Fix bug with empty header values in Headers objects with "request-no-…

…cors" guard https://bugs.webkit.org/show_bug.cgi?id=251936 Reviewed by Youenn Fablet. The `canWriteHeader` function in `FetchHeaders.cpp` checks whether a header name and value are valid for the guard of a Headers object. However, for the "request-no-cors" guard, this check only applies if the combined value of that header name is not the empty string. This check is not in the fetch specification, and seems to be there because such validation is skipped for the "request-no-cors" guard when deleting a header, and in the spec this validation happens as if the combined value was the empty string. However, WebKit's implementation does not currently use this method when removing headers, and as shown here, this extra condition allows setting headers when they should not be allowed. * LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-headers.any-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-headers.any.js: * LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-headers.any.serviceworker-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-headers.any.sharedworker-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-headers.any.worker-expected.txt: * Source/WebCore/Modules/fetch/FetchHeaders.cpp: (WebCore::canWriteHeader): Canonical link: https://commits.webkit.org/260066@main
WebKit · Feb 9, 2023 · 2fbadf6 · 2fbadf6
1 parent d21c1cc
commit 2fbadf6
Show file tree

Hide file tree

Showing 6 changed files with 6 additions and 1 deletion.
diff --git a/...tTests/imported/w3c/web-platform-tests/fetch/api/request/request-headers.any-expected.txt b/...tTests/imported/w3c/web-platform-tests/fetch/api/request/request-headers.any-expected.txt
@@ -48,6 +48,7 @@ PASS Adding invalid no-cors request header "proxy: KO"
 PASS Adding invalid no-cors request header "proxya: KO"
 PASS Adding invalid no-cors request header "sec: KO"
 PASS Adding invalid no-cors request header "secb: KO"
+PASS Adding invalid no-cors request header "Empty-Value: "
 PASS Check that request constructor is filtering headers provided as init parameter
 PASS Check that no-cors request constructor is filtering headers provided as init parameter
 PASS Check that no-cors request constructor is filtering headers provided as part of request parameter

diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-headers.any.js b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-headers.any.js
@@ -58,6 +58,7 @@ var invalidRequestNoCorsHeaders = [
   ["proxya", "KO"],
   ["sec", "KO"],
   ["secb", "KO"],
+  ["Empty-Value", ""],
 ];
 
 validRequestHeaders.forEach(function(header) {

diff --git a/...d/w3c/web-platform-tests/fetch/api/request/request-headers.any.serviceworker-expected.txt b/...d/w3c/web-platform-tests/fetch/api/request/request-headers.any.serviceworker-expected.txt
@@ -48,6 +48,7 @@ PASS Adding invalid no-cors request header "proxy: KO"
 PASS Adding invalid no-cors request header "proxya: KO"
 PASS Adding invalid no-cors request header "sec: KO"
 PASS Adding invalid no-cors request header "secb: KO"
+PASS Adding invalid no-cors request header "Empty-Value: "
 PASS Check that request constructor is filtering headers provided as init parameter
 PASS Check that no-cors request constructor is filtering headers provided as init parameter
 PASS Check that no-cors request constructor is filtering headers provided as part of request parameter

diff --git a/...ed/w3c/web-platform-tests/fetch/api/request/request-headers.any.sharedworker-expected.txt b/...ed/w3c/web-platform-tests/fetch/api/request/request-headers.any.sharedworker-expected.txt
@@ -48,6 +48,7 @@ PASS Adding invalid no-cors request header "proxy: KO"
 PASS Adding invalid no-cors request header "proxya: KO"
 PASS Adding invalid no-cors request header "sec: KO"
 PASS Adding invalid no-cors request header "secb: KO"
+PASS Adding invalid no-cors request header "Empty-Value: "
 PASS Check that request constructor is filtering headers provided as init parameter
 PASS Check that no-cors request constructor is filtering headers provided as init parameter
 PASS Check that no-cors request constructor is filtering headers provided as part of request parameter

diff --git a/...imported/w3c/web-platform-tests/fetch/api/request/request-headers.any.worker-expected.txt b/...imported/w3c/web-platform-tests/fetch/api/request/request-headers.any.worker-expected.txt
@@ -48,6 +48,7 @@ PASS Adding invalid no-cors request header "proxy: KO"
 PASS Adding invalid no-cors request header "proxya: KO"
 PASS Adding invalid no-cors request header "sec: KO"
 PASS Adding invalid no-cors request header "secb: KO"
+PASS Adding invalid no-cors request header "Empty-Value: "
 PASS Check that request constructor is filtering headers provided as init parameter
 PASS Check that no-cors request constructor is filtering headers provided as init parameter
 PASS Check that no-cors request constructor is filtering headers provided as part of request parameter

diff --git a/Source/WebCore/Modules/fetch/FetchHeaders.cpp b/Source/WebCore/Modules/fetch/FetchHeaders.cpp
@@ -50,7 +50,7 @@ static ExceptionOr<bool> canWriteHeader(const String& name, const String& value,
         return Exception { TypeError, "Headers object's guard is 'immutable'"_s };
     if (guard == FetchHeaders::Guard::Request && isForbiddenHeader(name, value))
         return false;
-    if (guard == FetchHeaders::Guard::RequestNoCors && !combinedValue.isEmpty() && !isSimpleHeader(name, combinedValue))
+    if (guard == FetchHeaders::Guard::RequestNoCors && !isSimpleHeader(name, combinedValue))
         return false;
     if (guard == FetchHeaders::Guard::Response && isForbiddenResponseHeaderName(name))
         return false;