Bug 1309358 - P2: Add wildcard to Access-Control-Allow-Method and Access-Control-Allow-Headers r=baku,mayhemer

Differential Revision: https://phabricator.services.mozilla.com/D36990

--HG--
extra : moz-landing-system : lando

netwerk/protocol/http/nsCORSListenerProxy.cpp

@@ -1348,7 +1348,12 @@ nsresult nsCORSPreflightListener::CheckPreflightRequestApproved(
                         parentHttpChannel);
       return NS_ERROR_DOM_BAD_URI;
     }
-    foundMethod |= mPreflightMethod.Equals(method);
+
+    if (method.EqualsLiteral("*") && !mWithCredentials) {
+      foundMethod = true;
+    } else {
+      foundMethod |= mPreflightMethod.Equals(method);
+    }
   }
   if (!foundMethod) {
     LogBlockedRequest(aRequest, "CORSMethodNotFound", nullptr,
@@ -1363,6 +1368,7 @@ nsresult nsCORSPreflightListener::CheckPreflightRequestApproved(
       NS_LITERAL_CSTRING("Access-Control-Allow-Headers"), headerVal);
   nsTArray<nsCString> headers;
   nsCCharSeparatedTokenizer headerTokens(headerVal, ',');
+  bool allowAllHeaders = false;
   while (headerTokens.hasMoreTokens()) {
     const nsDependentCSubstring& header = headerTokens.nextToken();
     if (header.IsEmpty()) {
@@ -1375,17 +1381,24 @@ nsresult nsCORSPreflightListener::CheckPreflightRequestApproved(
                         parentHttpChannel);
       return NS_ERROR_DOM_BAD_URI;
     }
-    headers.AppendElement(header);
+    if (header.EqualsLiteral("*") && !mWithCredentials) {
+      allowAllHeaders = true;
+    } else {
+      headers.AppendElement(header);
+    }
   }
-  for (uint32_t i = 0; i < mPreflightHeaders.Length(); ++i) {
-    const auto& comparator = nsCaseInsensitiveCStringArrayComparator();
-    if (!headers.Contains(mPreflightHeaders[i], comparator)) {
-      LogBlockedRequest(
-          aRequest, "CORSMissingAllowHeaderFromPreflight",
-          NS_ConvertUTF8toUTF16(mPreflightHeaders[i]).get(),
-          nsILoadInfo::BLOCKING_REASON_CORSMISSINGALLOWHEADERFROMPREFLIGHT,
-          parentHttpChannel);
-      return NS_ERROR_DOM_BAD_URI;
+
+  if (!allowAllHeaders) {
+    for (uint32_t i = 0; i < mPreflightHeaders.Length(); ++i) {
+      const auto& comparator = nsCaseInsensitiveCStringArrayComparator();
+      if (!headers.Contains(mPreflightHeaders[i], comparator)) {
+        LogBlockedRequest(
+            aRequest, "CORSMissingAllowHeaderFromPreflight",
+            NS_ConvertUTF8toUTF16(mPreflightHeaders[i]).get(),
+            nsILoadInfo::BLOCKING_REASON_CORSMISSINGALLOWHEADERFROMPREFLIGHT,
+            parentHttpChannel);
+        return NS_ERROR_DOM_BAD_URI;
+      }
     }
   }
 

testing/web-platform/meta/fetch/api/cors/cors-preflight-star.any.js.ini

@@ -1,21 +0,0 @@
-[cors-preflight-star.any.worker.html]
-  [CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test)]
-    expected: FAIL
-
-  [CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *)]
-    expected: FAIL
-
-  [CORS that succeeds with credentials: true; method: PUT (allowed: put); header:  (allowed: *)]
-    expected: FAIL
-
-
-[cors-preflight-star.any.html]
-  [CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test)]
-    expected: FAIL
-
-  [CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *)]
-    expected: FAIL
-
-  [CORS that succeeds with credentials: true; method: PUT (allowed: put); header:  (allowed: *)]
-    expected: FAIL
-

testing/web-platform/meta/service-workers/cache-storage/serviceworker/cache-match.https.html.ini

@@ -1,7 +1,4 @@
 [cache-match.https.html]
-  [cors-exposed header should be stored correctly.]
-    expected: FAIL
-
   [Cache.match does not support cacheName option]
     expected: FAIL
 

testing/web-platform/meta/service-workers/cache-storage/window/cache-match.https.html.ini

@@ -1,7 +1,4 @@
 [cache-match.https.html]
-  [cors-exposed header should be stored correctly.]
-    expected: FAIL
-
   [Cache.match does not support cacheName option]
     expected: FAIL
 

testing/web-platform/meta/service-workers/cache-storage/worker/cache-match.https.html.ini

@@ -1,7 +1,4 @@
 [cache-match.https.html]
-  [cors-exposed header should be stored correctly.]
-    expected: FAIL
-
   [Cache.match does not support cacheName option]
     expected: FAIL
 

testing/web-platform/meta/service-workers/service-worker/fetch-cors-exposed-header-names.https.html.ini

@@ -1,4 +0,0 @@
-[fetch-cors-exposed-header-names.https.html]
-  [CORS-exposed header names for a response from sw]
-    expected: FAIL
-