Bug 1687364 - Authorization header can't be wildcarded for Access-Control-Allow-Headers r=necko-reviewers,dragana

Differential Revision: https://phabricator.services.mozilla.com/D102932
Kershaw Chang 2021-02-02 18:39:32 +00:00
Родитель efc1960325
Коммит 5c2914628b
2 изменённых файлов: 71 добавлений и 13 удалений


@ -413,6 +413,57 @@ function* runTest() {
headers: { "x-my-header": "myValue" },
allowHeaders: "x-my-header, $_%",
},
// Test cases for "Access-Control-Allow-Headers" containing "*".
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "x-my-header": "myValue" },
allowHeaders: "*",
},
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "x-my-header": "myValue",
"Authorization": "12345" },
allowHeaders: "*, Authorization",
},
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "x-my-header": "myValue",
"Authorization": "12345" },
allowHeaders: "Authorization, *",
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "x-my-header": "myValue",
"Authorization": "12345" },
allowHeaders: "*",
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "x-my-header": "myValue",
"Authorization": "12345" },
allowHeaders: "x-my-header",
},
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "*": "myValue" },
allowHeaders: "*",
withCred: 1,
allowCred: 1,
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "x-my-header": "myValue" },
allowHeaders: "*",
withCred: 1,
allowCred: 1,
},
// Other methods
{ pass: 1,
@ -640,6 +691,7 @@ function* runTest() {
uploadProgress: test.uploadProgress,
body: test.body,
responseHeaders: test.responseHeaders,
withCred: test.withCred ? test.withCred : 0,
};
if (test.pass) {
@ -658,6 +710,9 @@ function* runTest() {
if (test.noAllowPreflight)
req.url += "&noAllowPreflight";
if (test.allowCred)
req.url += "&allowCred";
if (test.pass && "headers" in test) {
function isUnsafeHeader(name) {
lName = name.toLowerCase();
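Review bot: The new wildcard cases at the top of the first hunk only list `Authorization` in its canonical capitalization, so the case-insensitive lookup the preflight listener appears to use for the explicit allow-list (the `nsCaseInsensitiveCStringArrayComparator` in the C++ change) is not exercised by this test; a case with `allowHeaders: "*, authorization"` and the same `"Authorization": "12345"` request header would pin that behaviour down. The rule these cases encode is also worth stating once above them, e.g. `// "*" in Access-Control-Allow-Headers never covers "Authorization" (it must be listed explicitly), and is only a wildcard on non-credentialed requests.` The enclosing `runTest` generator starts and ends outside the hunk.
```javascript
// … unchanged: existing "*" cases …
{ pass: 1,
  method: "POST",
  body: "hi there",
  headers: { "x-my-header": "myValue",
             "Authorization": "12345" },
  allowHeaders: "*, authorization",
},
// … unchanged: remaining cases …
```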


@ -1321,7 +1321,7 @@ nsresult nsCORSPreflightListener::CheckPreflightRequestApproved(
Unused << http->GetResponseHeader("Access-Control-Allow-Headers"_ns,
headerVal);
nsTArray<nsCString> headers;
bool allowAllHeaders = false;
bool wildcard = false;
for (const nsACString& header :
nsCCharSeparatedTokenizer(headerVal, ',').ToRange()) {
if (header.IsEmpty()) {
@ -1334,24 +1334,27 @@ nsresult nsCORSPreflightListener::CheckPreflightRequestApproved(
parentHttpChannel);
return NS_ERROR_DOM_BAD_URI;
}
if (header.EqualsLiteral("*") && !mWithCredentials) {
allowAllHeaders = true;
wildcard = true;
} else {
headers.AppendElement(header);
}
}
if (!allowAllHeaders) {
for (uint32_t i = 0; i < mPreflightHeaders.Length(); ++i) {
const auto& comparator = nsCaseInsensitiveCStringArrayComparator();
if (!headers.Contains(mPreflightHeaders[i], comparator)) {
LogBlockedRequest(
aRequest, "CORSMissingAllowHeaderFromPreflight2",
NS_ConvertUTF8toUTF16(mPreflightHeaders[i]).get(),
nsILoadInfo::BLOCKING_REASON_CORSMISSINGALLOWHEADERFROMPREFLIGHT,
parentHttpChannel);
return NS_ERROR_DOM_BAD_URI;
}
for (uint32_t i = 0; i < mPreflightHeaders.Length(); ++i) {
if (wildcard &&
!mPreflightHeaders[i].LowerCaseEqualsASCII("authorization")) {
continue;
}
const auto& comparator = nsCaseInsensitiveCStringArrayComparator();
if (!headers.Contains(mPreflightHeaders[i], comparator)) {
LogBlockedRequest(
aRequest, "CORSMissingAllowHeaderFromPreflight2",
NS_ConvertUTF8toUTF16(mPreflightHeaders[i]).get(),
nsILoadInfo::BLOCKING_REASON_CORSMISSINGALLOWHEADERFROMPREFLIGHT,
parentHttpChannel);
return NS_ERROR_DOM_BAD_URI;
}
}