[#34767] - Range header is missing from CORS header safelist (#35138)

* implemented main feauter, created tests, and modified ini Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com> * corrected tidyness Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com> * Modified general.any.js.ini file Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com> * Removed PASSed tests from ini files Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com> --------- Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com>
2025-08-07 14:35:33 +01:00 · 2025-01-24 18:31:27 +01:00 · 2025-01-24 18:31:27 +01:00 · fc1a093976
commit fc1a093976
parent ceebf99280
4 changed files with 46 additions and 22 deletions
--- a/components/shared/net/request.rs
+++ b/components/shared/net/request.rs
@ -728,10 +728,43 @@ pub fn is_cors_safelisted_request_header<N: AsRef<str>, V: AsRef<[u8]>>(
        "accept" => is_cors_safelisted_request_accept(value),
        "accept-language" | "content-language" => is_cors_safelisted_language(value),
        "content-type" => is_cors_safelisted_request_content_type(value),
+        "range" => is_cors_safelisted_request_range(value),
        _ => false,
    }
 }

+pub fn is_cors_safelisted_request_range(value: &[u8]) -> bool {
+    if let Ok(value_str) = std::str::from_utf8(value) {
+        return validate_range_header(value_str);
+    }
+    false
+}
+
+fn validate_range_header(value: &str) -> bool {
+    let trimmed = value.trim();
+    if !trimmed.starts_with("bytes=") {
+        return false;
+    }
+
+    if let Some(range) = trimmed.strip_prefix("bytes=") {
+        let mut parts = range.split('-');
+        let start = parts.next();
+        let end = parts.next();
+
+        if let Some(start) = start {
+            if let Ok(start_num) = start.parse::<u64>() {
+                return match end {
+                    Some(e) if !e.is_empty() => e
+                        .parse::<u64>()
+                        .map_or(false, |end_num| start_num <= end_num),
+                    _ => true,
+                };
+            }
+        }
+    }
+    false
+}
+
 /// <https://fetch.spec.whatwg.org/#cors-safelisted-method>
 pub fn is_cors_safelisted_method(m: &Method) -> bool {
    matches!(*m, Method::GET | Method::HEAD | Method::POST)
--- a/components/shared/net/tests/cors_safelisted_request_header.rs
+++ b/components/shared/net/tests/cors_safelisted_request_header.rs
@ -0,0 +1,13 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#[test]
+fn test_is_cors_safelisted_request_range() {
+    use net_traits::request::is_cors_safelisted_request_range;
+
+    assert!(is_cors_safelisted_request_range(b"bytes=100-200"));
+    assert!(is_cors_safelisted_request_range(b"bytes=200-"));
+    assert!(!is_cors_safelisted_request_range(b"bytes=abc-def"));
+    assert!(!is_cors_safelisted_request_range(b""));
+}