[#34767] - Range header is missing from CORS header safelist (#35138)

* implemented main feauter, created tests, and modified ini

Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com>

* corrected tidyness

Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com>

* Modified general.any.js.ini file

Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com>

* Removed PASSed tests from ini files

Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com>

---------

Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com>

components/shared/net/request.rs

@@ -728,10 +728,43 @@ pub fn is_cors_safelisted_request_header<N: AsRef<str>, V: AsRef<[u8]>>(
         "accept" => is_cors_safelisted_request_accept(value),
         "accept-language" | "content-language" => is_cors_safelisted_language(value),
         "content-type" => is_cors_safelisted_request_content_type(value),
+        "range" => is_cors_safelisted_request_range(value),
         _ => false,
     }
 }
 
+pub fn is_cors_safelisted_request_range(value: &[u8]) -> bool {
+    if let Ok(value_str) = std::str::from_utf8(value) {
+        return validate_range_header(value_str);
+    }
+    false
+}
+
+fn validate_range_header(value: &str) -> bool {
+    let trimmed = value.trim();
+    if !trimmed.starts_with("bytes=") {
+        return false;
+    }
+
+    if let Some(range) = trimmed.strip_prefix("bytes=") {
+        let mut parts = range.split('-');
+        let start = parts.next();
+        let end = parts.next();
+
+        if let Some(start) = start {
+            if let Ok(start_num) = start.parse::<u64>() {
+                return match end {
+                    Some(e) if !e.is_empty() => e
+                        .parse::<u64>()
+                        .map_or(false, |end_num| start_num <= end_num),
+                    _ => true,
+                };
+            }
+        }
+    }
+    false
+}
+
 /// <https://fetch.spec.whatwg.org/#cors-safelisted-method>
 pub fn is_cors_safelisted_method(m: &Method) -> bool {
     matches!(*m, Method::GET | Method::HEAD | Method::POST)

components/shared/net/tests/cors_safelisted_request_header.rs

@@ -0,0 +1,13 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#[test]
+fn test_is_cors_safelisted_request_range() {
+    use net_traits::request::is_cors_safelisted_request_range;
+
+    assert!(is_cors_safelisted_request_range(b"bytes=100-200"));
+    assert!(is_cors_safelisted_request_range(b"bytes=200-"));
+    assert!(!is_cors_safelisted_request_range(b"bytes=abc-def"));
+    assert!(!is_cors_safelisted_request_range(b""));
+}

tests/wpt/meta/cors/cors-safelisted-request-header.any.js.ini

@@ -14,13 +14,6 @@
   [Preflight for {"content-type":"application/x-www-form-urlencoded;"}]
     expected: FAIL
 
-  [No preflight for {"range":"bytes=100-200"}]
-    expected: FAIL
-
-  [No preflight for {"range":"bytes=200-"}]
-    expected: FAIL
-
-
 [cors-safelisted-request-header.any.worker.html]
   [No preflight for {"content-type":"text/plain;garbage"}]
     expected: FAIL
@@ -36,9 +29,3 @@
 
   [Preflight for {"content-type":"application/x-www-form-urlencoded;"}]
     expected: FAIL
-
-  [No preflight for {"range":"bytes=100-200"}]
-    expected: FAIL
-
-  [No preflight for {"range":"bytes=200-"}]
-    expected: FAIL

tests/wpt/meta/fetch/range/general.any.js.ini

@@ -1,14 +1,5 @@
 [general.any.sharedworker.html]
   expected: ERROR
 
-[general.any.html]
-  [Cross Origin Fetch with safe range header]
-    expected: FAIL
-
-
 [general.any.serviceworker.html]
   expected: ERROR
-
-[general.any.worker.html]
-  [Cross Origin Fetch with safe range header]
-    expected: FAIL