Bug 1607615 - Allow CORS preflights with a default of 5 seconds for expiry if Access-Control-Max-Age hasn't been sent; r=mayhemer

The default expiry value is chosen based on what Chromium uses:
https://source.chromium.org/chromium/chromium/src/+/master:services/network/public/cpp/cors/preflight_result.cc;l=27;drc=529117e5ed802c91a5cf192a72b4097d27fcb928?originalUrl=https:%2F%2Fcs.chromium.org%2F

Differential Revision: https://phabricator.services.mozilla.com/D59032

--HG--
extra : moz-landing-system : lando
Ehsan Akhgari 2020-01-14 17:13:11 +00:00
Родитель 990e94f89b
Коммит b2cfa59626
4 изменённых файлов: 54 добавлений и 23 удалений


@ -63,7 +63,7 @@ function* runTest() {
headers: { "y-my-header": "hello" },
allowHeaders: "y-my-header",
},
{ pass: 0,
{ pass: 1,
method: "GET",
headers: { "y-my-header": "hello" },
},
@ -73,6 +73,21 @@ function* runTest() {
allowHeaders: "y-my-header,x-my-header",
cacheTime: 3600,
},
{ pass: 0,
method: "GET",
headers: { "x-my-header": "myValue",
"y-my-header": "second" },
},
{ newTest: "*******" },
{ pass: 1,
method: "GET",
headers: { "y-my-header": "hello" },
allowHeaders: "y-my-header,x-my-header",
},
{ pass: 1,
method: "GET",
headers: { "y-my-header": "hello" },
},
{ pass: 1,
method: "GET",
headers: { "x-my-header": "myValue",
@ -224,7 +239,7 @@ function* runTest() {
method: "PATCH",
allowMethods: "PATCH",
},
{ pass: 0,
{ pass: 1,
method: "PATCH",
},
{ pass: 1,
@ -242,6 +257,15 @@ function* runTest() {
method: "PUT",
},
{ newTest: "*******" },
{ pass: 1,
method: "PATCH",
allowMethods: "PATCH",
cacheTime: 3600,
},
{ pass: 1,
method: "PATCH",
},
{ newTest: "*******" },
{ pass: 0,
method: "DELETE",
},
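Review bot: The entries flipped to `pass: 1` (the GET with only `y-my-header` after the preflight that allowed it, and the PATCH without `allowMethods` after the PATCH preflight) now succeed only because the previous preflight result is reused under the new 5-second default expiry, and nothing in the test records that dependency. If the harness stalls for more than 5 seconds between the two requests the follow-up will preflight again and fail, so a short comment before each such pair, e.g. `// Relies on the previous preflight being cached for the 5-second default expiry.`, would make a future flake diagnosable. The `cacheTime: 3600` entries are not affected, since they set an explicit max-age. The runTest generator and the code that consumes these entries lie outside the hunk.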


@ -50,6 +50,8 @@ using namespace mozilla;
using namespace mozilla::net;
#define PREFLIGHT_CACHE_SIZE 100
// 5 seconds is chosen to be compatible with Chromium.
#define PREFLIGHT_DEFAULT_EXPIRY_SECONDS 5
static void LogBlockedRequest(nsIRequest* aRequest, const char* aProperty,
const char16_t* aParam, uint32_t aBlockingReason,
@ -1112,27 +1114,27 @@ void nsCORSPreflightListener::AddResultToCache(nsIRequest* aRequest) {
// The "Access-Control-Max-Age" header should return an age in seconds.
nsAutoCString headerVal;
uint32_t age = 0;
Unused << http->GetResponseHeader(
NS_LITERAL_CSTRING("Access-Control-Max-Age"), headerVal);
if (headerVal.IsEmpty()) {
return;
}
// Sanitize the string. We only allow 'delta-seconds' as specified by
// http://dev.w3.org/2006/waf/access-control (digits 0-9 with no leading or
// trailing non-whitespace characters).
uint32_t age = 0;
nsACString::const_char_iterator iter, end;
headerVal.BeginReading(iter);
headerVal.EndReading(end);
while (iter != end) {
if (*iter < '0' || *iter > '9') {
return;
age = PREFLIGHT_DEFAULT_EXPIRY_SECONDS;
} else {
// Sanitize the string. We only allow 'delta-seconds' as specified by
// http://dev.w3.org/2006/waf/access-control (digits 0-9 with no leading or
// trailing non-whitespace characters).
nsACString::const_char_iterator iter, end;
headerVal.BeginReading(iter);
headerVal.EndReading(end);
while (iter != end) {
if (*iter < '0' || *iter > '9') {
return;
}
age = age * 10 + (*iter - '0');
// Cap at 24 hours. This also avoids overflow
age = std::min(age, 86400U);
++iter;
}
age = age * 10 + (*iter - '0');
// Cap at 24 hours. This also avoids overflow
age = std::min(age, 86400U);
++iter;
}
if (!age || !EnsurePreflightCache()) {
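Review bot: After this change a missing Access-Control-Max-Age yields a 5-second cache entry (`age = PREFLIGHT_DEFAULT_EXPIRY_SECONDS;` in the empty-header branch), but a header that fails the digit-only scan still hits the `return;` inside the else branch and caches nothing, so a malformed value disables caching while an absent one does not; the Fetch standard, as far as I recall, treats an unparseable max-age the same as an absent one. If parity with the spec is intended, the inner early return could become `age = PREFLIGHT_DEFAULT_EXPIRY_SECONDS; break;`; if the stricter behaviour is deliberate, a one-line comment on that `return;` saying so would stop the next reader from "fixing" it. The comment on the new macro could also name the spec rather than only Chromium, e.g. `// 5 seconds matches the Fetch standard's default max-age and what Chromium uses.`, so the value is traceable if Chromium changes. The uint32_t cap at 86400 and the `!age` check below still work with the default since 5 is non-zero. AddResultToCache begins and ends outside this hunk.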


@ -1,4 +0,0 @@
[preflight-cache.htm]
[preflight for x-print should be cached]
expected: FAIL


@ -60,6 +60,15 @@ test(function() {
},
'preflight for x-print should be cached')
test(function() {
var time = new Date().getTime()
var client = new XMLHttpRequest()
var id = did_preflight(true, client, {extra:'max_age='})
did_preflight(false, client, {extra:'max_age=', token: id})
},
'age = blank, should be cached')
test(function() {
var time = new Date().getTime()
var client = new XMLHttpRequest()