Implement further CORS restrictions
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 12 Mar 2019 08:13:26 +0000 (08:13 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 12 Mar 2019 08:13:26 +0000 (08:13 +0000)
commit cf3a5ae0cd0e60726bf03aa4a618f52f2380c513
tree cf89487234df601d8715ded6dbac7bf7a4b9c939
parent 43f901cccbd037fbe035e3645611ed686a734d5d
Implement further CORS restrictions
https://bugs.webkit.org/show_bug.cgi?id=188644

Patch by Rob Buis <rbuis@igalia.com> on 2019-03-12
Reviewed by Darin Adler.

LayoutTests/imported/w3c:

Update improved test results.

* web-platform-tests/fetch/api/cors/cors-preflight-not-cors-safelisted.any-expected.txt:
* web-platform-tests/fetch/api/cors/cors-preflight-not-cors-safelisted.any.worker-expected.txt:
* web-platform-tests/fetch/api/headers/headers-no-cors.window-expected.txt:

Source/WebCore:

Verify that header value length is not greater than 128 [1]. Also implement
Step 5 of [2] to append values to existing header value when calling
Headers.append.

Tests: fetch/api/cors/cors-preflight-not-cors-safelisted.any.html
       fetch/api/cors/cors-preflight-not-cors-safelisted.any.worker.html
       fetch/api/headers/headers-no-cors.window.html

[1] https://fetch.spec.whatwg.org/#cors-safelisted-request-header
[2] https://fetch.spec.whatwg.org/#concept-headers-append

* Modules/fetch/FetchHeaders.cpp:
(WebCore::canWriteHeader):
(WebCore::appendToHeaderMap):
(WebCore::FetchHeaders::remove):
(WebCore::FetchHeaders::set):
(WebCore::FetchHeaders::filterAndFill):
* platform/network/HTTPParsers.cpp:
(WebCore::isCrossOriginSafeRequestHeader): verify that header length is not greater than 128

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242786 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-not-cors-safelisted.any-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-not-cors-safelisted.any.worker-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/headers/headers-no-cors.window-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/Modules/fetch/FetchHeaders.cpp
Source/WebCore/platform/network/HTTPParsers.cpp
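
The two rules named in the commit message above, as an added example that is not WebKit's code: a simplified JavaScript model of the Fetch spec's 128-byte value limit for CORS-safelisted request headers, and of append validating the combined value under the no-cors guard. `NoCorsHeaders`, `isCorsSafelistedRequestHeader`, the boolean return value and the sample values are constructed for illustration; the spec's per-header byte and MIME-type checks are omitted.

```javascript
// Simplified model of https://fetch.spec.whatwg.org/#cors-safelisted-request-header
// and https://fetch.spec.whatwg.org/#concept-headers-append (added example,
// not the WebKit implementation).
const SAFELISTED_NAMES = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const MAX_VALUE_BYTES = 128;

// Header values are ByteStrings, so one character counts as one byte here.
function isCorsSafelistedRequestHeader(name, value) {
  if (!SAFELISTED_NAMES.has(name.toLowerCase())) return false;
  return value.length <= MAX_VALUE_BYTES;
}

// Hypothetical stand-in for a Headers object whose guard is "request-no-cors".
class NoCorsHeaders {
  constructor() {
    this.map = new Map();
  }

  // Returns true if the value was stored, false if the call was ignored
  // (the real API returns nothing and silently drops the header).
  append(name, value) {
    const key = name.toLowerCase();
    const existing = this.map.get(key);
    // The check runs on the value as it would look after appending, so
    // several short appends cannot add up to an over-long header value.
    const combined = existing === undefined ? value : `${existing}, ${value}`;
    if (!isCorsSafelistedRequestHeader(key, combined)) return false;
    this.map.set(key, combined);
    return true;
  }

  get(name) {
    const value = this.map.get(name.toLowerCase());
    return value === undefined ? null : value;
  }
}

// Constructed sample: 60 + 2 (", ") + 66 = 128 bytes is accepted,
// one more appended value pushes the total past the limit and is ignored.
const sample = new NoCorsHeaders();
sample.append("Accept-Language", "a".repeat(60));
sample.append("Accept-Language", "b".repeat(66));
sample.append("Accept-Language", "c");
```

Checking each appended value on its own would accept all three calls in the sample; checking the combined value is what keeps the stored header within the 128-byte limit.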