Bug 1460299 - Add content-length as a CORS-safelisted response header. r=valentin,baku

Reference: https://fetch.spec.whatwg.org/#cors-safelisted-response-header Differential Revision: https://phabricator.services.mozilla.com/D58492
2021-02-15 12:51:33 +00:00 · 2021-02-15 12:51:33 +00:00 · 3285e68438
--- a/dom/fetch/InternalHeaders.cpp
+++ b/dom/fetch/InternalHeaders.cpp
@ -552,6 +552,7 @@ already_AddRefed<InternalHeaders> InternalHeaders::CORSHeaders(
    } else if (entry.mName.EqualsIgnoreCase("cache-control") ||
               entry.mName.EqualsIgnoreCase("content-language") ||
               entry.mName.EqualsIgnoreCase("content-type") ||
+               entry.mName.EqualsIgnoreCase("content-length") ||
               entry.mName.EqualsIgnoreCase("expires") ||
               entry.mName.EqualsIgnoreCase("last-modified") ||
               entry.mName.EqualsIgnoreCase("pragma") ||
--- a/dom/xhr/XMLHttpRequestMainThread.cpp
+++ b/dom/xhr/XMLHttpRequestMainThread.cpp
@ -1073,9 +1073,9 @@ bool XMLHttpRequestMainThread::IsSafeHeader(
      return false;
    }
  }
-  const char* kCrossOriginSafeHeaders[] = {"cache-control", "content-language",
-                                           "content-type",  "expires",
-                                           "last-modified", "pragma"};
+  const char* kCrossOriginSafeHeaders[] = {
+      "cache-control", "content-language", "content-type", "content-length",
+      "expires",       "last-modified",    "pragma"};
  for (uint32_t i = 0; i < ArrayLength(kCrossOriginSafeHeaders); ++i) {
    if (aHeader.LowerCaseEqualsASCII(kCrossOriginSafeHeaders[i])) {
      return true;
--- a/testing/web-platform/meta/fetch/api/cors/cors-filtering.sub.any.js.ini
+++ b/testing/web-platform/meta/fetch/api/cors/cors-filtering.sub.any.js.ini
@ -1,9 +1,9 @@
 [cors-filtering.sub.any.worker.html]
  [CORS filter on Content-Length header]
-    expected: FAIL
+    expected: PASS


 [cors-filtering.sub.any.html]
  [CORS filter on Content-Length header]
-    expected: FAIL
+    expected: PASS

--- a/testing/web-platform/tests/cors/resources/cors-headers.asis
+++ b/testing/web-platform/tests/cors/resources/cors-headers.asis
@ -4,6 +4,7 @@ Access-Control-Expose-Headers: X-Custom-Header, X-Custom-Header-Empty, X-Custom-
 Access-Control-Expose-Headers: X-Second-Expose
 Access-Control-Expose-Headers: Date
 Content-Type: text/plain
+Content-Length: 4
 X-Custom-Header: test
 X-Custom-Header: test
 Set-Cookie: test1=t1;max-age=2
--- a/testing/web-platform/tests/cors/response-headers.htm
+++ b/testing/web-platform/tests/cors/response-headers.htm
@ -44,6 +44,8 @@ default_readable("Content-Language", "nn");
 default_readable("Expires", "Thu, 01 Dec 1994 16:00:00 GMT");
 default_readable("Last-Modified", "Thu, 01 Dec 1994 10:00:00 GMT");
 default_readable("Pragma", "no-cache");
+default_readable("Content-Length", "4");
+default_readable("Content-Type", "text/plain");


 function default_unreadable(head) {
--- a/testing/web-platform/tests/xhr/access-control-basic-cors-safelisted-response-headers.htm
+++ b/testing/web-platform/tests/xhr/access-control-basic-cors-safelisted-response-headers.htm
@ -18,6 +18,7 @@
      assert_not_equals(xhr.getResponseHeader("cache-control"), null);
      assert_not_equals(xhr.getResponseHeader("content-language"), null);
      assert_not_equals(xhr.getResponseHeader("content-type"), null);
+      assert_not_equals(xhr.getResponseHeader("content-length"), null);
      assert_not_equals(xhr.getResponseHeader("expires"), null);
      assert_not_equals(xhr.getResponseHeader("last-modified"), null);
      assert_not_equals(xhr.getResponseHeader("pragma"), null);