Handle access-control header wildcards

servo · Feb 14, 2020 · 739f09e · 739f09e
1 parent 4f36472
commit 739f09e
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 29 deletions.
diff --git a/components/net/fetch/methods.rs b/components/net/fetch/methods.rs
@@ -340,15 +340,16 @@ pub fn main_fetch(
                 .map(|v| v.iter().collect());
             match header_names {
                 // Subsubstep 2.
-                Some(ref list) if request.credentials_mode != CredentialsMode::Include => {
-                    if list.len() == 1 && list[0] == "*" {
-                        response.cors_exposed_header_name_list = response
-                            .headers
-                            .iter()
-                            .map(|(name, _)| name.as_str().to_owned())
-                            .collect();
-                    }
-                },
+                Some(ref list)
+                    if request.credentials_mode != CredentialsMode::Include &&
+                        list.iter().any(|header| header == "*") =>
+                {
+                    response.cors_exposed_header_name_list = response
+                        .headers
+                        .iter()
+                        .map(|(name, _)| name.as_str().to_owned())
+                        .collect();
+                }
                 // Subsubstep 3.
                 Some(list) => {
                     response.cors_exposed_header_name_list =

diff --git a/components/net_traits/response.rs b/components/net_traits/response.rs
@@ -6,7 +6,7 @@
 //! resulting from a [fetch operation](https://fetch.spec.whatwg.org/#concept-fetch)
 use crate::{FetchMetadata, FilteredMetadata, Metadata, NetworkError, ReferrerPolicy};
 use crate::{ResourceFetchTiming, ResourceTimingType};
-use headers::{AccessControlExposeHeaders, ContentType, HeaderMapExt};
+use headers::{ContentType, HeaderMapExt};
 use http::{HeaderMap, StatusCode};
 use hyper_serde::Serde;
 use servo_arc::Arc;
@@ -241,6 +241,7 @@ impl Response {
         }
 
         let old_headers = old_response.headers.clone();
+        let exposed_headers = old_response.cors_exposed_header_name_list.clone();
         let mut response = old_response.clone();
         response.internal_response = Some(Box::new(old_response));
         response.response_type = filter_type;
@@ -266,10 +267,7 @@ impl Response {
                         "expires" | "last-modified" | "pragma" => true,
                         "set-cookie" | "set-cookie2" => false,
                         header => {
-                            let access = old_headers.typed_get::<AccessControlExposeHeaders>();
-                            let result = access
-                                .and_then(|v| v.iter().find(|h| *header == h.as_str().to_ascii_lowercase()));
-                            result.is_some()
+                            exposed_headers.iter().any(|h| *header == h.as_str().to_ascii_lowercase())
                         }
                     }
                 }).map(|(n, v)| (n.clone(), v.clone())).collect();

diff --git a/tests/wpt/metadata/fetch/api/cors/cors-expose-star.sub.any.js.ini b/tests/wpt/metadata/fetch/api/cors/cors-expose-star.sub.any.js.ini