-
-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Content-Type preflight safelisting gets some cases wrong. #25175
Comments
Some of this is happening inside Hyper's MIME crate but I can at least add the concept of a cors-unsafe character. |
Hey @pshaughn! Thanks for your interest in working on this issue. It's now assigned to you! |
This is going up higher than I expected; we never even get to the safelist-checker, because the net_traits requests in this test always end up in RequestMode::CorsMode by the time we construct the DOM request. I'm looking for where that happens now. |
I am mistaken: we get to a safelist checker. #25235 had me looking at the wrong one. |
I have implemented some checks for the CORS-unsafe characters, but the headers have been stored in a HeaderMap, which quietly strips out the unsafe characters on its own, so when the headers are iterated later they are not there to trigger preflight. I'll check those changes in as part of #25235 but this issue is not being solved by them. |
De-deplicate is_cors_safelisted_request_header helper functions <!-- Please describe your changes on the following line: --> Separate is_cors_safelisted_request_header implementations in script::dom::request and net::fetch::methods have been merged to a single implementation in net_traits::request, with additional logic for spec requirements that weren't previously there. This doesn't pass all the failing tests, but it doesn't fail any passing ones either and it reduces confusion about what's supposed to happen where. --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #25235 and some but not all subcases in #25175 <!-- Either: --> - [X] There are tests for these changes, in that the WPT CORS tests that did already pass still do <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->
HeaderMap also seems to have a different interpretation of what it means to insert a header than WHATWG does. When I assumed it had the same interpretation and adjusted the Servo code around it, I ended up with crashes, so I've left the part that calls HeaderMap's insert unchanged and a few tests I'd have liked to fix are failing for that reason. The way headers are normalized in the course of constructing and operating on a DOM request seems to be different in many places from how they're used in an actual http transaction, or at least from how hyper uses them. I'm not sure it makes architectural sense to use the same HeaderMap class in both places. |
De-deplicate is_cors_safelisted_request_header helper functions <!-- Please describe your changes on the following line: --> Separate is_cors_safelisted_request_header implementations in script::dom::request and net::fetch::methods have been merged to a single implementation in net_traits::request, with additional logic for spec requirements that weren't previously there. This doesn't pass all the failing tests, but it doesn't fail any passing ones either and it reduces confusion about what's supposed to happen where. --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #25235 and some but not all subcases in #25175 <!-- Either: --> - [X] There are tests for these changes, in that the WPT CORS tests that did already pass still do <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->
De-deplicate is_cors_safelisted_request_header helper functions <!-- Please describe your changes on the following line: --> Separate is_cors_safelisted_request_header implementations in script::dom::request and net::fetch::methods have been merged to a single implementation in net_traits::request, with additional logic for spec requirements that weren't previously there. This doesn't pass all the failing tests, but it doesn't fail any passing ones either and it reduces confusion about what's supposed to happen where. --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #25235 and some but not all subcases in #25175 <!-- Either: --> - [X] There are tests for these changes, in that the WPT CORS tests that did already pass still do <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->
De-deplicate is_cors_safelisted_request_header helper functions <!-- Please describe your changes on the following line: --> Separate is_cors_safelisted_request_header implementations in script::dom::request and net::fetch::methods have been merged to a single implementation in net_traits::request, with additional logic for spec requirements that weren't previously there. This doesn't pass all the failing tests, but it doesn't fail any passing ones either and it reduces confusion about what's supposed to happen where. --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #25235 and some but not all subcases in #25175 <!-- Either: --> - [X] There are tests for these changes, in that the WPT CORS tests that did already pass still do <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->
De-deplicate is_cors_safelisted_request_header helper functions <!-- Please describe your changes on the following line: --> Separate is_cors_safelisted_request_header implementations in script::dom::request and net::fetch::methods have been merged to a single implementation in net_traits::request, with additional logic for spec requirements that weren't previously there. This doesn't pass all the failing tests, but it doesn't fail any passing ones either and it reduces confusion about what's supposed to happen where. --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #25235 and some but not all subcases in #25175 <!-- Either: --> - [X] There are tests for these changes, in that the WPT CORS tests that did already pass still do <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->
De-deplicate is_cors_safelisted_request_header helper functions <!-- Please describe your changes on the following line: --> Separate is_cors_safelisted_request_header implementations in script::dom::request and net::fetch::methods have been merged to a single implementation in net_traits::request, with additional logic for spec requirements that weren't previously there. This doesn't pass all the failing tests, but it doesn't fail any passing ones either and it reduces confusion about what's supposed to happen where. --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #25235 and some but not all subcases in #25175 <!-- Either: --> - [X] There are tests for these changes, in that the WPT CORS tests that did already pass still do <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->
De-deplicate is_cors_safelisted_request_header helper functions <!-- Please describe your changes on the following line: --> Separate is_cors_safelisted_request_header implementations in script::dom::request and net::fetch::methods have been merged to a single implementation in net_traits::request, with additional logic for spec requirements that weren't previously there. This doesn't pass all the failing tests, but it doesn't fail any passing ones either and it reduces confusion about what's supposed to happen where. --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #25235 and some but not all subcases in #25175 <!-- Either: --> - [X] There are tests for these changes, in that the WPT CORS tests that did already pass still do <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->
WPT cors/cors-safelisted-request-header.any.js (seen as .any.html in test results) tests this.
Case "text/plain;garbage" appears to trigger preflighting when it shouldn't, unless it's causing some other unrelated NetworkError. This should be safelisted because it consists only of CORS-safe ASCII and it is an essence match for text/plain.
All the cases with CORS-unsafe characters appear to bypass preflighting when they should trigger it, even "text/plain;garbage\u0001\u0002".
The text was updated successfully, but these errors were encountered: