Bug 1508661 - origin header should not be set for GET and HEAD requests, r=asuth

2018-11-21 11:33:47 +01:00 · 2018-11-21 11:33:47 +01:00 · 89f6169d5f
--- a/dom/fetch/FetchDriver.cpp
+++ b/dom/fetch/FetchDriver.cpp
@ -1477,7 +1477,9 @@ FetchDriver::SetRequestHeaders(nsIHttpChannel* aChannel) const
    MOZ_ASSERT(NS_SUCCEEDED(rv));
  }

-  if (mRequest->ForceOriginHeader()) {
+  nsAutoCString method;
+  mRequest->GetMethod(method);
+  if (!method.EqualsLiteral("GET") && !method.EqualsLiteral("HEAD")) {
    nsAutoString origin;
    if (NS_SUCCEEDED(nsContentUtils::GetUTFOrigin(mPrincipal, origin))) {
      DebugOnly<nsresult> rv =
--- a/dom/fetch/InternalRequest.cpp
+++ b/dom/fetch/InternalRequest.cpp
@ -31,7 +31,6 @@ InternalRequest::GetRequestConstructorCopy(nsIGlobalObject* aGlobal, ErrorResult
  copy->SetUnsafeRequest();
  copy->mBodyStream = mBodyStream;
  copy->mBodyLength = mBodyLength;
-  copy->mForceOriginHeader = true;
  // The "client" is not stored in our implementation. Fetch API users should
  // use the appropriate window/document/principal and other Gecko security
  // mechanisms as appropriate.
@ -95,7 +94,6 @@ InternalRequest::InternalRequest(const nsACString& aURL,
  , mRedirectMode(RequestRedirect::Follow)
  , mMozErrors(false)
  , mAuthenticationFlag(false)
-  , mForceOriginHeader(false)
  , mPreserveContentCodings(false)
    // FIXME(nsm): This should be false by default, but will lead to the
    // algorithm never loading data: URLs right now. See Bug 1018872 about
@ -137,7 +135,6 @@ InternalRequest::InternalRequest(const nsACString& aURL,
  , mIntegrity(aIntegrity)
  , mMozErrors(false)
  , mAuthenticationFlag(false)
-  , mForceOriginHeader(false)
  , mPreserveContentCodings(false)
    // FIXME See the above comment in the default constructor.
  , mSameOriginDataURL(true)
@ -167,7 +164,6 @@ InternalRequest::InternalRequest(const InternalRequest& aOther)
  , mMozErrors(aOther.mMozErrors)
  , mFragment(aOther.mFragment)
  , mAuthenticationFlag(aOther.mAuthenticationFlag)
-  , mForceOriginHeader(aOther.mForceOriginHeader)
  , mPreserveContentCodings(aOther.mPreserveContentCodings)
  , mSameOriginDataURL(aOther.mSameOriginDataURL)
  , mSkipServiceWorker(aOther.mSkipServiceWorker)
--- a/dom/fetch/InternalRequest.h
+++ b/dom/fetch/InternalRequest.h
@ -450,12 +450,6 @@ public:
    return mHeaders;
  }

-  bool
-  ForceOriginHeader()
-  {
-    return mForceOriginHeader;
-  }
-
  bool
  SameOriginDataURL() const
  {
@ -650,7 +644,6 @@ private:
  bool mMozErrors;
  nsCString mFragment;
  MOZ_INIT_OUTSIDE_CTOR bool mAuthenticationFlag;
-  MOZ_INIT_OUTSIDE_CTOR bool mForceOriginHeader;
  MOZ_INIT_OUTSIDE_CTOR bool mPreserveContentCodings;
  MOZ_INIT_OUTSIDE_CTOR bool mSameOriginDataURL;
  MOZ_INIT_OUTSIDE_CTOR bool mSkipServiceWorker;
--- a/testing/web-platform/meta/cookies/samesite/fetch.html.ini
+++ b/testing/web-platform/meta/cookies/samesite/fetch.html.ini
@ -2,15 +2,9 @@
  [Untitled]
    expected: FAIL

-  [Subdomain redirecting to same-host fetches are strictly same-site]
-    expected: FAIL
-
  [Cross-site redirecting to same-host fetches are strictly same-site]
    expected: FAIL

  [Cross-site redirecting to subdomain fetches are strictly same-site]
    expected: FAIL

