Include "content-type" in cors safelisted request headers. #12915
| match value_without_parameter { | ||
| "application/x-www-form-urlencoded" | | ||
| "multipart/form-data" | | ||
| "text/plain" => Ok(true), |
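Review bot: the three match arms compare `value_without_parameter` against lowercase literals, and media type names are case-insensitive, so a value such as `Text/Plain` would fall through to whatever arm follows. Confirm the value is ASCII-lowercased and trimmed of surrounding whitespace before this `match`, or normalise it here.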
KiChjang
Aug 17, 2016
Member
I'm quite sad that all of this infrastructure isn't using the mime crate.
jeenalee
Aug 17, 2016
Author
Contributor
I didn't know about mime! Thanks for letting me know. Looks like it will be really helpful. I'll look into it.
Manishearth
Aug 18, 2016
Member
Yes. We should parse the value first, and operate on the parsed Header instance, matching on its type.
This is important because some of the other headers (e.g. Downlink) are only safe if they are parsed correctly.
Manishearth
Aug 18, 2016
Member
Actually, hyper doesn't expose clean APIs for dealing with this, so for now it's fine if you just parse as mime type and ignore the others.
Hi @Manishearth, I updated the script to use the mime crate. When you have a moment, can you review it please? Thanks!
| if self.guard.get() == Guard::RequestNoCors && !is_cors_safelisted_request_header(&valid_name) { | ||
| return Ok(()); | ||
| } | ||
| // TODO: Requires clarification from the spec. |
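Review bot: the TODO on the last line does not say what needs clarifying, so name the spec step and the open question in the comment. The guard check above it also passes only `&valid_name` to `is_cors_safelisted_request_header`, so the comment should state how a name whose safelisting depends on its value, such as content-type, is meant to be classified on this path.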
| // "DPR", "Downlink", "Save-Data", "Viewport-Width", "Width": | ||
| // once parsed, the value should not be failure. | ||
| fn is_cors_safelisted_request_content_type(value: &[u8]) -> Result<bool, Error> { | ||
| let value_string = try!(str::from_utf8(value).map_err( |
Manishearth
Aug 22, 2016
Member
The error doesn't get used in the end. What about

```rust
let value_string = if let Ok(s) = str::from_utf8(value) {
    s
} else {
    return false;
};
```

and then just return a bool
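As an added example (not code from this thread or from Servo), the following sketch shows the check the review converges on: decode the bytes, parse the media type, ignore parameters, and return a plain `bool`. It uses only the standard library rather than the `mime` crate; `essence` and `is_token` are hypothetical helpers, and the sample values are constructed.

```rust
use std::str;

// Essences the Fetch spec safelists for a "content-type" request header.
const SAFELISTED: [&str; 3] = [
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
];

// HTTP token check (RFC 7230) for the type and the subtype.
fn is_token(s: &str) -> bool {
    let extra = b"!#$%&'*+-.^_`|~";
    !s.is_empty() && s.bytes().all(|b| b.is_ascii_alphanumeric() || extra.contains(&b))
}

// Lowercased "type/subtype" with parameters dropped, or None when the
// value is not a well-formed media type (hypothetical helper).
fn essence(value: &[u8]) -> Option<String> {
    // Invalid UTF-8 is a parse failure, not an error to propagate.
    let text = str::from_utf8(value).ok()?;
    // Everything after the first ';' is parameters and is ignored.
    let head = text.split(';').next()?.trim_matches(|c: char| c == ' ' || c == '\t');
    let (ty, subty) = head.split_once('/')?;
    if is_token(ty) && is_token(subty) {
        Some(head.to_ascii_lowercase())
    } else {
        None
    }
}

// Stand-in for the function under review, returning a plain bool.
fn is_cors_safelisted_request_content_type(value: &[u8]) -> bool {
    essence(value).map_or(false, |e| SAFELISTED.iter().any(|s| *s == e))
}

fn main() {
    // Constructed sample header values.
    let samples: [&[u8]; 5] = [
        b"text/plain",
        b"Text/Plain; charset=UTF-8",
        b"application/json",
        b"text/plain, application/json", // two types in one value: rejected
        b"\xfftext/plain",               // not UTF-8: rejected
    ];
    for v in samples {
        let ok = is_cors_safelisted_request_content_type(v);
        println!("{:?} -> {}", String::from_utf8_lossy(v), ok);
    }
}
```

Parsing the type and subtype as tokens, instead of comparing a prefix of the raw string, is what keeps a value like `text/plain, application/json` from being treated as safelisted.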
r=me with those two issues fixed
This commit allows headers with "content-type" name to be classified as valid header name, depending on its value according to [the Fetch spec](https://fetch.spec.whatwg.org/#cors-safelisted-request-header). As a result of this change, more request web platform tests pass, whose expected test results are updated with this commit.
@Manishearth The two issues have been fixed. Thank you!

@bors-servo r+
Include "content-type" in cors safelisted request headers.

The changes in headers.rs will allow headers with "content-type" name to be classified as cors safelisted request headers, depending on its value according to [the Fetch spec](https://fetch.spec.whatwg.org/#cors-safelisted-request-header). As a result of this change, more request web platform tests pass, whose expected test results are updated with this commit.

There is possibly one TODO related to this PR:

- Figure out what `name/'invalid'` is in step 4 of the [Headers Delete method](https://fetch.spec.whatwg.org/#dom-headers-delete), and how to implement that.

---

- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [ ] These changes fix #__ (github issue number if applicable).
- [ ] There are tests for these changes OR
- [X] These changes do not require tests because web platform tests for the changes already exist.

This commit allows headers with "content-type" name to be classified as valid header name, depending on its value according to [the Fetch spec](https://fetch.spec.whatwg.org/#cors-safelisted-request-header). As a result of this change, more request web platform tests pass, whose expected test results are updated as well.
highfive commented Aug 22, 2016

Hmm, the

@bors-servo retry
highfive commented Aug 22, 2016

@bors-servo: retry
The version that includes "content-type" in valid header name is from [PR 12915](servo#12915).
@bors-servo: retry
jeenalee commented Aug 17, 2016

The changes in headers.rs will allow headers with "content-type" name to be classified as cors safelisted request headers, depending on its value according to the Fetch spec. As a result of this change, more request web platform tests pass, whose expected test results are updated with this commit.

There is possibly one TODO related to this PR:

- Figure out what `name/'invalid'` is in step 4 of the Headers Delete method, and how to implement that.

- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors

This commit allows headers with "content-type" name to be classified as valid header name, depending on its value according to the Fetch spec. As a result of this change, more request web platform tests pass, whose expected test results are updated as well.