diff --git a/components/shared/net/request.rs b/components/shared/net/request.rs index fff5dbc0836..a6c31c57104 100644 --- a/components/shared/net/request.rs +++ b/components/shared/net/request.rs @@ -728,10 +728,43 @@ pub fn is_cors_safelisted_request_header, V: AsRef<[u8]>>( "accept" => is_cors_safelisted_request_accept(value), "accept-language" | "content-language" => is_cors_safelisted_language(value), "content-type" => is_cors_safelisted_request_content_type(value), + "range" => is_cors_safelisted_request_range(value), _ => false, } } +pub fn is_cors_safelisted_request_range(value: &[u8]) -> bool { + if let Ok(value_str) = std::str::from_utf8(value) { + return validate_range_header(value_str); + } + false +} + +fn validate_range_header(value: &str) -> bool { + let trimmed = value.trim(); + if !trimmed.starts_with("bytes=") { + return false; + } + + if let Some(range) = trimmed.strip_prefix("bytes=") { + let mut parts = range.split('-'); + let start = parts.next(); + let end = parts.next(); + + if let Some(start) = start { + if let Ok(start_num) = start.parse::() { + return match end { + Some(e) if !e.is_empty() => e + .parse::() + .map_or(false, |end_num| start_num <= end_num), + _ => true, + }; + } + } + } + false +} + /// pub fn is_cors_safelisted_method(m: &Method) -> bool { matches!(*m, Method::GET | Method::HEAD | Method::POST) diff --git a/components/shared/net/tests/cors_safelisted_request_header.rs b/components/shared/net/tests/cors_safelisted_request_header.rs new file mode 100644 index 00000000000..21b91ad4ea2 --- /dev/null +++ b/components/shared/net/tests/cors_safelisted_request_header.rs @@ -0,0 +1,13 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + +#[test] +fn test_is_cors_safelisted_request_range() { + use net_traits::request::is_cors_safelisted_request_range; + + assert!(is_cors_safelisted_request_range(b"bytes=100-200")); + assert!(is_cors_safelisted_request_range(b"bytes=200-")); + assert!(!is_cors_safelisted_request_range(b"bytes=abc-def")); + assert!(!is_cors_safelisted_request_range(b"")); +} diff --git a/tests/wpt/meta/cors/cors-safelisted-request-header.any.js.ini b/tests/wpt/meta/cors/cors-safelisted-request-header.any.js.ini index e56f1bc1f35..144bd43677a 100644 --- a/tests/wpt/meta/cors/cors-safelisted-request-header.any.js.ini +++ b/tests/wpt/meta/cors/cors-safelisted-request-header.any.js.ini @@ -14,13 +14,6 @@ [Preflight for {"content-type":"application/x-www-form-urlencoded;"}] expected: FAIL - [No preflight for {"range":"bytes=100-200"}] - expected: FAIL - - [No preflight for {"range":"bytes=200-"}] - expected: FAIL - - [cors-safelisted-request-header.any.worker.html] [No preflight for {"content-type":"text/plain;garbage"}] expected: FAIL @@ -36,9 +29,3 @@ [Preflight for {"content-type":"application/x-www-form-urlencoded;"}] expected: FAIL - - [No preflight for {"range":"bytes=100-200"}] - expected: FAIL - - [No preflight for {"range":"bytes=200-"}] - expected: FAIL diff --git a/tests/wpt/meta/fetch/range/general.any.js.ini b/tests/wpt/meta/fetch/range/general.any.js.ini index b55af5e47e1..9fa34bfeeeb 100644 --- a/tests/wpt/meta/fetch/range/general.any.js.ini +++ b/tests/wpt/meta/fetch/range/general.any.js.ini @@ -1,14 +1,5 @@ [general.any.sharedworker.html] expected: ERROR -[general.any.html] - [Cross Origin Fetch with safe range header] - expected: FAIL - - [general.any.serviceworker.html] expected: ERROR - -[general.any.worker.html] - [Cross Origin Fetch with safe range header] - expected: FAIL