-  [Subdomain redirecting to cross-site fetches are cross-site]
-    expected: FAIL
-
--- a/testing/web-platform/meta/fetch/api/basic/request-headers.any.js.ini
+++ b/testing/web-platform/meta/fetch/api/basic/request-headers.any.js.ini
@ -1,21 +0,0 @@
-[request-headers.any.worker.html]
-  [Fetch with GET]
-    expected: FAIL
-
-  [Fetch with HEAD]
-    expected: FAIL
-
-  [Fetch with GET and mode "cors" does not need an Origin header]
-    expected: FAIL
-
-
-[request-headers.any.html]
-  [Fetch with GET]
-    expected: FAIL
-
-  [Fetch with HEAD]
-    expected: FAIL
-
-  [Fetch with GET and mode "cors" does not need an Origin header]
-    expected: FAIL
-
--- a/testing/web-platform/meta/fetch/api/cors/cors-cookies-redirect.any.js.ini
+++ b/testing/web-platform/meta/fetch/api/cors/cors-cookies-redirect.any.js.ini
@ -1,15 +0,0 @@
-[cors-cookies-redirect.any.worker.html]
-  [Testing credentials after cross-origin redirection with CORS and no preflight]
-    expected: FAIL
-
-  [Testing credentials after cross-origin redirection with CORS and preflight]
-    expected: FAIL
-
-
-[cors-cookies-redirect.any.html]
-  [Testing credentials after cross-origin redirection with CORS and no preflight]
-    expected: FAIL
-
-  [Testing credentials after cross-origin redirection with CORS and preflight]
-    expected: FAIL
-
--- a/testing/web-platform/meta/fetch/api/cors/cors-redirect.any.js.ini
+++ b/testing/web-platform/meta/fetch/api/cors/cors-redirect.any.js.ini
@ -1,63 +0,0 @@
-[cors-redirect.any.html]
-  [Redirect 301: cors to another cors]
-    expected: FAIL
-
-  [Redirect 301: cors to same origin]
-    expected: FAIL
-
-  [Redirect 302: cors to another cors]
-    expected: FAIL
-
-  [Redirect 302: cors to same origin]
-    expected: FAIL
-
-  [Redirect 303: cors to another cors]
-    expected: FAIL
-
-  [Redirect 303: cors to same origin]
-    expected: FAIL
-
-  [Redirect 307: cors to another cors]
-    expected: FAIL
-
-  [Redirect 307: cors to same origin]
-    expected: FAIL
-
-  [Redirect 308: cors to another cors]
-    expected: FAIL
-
-  [Redirect 308: cors to same origin]
-    expected: FAIL
-
-
-[cors-redirect.any.worker.html]
-  [Redirect 301: cors to another cors]
-    expected: FAIL
-
-  [Redirect 301: cors to same origin]
-    expected: FAIL
-
-  [Redirect 302: cors to another cors]
-    expected: FAIL
-
-  [Redirect 302: cors to same origin]
-    expected: FAIL
-
-  [Redirect 303: cors to another cors]
-    expected: FAIL
-
-  [Redirect 303: cors to same origin]
-    expected: FAIL
-
-  [Redirect 307: cors to another cors]
-    expected: FAIL
-
-  [Redirect 307: cors to same origin]
-    expected: FAIL
-
-  [Redirect 308: cors to another cors]
-    expected: FAIL
-
-  [Redirect 308: cors to same origin]
-    expected: FAIL
-
--- a/testing/web-platform/meta/fetch/api/redirect/redirect-origin.any.js.ini
+++ b/testing/web-platform/meta/fetch/api/redirect/redirect-origin.any.js.ini
@ -1,63 +0,0 @@
-[redirect-origin.any.html]
-  [Same origin to same origin redirection 301]
-    expected: FAIL
-
-  [Other origin to same origin redirection 301]
-    expected: FAIL
-
-  [Same origin to same origin redirection 302]
-    expected: FAIL
-
-  [Other origin to same origin redirection 302]
-    expected: FAIL
-
-  [Same origin to same origin redirection 303]
-    expected: FAIL
-
-  [Other origin to same origin redirection 303]
-    expected: FAIL
-
-  [Same origin to same origin redirection 307]
-    expected: FAIL
-
-  [Other origin to same origin redirection 307]
-    expected: FAIL
-
-  [Same origin to same origin redirection 308]
-    expected: FAIL
-
-  [Other origin to same origin redirection 308]
-    expected: FAIL
-
-
-[redirect-origin.any.worker.html]
-  [Same origin to same origin redirection 301]
-    expected: FAIL
-
-  [Other origin to same origin redirection 301]
-    expected: FAIL
-
-  [Same origin to same origin redirection 302]
-    expected: FAIL
-
-  [Other origin to same origin redirection 302]
-    expected: FAIL
-
-  [Same origin to same origin redirection 303]
-    expected: FAIL
-
-  [Other origin to same origin redirection 303]
-    expected: FAIL
-
-  [Same origin to same origin redirection 307]
-    expected: FAIL
-
-  [Other origin to same origin redirection 307]
-    expected: FAIL
-
-  [Same origin to same origin redirection 308]
-    expected: FAIL
-
-  [Other origin to same origin redirection 308]
-    expected: FAIL
-