Some slightly wrong Allow-Origin headers are producing load instead of error state, Servo is being lenient in ways URL-comparison is lenient

[pshaughn]

This is in WPT cors/remote-origin.htm. The client sends a simple cross-origin request encoding in an URL parameter the Allow-Origin header it wants to see from the server, and the server sends a response back with that header.

Specifically, uppercasing HTTP:, adding / to the end, or adding # to the end should make it be an error but doesn't.
These specific points of too-lenient matching suggest the possibility that it's using an URL string comparison instead of a more literal string comparison.

[pshaughn]

https://github.com/hyperium/headers/blob/c6be8bab9c9852581bccd03f89cdbe431195ca1c/src/common/origin.rs#L134 seems to be at fault here. Hyper's header code assumes an origin is shaped like an URL, calls an url parser, then gets parts out of the parsed URL, implicitly normalizing away the above-listed cases.

[pshaughn]

This seems like a definite error in Hyper, since it's doing other validation work, so I've let them know at hyperium/headers#57