file

@ -1,8 +0,0 @@
[cors-filtering.sub.any.html]
[CORS filter on Content-Length header]
expected: FAIL
[cors-filtering.sub.any.worker.html]
[CORS filter on Content-Length header]
expected: FAIL

5
tests/wpt/meta/fetch/api/credentials/authentication-redirection.any.js.ini vendored
View file

@ -2,13 +2,8 @@
expected: ERROR
[authentication-redirection.any.html]
[getAuthorizationHeaderValue - cross origin redirection]
expected: FAIL
[authentication-redirection.any.serviceworker.html]
expected: ERROR
[authentication-redirection.any.worker.html]
[getAuthorizationHeaderValue - cross origin redirection]
expected: FAIL

4
tests/wpt/meta/xhr/access-control-basic-cors-safelisted-response-headers.htm.ini vendored
View file

@ -1,4 +0,0 @@
[access-control-basic-cors-safelisted-response-headers.htm]
[Response with CORS-safelisted headers]
expected: FAIL

6
tests/wpt/meta/xhr/xhr-authorization-redirect.any.js.ini vendored
View file

@ -2,14 +2,8 @@
expected: ERROR
[xhr-authorization-redirect.any.worker.html]
[getAuthorizationHeaderValue - cross origin redirection]
expected: FAIL
[xhr-authorization-redirect.any.html]
[getAuthorizationHeaderValue - cross origin redirection]
expected: FAIL
[xhr-authorization-redirect.any.serviceworker.html]
expected: ERROR