Bug 1607615 - Allow CORS preflights with a default of 5 seconds for expiry if Access-Control-Max-Age hasn't been sent; r=mayhemer

The default expiry value is chosen based on what Chromium uses: https://source.chromium.org/chromium/chromium/src/+/master:services/network/public/cpp/cors/preflight_result.cc;l=27;drc=529117e5ed802c91a5cf192a72b4097d27fcb928?originalUrl=https:%2F%2Fcs.chromium.org%2F Differential Revision: https://phabricator.services.mozilla.com/D59032 --HG-- extra : moz-landing-system : lando
2020-01-14 17:13:11 +00:00 · 2020-01-14 17:13:11 +00:00 · b2cfa59626
--- a/dom/security/test/cors/test_CrossSiteXHR_cache.html
+++ b/dom/security/test/cors/test_CrossSiteXHR_cache.html
@ -63,7 +63,7 @@ function* runTest() {
             headers: { "y-my-header": "hello" },
             allowHeaders: "y-my-header",
           },
-           { pass: 0,
+           { pass: 1,
             method: "GET",
             headers: { "y-my-header": "hello" },
           },
@ -73,6 +73,21 @@ function* runTest() {
             allowHeaders: "y-my-header,x-my-header",
             cacheTime: 3600,
           },
+           { pass: 0,
+             method: "GET",
+             headers: { "x-my-header": "myValue",
+                        "y-my-header": "second" },
+           },
+           { newTest: "*******" },
+           { pass: 1,
+             method: "GET",
+             headers: { "y-my-header": "hello" },
+             allowHeaders: "y-my-header,x-my-header",
+           },
+           { pass: 1,
+             method: "GET",
+             headers: { "y-my-header": "hello" },
+           },
           { pass: 1,
             method: "GET",
             headers: { "x-my-header": "myValue",
@ -224,7 +239,7 @@ function* runTest() {
             method: "PATCH",
             allowMethods: "PATCH",
           },
-           { pass: 0,
+           { pass: 1,
             method: "PATCH",
           },
           { pass: 1,
@ -242,6 +257,15 @@ function* runTest() {
             method: "PUT",
           },
           { newTest: "*******" },
+           { pass: 1,
+             method: "PATCH",
+             allowMethods: "PATCH",
+             cacheTime: 3600,
+           },
+           { pass: 1,
+             method: "PATCH",
+           },
+           { newTest: "*******" },
           { pass: 0,
             method: "DELETE",
           },
--- a/netwerk/protocol/http/nsCORSListenerProxy.cpp
+++ b/netwerk/protocol/http/nsCORSListenerProxy.cpp
@ -50,6 +50,8 @@ using namespace mozilla;
 using namespace mozilla::net;

 #define PREFLIGHT_CACHE_SIZE 100
+// 5 seconds is chosen to be compatible with Chromium.
+#define PREFLIGHT_DEFAULT_EXPIRY_SECONDS 5

 static void LogBlockedRequest(nsIRequest* aRequest, const char* aProperty,
                              const char16_t* aParam, uint32_t aBlockingReason,
@ -1112,27 +1114,27 @@ void nsCORSPreflightListener::AddResultToCache(nsIRequest* aRequest) {

  // The "Access-Control-Max-Age" header should return an age in seconds.
  nsAutoCString headerVal;
+  uint32_t age = 0;
  Unused << http->GetResponseHeader(
      NS_LITERAL_CSTRING("Access-Control-Max-Age"), headerVal);
  if (headerVal.IsEmpty()) {
-    return;
-  }
-
-  // Sanitize the string. We only allow 'delta-seconds' as specified by
-  // http://dev.w3.org/2006/waf/access-control (digits 0-9 with no leading or
-  // trailing non-whitespace characters).
-  uint32_t age = 0;
-  nsACString::const_char_iterator iter, end;
-  headerVal.BeginReading(iter);
-  headerVal.EndReading(end);
-  while (iter != end) {
-    if (*iter < '0' || *iter > '9') {
-      return;
+    age = PREFLIGHT_DEFAULT_EXPIRY_SECONDS;
+  } else {
+    // Sanitize the string. We only allow 'delta-seconds' as specified by
+    // http://dev.w3.org/2006/waf/access-control (digits 0-9 with no leading or
+    // trailing non-whitespace characters).
+    nsACString::const_char_iterator iter, end;
+    headerVal.BeginReading(iter);
+    headerVal.EndReading(end);
+    while (iter != end) {
+      if (*iter < '0' || *iter > '9') {
+        return;
+      }
+      age = age * 10 + (*iter - '0');
+      // Cap at 24 hours. This also avoids overflow
+      age = std::min(age, 86400U);
+      ++iter;
    }
-    age = age * 10 + (*iter - '0');
-    // Cap at 24 hours. This also avoids overflow
-    age = std::min(age, 86400U);
-    ++iter;
  }

  if (!age || !EnsurePreflightCache()) {
--- a/testing/web-platform/meta/cors/preflight-cache.htm.ini
+++ b/testing/web-platform/meta/cors/preflight-cache.htm.ini
@ -1,4 +0,0 @@
-[preflight-cache.htm]
-  [preflight for x-print should be cached]
-    expected: FAIL
-
--- a/testing/web-platform/tests/cors/preflight-cache.htm
+++ b/testing/web-platform/tests/cors/preflight-cache.htm
@ -60,6 +60,15 @@ test(function() {
 },
 'preflight for x-print should be cached')

+test(function() {
+    var time = new Date().getTime()
+    var client = new XMLHttpRequest()
+
+    var id = did_preflight(true, client, {extra:'max_age='})
+    did_preflight(false, client, {extra:'max_age=', token: id})
+},
+'age = blank, should be cached')
+
 test(function() {
    var time = new Date().getTime()
    var client = new XMLHttpRequest()