diff --git a/netwerk/protocol/http/nsCORSListenerProxy.cpp b/netwerk/protocol/http/nsCORSListenerProxy.cpp
index 30517fd8c5f9..79a72a46976d 100644
--- a/netwerk/protocol/http/nsCORSListenerProxy.cpp
+++ b/netwerk/protocol/http/nsCORSListenerProxy.cpp
@@ -1348,7 +1348,12 @@ nsresult nsCORSPreflightListener::CheckPreflightRequestApproved(
 parentHttpChannel);
 return NS_ERROR_DOM_BAD_URI;
 }
- foundMethod |= mPreflightMethod.Equals(method);
+
+ if (method.EqualsLiteral("*") && !mWithCredentials) {
+ foundMethod = true;
+ } else {
+ foundMethod |= mPreflightMethod.Equals(method);
+ }
 }
 if (!foundMethod) {
 LogBlockedRequest(aRequest, "CORSMethodNotFound", nullptr,
@@ -1363,6 +1368,7 @@ nsresult nsCORSPreflightListener::CheckPreflightRequestApproved(
 NS_LITERAL_CSTRING("Access-Control-Allow-Headers"), headerVal);
 nsTArray headers;
 nsCCharSeparatedTokenizer headerTokens(headerVal, ',');
+ bool allowAllHeaders = false;
 while (headerTokens.hasMoreTokens()) {
 const nsDependentCSubstring& header = headerTokens.nextToken();
 if (header.IsEmpty()) {
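Review bot: The `method.EqualsLiteral("*") && !mWithCredentials` branch in the `-1348,7 +1348,12` hunk has no comment saying why the credentials flag gates the wildcard, and that guard is what keeps a credentialed preflight from being approved by a blanket `*`. I would add above it `// "*" is a wildcard only for requests without credentials; with credentials it falls through and is compared as a literal method name.` The same test is repeated for Access-Control-Allow-Headers in the `-1375,17 +1381,24` hunk and deserves the same comment there. How mWithCredentials is set is not visible in this diff, and CheckPreflightRequestApproved starts and ends outside these hunks.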
@@ -1375,17 +1381,24 @@ nsresult nsCORSPreflightListener::CheckPreflightRequestApproved(
 parentHttpChannel);
 return NS_ERROR_DOM_BAD_URI;
 }
- headers.AppendElement(header);
+ if (header.EqualsLiteral("*") && !mWithCredentials) {
+ allowAllHeaders = true;
+ } else {
+ headers.AppendElement(header);
+ }
 }
- for (uint32_t i = 0; i < mPreflightHeaders.Length(); ++i) {
- const auto& comparator = nsCaseInsensitiveCStringArrayComparator();
- if (!headers.Contains(mPreflightHeaders[i], comparator)) {
- LogBlockedRequest(
- aRequest, "CORSMissingAllowHeaderFromPreflight",
- NS_ConvertUTF8toUTF16(mPreflightHeaders[i]).get(),
- nsILoadInfo::BLOCKING_REASON_CORSMISSINGALLOWHEADERFROMPREFLIGHT,
- parentHttpChannel);
- return NS_ERROR_DOM_BAD_URI;
+
+ if (!allowAllHeaders) {
+ for (uint32_t i = 0; i < mPreflightHeaders.Length(); ++i) {
+ const auto& comparator = nsCaseInsensitiveCStringArrayComparator();
+ if (!headers.Contains(mPreflightHeaders[i], comparator)) {
+ LogBlockedRequest(
+ aRequest, "CORSMissingAllowHeaderFromPreflight",
+ NS_ConvertUTF8toUTF16(mPreflightHeaders[i]).get(),
+ nsILoadInfo::BLOCKING_REASON_CORSMISSINGALLOWHEADERFROMPREFLIGHT,
+ parentHttpChannel);
+ return NS_ERROR_DOM_BAD_URI;
+ }
 }
 }
 
diff --git a/testing/web-platform/meta/fetch/api/cors/cors-preflight-star.any.js.ini b/testing/web-platform/meta/fetch/api/cors/cors-preflight-star.any.js.ini
deleted file mode 100644
index 014be6cb0220..000000000000
--- a/testing/web-platform/meta/fetch/api/cors/cors-preflight-star.any.js.ini
+++ /dev/null
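Review bot: Wrapping the whole comparison loop in `if (!allowAllHeaders)` (hunk `-1375,17 +1381,24`) means a `*` in Access-Control-Allow-Headers approves every entry of mPreflightHeaders, including `Authorization`. As I read the current Fetch standard, `Authorization` is a CORS non-wildcard request-header name that the response must list explicitly even when `*` is present. I would keep the loop unconditional and skip only wildcard-covered names, with `if (allowAllHeaders && !mPreflightHeaders[i].LowerCaseEqualsLiteral("authorization")) { continue; }` as its first statement. The test expectations removed in this commit do not appear to cover that case, and CheckPreflightRequestApproved starts and ends outside the hunk.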
@@ -1,21 +0,0 @@
-[cors-preflight-star.any.worker.html]
- [CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test)]
- expected: FAIL
-
- [CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *)]
- expected: FAIL
-
- [CORS that succeeds with credentials: true; method: PUT (allowed: put); header: (allowed: *)]
- expected: FAIL
-
-
-[cors-preflight-star.any.html]
- [CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test)]
- expected: FAIL
-
- [CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *)]
- expected: FAIL
-
- [CORS that succeeds with credentials: true; method: PUT (allowed: put); header: (allowed: *)]
- expected: FAIL
-
diff --git a/testing/web-platform/meta/service-workers/cache-storage/serviceworker/cache-match.https.html.ini b/testing/web-platform/meta/service-workers/cache-storage/serviceworker/cache-match.https.html.ini
index de662aabe9b9..9e7414d3dd03 100644
--- a/testing/web-platform/meta/service-workers/cache-storage/serviceworker/cache-match.https.html.ini
+++ b/testing/web-platform/meta/service-workers/cache-storage/serviceworker/cache-match.https.html.ini
@@ -1,7 +1,4 @@
 [cache-match.https.html]
- [cors-exposed header should be stored correctly.]
- expected: FAIL
-
 [Cache.match does not support cacheName option]
 expected: FAIL
 
diff --git a/testing/web-platform/meta/service-workers/cache-storage/window/cache-match.https.html.ini b/testing/web-platform/meta/service-workers/cache-storage/window/cache-match.https.html.ini
index de662aabe9b9..9e7414d3dd03 100644
--- a/testing/web-platform/meta/service-workers/cache-storage/window/cache-match.https.html.ini
+++ b/testing/web-platform/meta/service-workers/cache-storage/window/cache-match.https.html.ini
@@ -1,7 +1,4 @@
 [cache-match.https.html]
- [cors-exposed header should be stored correctly.]
- expected: FAIL
-
 [Cache.match does not support cacheName option]
 expected: FAIL
 
diff --git a/testing/web-platform/meta/service-workers/cache-storage/worker/cache-match.https.html.ini b/testing/web-platform/meta/service-workers/cache-storage/worker/cache-match.https.html.ini
index de662aabe9b9..9e7414d3dd03 100644
--- a/testing/web-platform/meta/service-workers/cache-storage/worker/cache-match.https.html.ini
+++ b/testing/web-platform/meta/service-workers/cache-storage/worker/cache-match.https.html.ini
@@ -1,7 +1,4 @@
 [cache-match.https.html]
- [cors-exposed header should be stored correctly.]
- expected: FAIL
-
 [Cache.match does not support cacheName option]
 expected: FAIL
 
diff --git a/testing/web-platform/meta/service-workers/service-worker/fetch-cors-exposed-header-names.https.html.ini b/testing/web-platform/meta/service-workers/service-worker/fetch-cors-exposed-header-names.https.html.ini
deleted file mode 100644
index b3cc2652a12f..000000000000
--- a/testing/web-platform/meta/service-workers/service-worker/fetch-cors-exposed-header-names.https.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[fetch-cors-exposed-header-names.https.html]
- [CORS-exposed header names for a response from sw]
- expected: FAIL
-