Bug 1687364 - Authorization header can't be wildcarded for Access-Control-Allow-Headers r=necko-reviewers,dragana
Differential Revision: https://phabricator.services.mozilla.com/D102932
This commit is contained in:
parent
efc1960325
commit
5c2914628b
@ -413,6 +413,57 @@ function* runTest() {
|
||||
headers: { "x-my-header": "myValue" },
|
||||
allowHeaders: "x-my-header, $_%",
|
||||
},
|
||||
// Test cases for "Access-Control-Allow-Headers" containing "*".
|
||||
{ pass: 1,
|
||||
method: "POST",
|
||||
body: "hi there",
|
||||
headers: { "x-my-header": "myValue" },
|
||||
allowHeaders: "*",
|
||||
},
|
||||
{ pass: 1,
|
||||
method: "POST",
|
||||
body: "hi there",
|
||||
headers: { "x-my-header": "myValue",
|
||||
"Authorization": "12345" },
|
||||
allowHeaders: "*, Authorization",
|
||||
},
|
||||
{ pass: 1,
|
||||
method: "POST",
|
||||
body: "hi there",
|
||||
headers: { "x-my-header": "myValue",
|
||||
"Authorization": "12345" },
|
||||
allowHeaders: "Authorization, *",
|
||||
},
|
||||
{ pass: 0,
|
||||
method: "POST",
|
||||
body: "hi there",
|
||||
headers: { "x-my-header": "myValue",
|
||||
"Authorization": "12345" },
|
||||
allowHeaders: "*",
|
||||
},
|
||||
{ pass: 0,
|
||||
method: "POST",
|
||||
body: "hi there",
|
||||
headers: { "x-my-header": "myValue",
|
||||
"Authorization": "12345" },
|
||||
allowHeaders: "x-my-header",
|
||||
},
|
||||
{ pass: 1,
|
||||
method: "POST",
|
||||
body: "hi there",
|
||||
headers: { "*": "myValue" },
|
||||
allowHeaders: "*",
|
||||
withCred: 1,
|
||||
allowCred: 1,
|
||||
},
|
||||
{ pass: 0,
|
||||
method: "POST",
|
||||
body: "hi there",
|
||||
headers: { "x-my-header": "myValue" },
|
||||
allowHeaders: "*",
|
||||
withCred: 1,
|
||||
allowCred: 1,
|
||||
},
|
||||
|
||||
// Other methods
|
||||
{ pass: 1,
|
||||
@ -640,6 +691,7 @@ function* runTest() {
|
||||
uploadProgress: test.uploadProgress,
|
||||
body: test.body,
|
||||
responseHeaders: test.responseHeaders,
|
||||
withCred: test.withCred ? test.withCred : 0,
|
||||
};
|
||||
|
||||
if (test.pass) {
|
||||
@ -658,6 +710,9 @@ function* runTest() {
|
||||
if (test.noAllowPreflight)
|
||||
req.url += "&noAllowPreflight";
|
||||
|
||||
if (test.allowCred)
|
||||
req.url += "&allowCred";
|
||||
|
||||
if (test.pass && "headers" in test) {
|
||||
function isUnsafeHeader(name) {
|
||||
lName = name.toLowerCase();
|
||||
|
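Review bot: The new Authorization cases near the top of the section only ever spell the header as `Authorization`, while the C++ side of this commit exempts it from the wildcard through a lowercase name compare, so the case-insensitive path is never exercised; add a variant such as `{ pass: 0, method: "POST", body: "hi there", headers: { "authorization": "12345" }, allowHeaders: "*" },` and its passing counterpart with `allowHeaders: "*, AUTHORIZATION"`. The credentialed case that sends a header literally named `*` and allows `*` reads like a typo without context; a comment such as `// With credentials "*" is a literal header name, not a wildcard.` above it would make the intent explicit. runTest() begins before and continues after these hunks, so the `isUnsafeHeader` helper in the third hunk is only partly visible here.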
@ -1321,7 +1321,7 @@ nsresult nsCORSPreflightListener::CheckPreflightRequestApproved(
|
||||
Unused << http->GetResponseHeader("Access-Control-Allow-Headers"_ns,
|
||||
headerVal);
|
||||
nsTArray<nsCString> headers;
|
||||
bool allowAllHeaders = false;
|
||||
bool wildcard = false;
|
||||
for (const nsACString& header :
|
||||
nsCCharSeparatedTokenizer(headerVal, ',').ToRange()) {
|
||||
if (header.IsEmpty()) {
|
||||
@ -1334,24 +1334,27 @@ nsresult nsCORSPreflightListener::CheckPreflightRequestApproved(
|
||||
parentHttpChannel);
|
||||
return NS_ERROR_DOM_BAD_URI;
|
||||
}
|
||||
|
||||
if (header.EqualsLiteral("*") && !mWithCredentials) {
|
||||
allowAllHeaders = true;
|
||||
wildcard = true;
|
||||
} else {
|
||||
headers.AppendElement(header);
|
||||
}
|
||||
}
|
||||
|
||||
if (!allowAllHeaders) {
|
||||
for (uint32_t i = 0; i < mPreflightHeaders.Length(); ++i) {
|
||||
const auto& comparator = nsCaseInsensitiveCStringArrayComparator();
|
||||
if (!headers.Contains(mPreflightHeaders[i], comparator)) {
|
||||
LogBlockedRequest(
|
||||
aRequest, "CORSMissingAllowHeaderFromPreflight2",
|
||||
NS_ConvertUTF8toUTF16(mPreflightHeaders[i]).get(),
|
||||
nsILoadInfo::BLOCKING_REASON_CORSMISSINGALLOWHEADERFROMPREFLIGHT,
|
||||
parentHttpChannel);
|
||||
return NS_ERROR_DOM_BAD_URI;
|
||||
}
|
||||
for (uint32_t i = 0; i < mPreflightHeaders.Length(); ++i) {
|
||||
if (wildcard &&
|
||||
!mPreflightHeaders[i].LowerCaseEqualsASCII("authorization")) {
|
||||
continue;
|
||||
}
|
||||
const auto& comparator = nsCaseInsensitiveCStringArrayComparator();
|
||||
if (!headers.Contains(mPreflightHeaders[i], comparator)) {
|
||||
LogBlockedRequest(
|
||||
aRequest, "CORSMissingAllowHeaderFromPreflight2",
|
||||
NS_ConvertUTF8toUTF16(mPreflightHeaders[i]).get(),
|
||||
nsILoadInfo::BLOCKING_REASON_CORSMISSINGALLOWHEADERFROMPREFLIGHT,
|
||||
parentHttpChannel);
|
||||
return NS_ERROR_DOM_BAD_URI;
|
||||
}
|
||||
}
|
||||
|
||||
|
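Review bot: The `wildcard` flag and the `authorization` exemption in the new loop carry no comment saying why that single header is excluded, which a later reader could easily mistake for a bug; above the `if (wildcard &&` line add `// Per the Fetch CORS protocol, "*" never covers Authorization; it must be listed explicitly.` and at `bool wildcard = false;` note that it is only set when the request is credential-less, because with credentials `*` is kept as a literal header name. The `const auto& comparator = nsCaseInsensitiveCStringArrayComparator();` line is loop-invariant and could be hoisted above the `for`. `LowerCaseEqualsASCII("authorization")` could presumably be `LowerCaseEqualsLiteral("authorization")` if this string type offers it, matching the `EqualsLiteral("*")` call earlier in the hunk. CheckPreflightRequestApproved begins before the hunk and the rest of its body lies outside what is shown.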