Safari sends empty "Access-Control-Request-Headers" in preflight request
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 22 Mar 2017 17:18:27 +0000 (17:18 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 22 Mar 2017 17:18:27 +0000 (17:18 +0000)
https://bugs.webkit.org/show_bug.cgi?id=169851

Patch by Youenn Fablet <youenn@apple.com> on 2017-03-22
Reviewed by Chris Dumez.

LayoutTests/imported/w3c:

* web-platform-tests/fetch/api/cors/cors-preflight-expected.txt:
* web-platform-tests/fetch/api/cors/cors-preflight.js:

Source/WebCore:

Covered by updated test.

* loader/CrossOriginAccessControl.cpp:
(WebCore::createAccessControlPreflightRequest): Not adding "Access-Control-Request-Headers" to
request header if value is empty.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@214254 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-worker-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight.js
Source/WebCore/ChangeLog
Source/WebCore/loader/CrossOriginAccessControl.cpp

index 3f75bab..ce8e1d6 100644 (file)
@@ -1,5 +1,15 @@
 2017-03-22  Youenn Fablet  <youenn@apple.com>
 
+        Safari sends empty "Access-Control-Request-Headers" in preflight request
+        https://bugs.webkit.org/show_bug.cgi?id=169851
+
+        Reviewed by Chris Dumez.
+
+        * web-platform-tests/fetch/api/cors/cors-preflight-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-preflight.js:
+
+2017-03-22  Youenn Fablet  <youenn@apple.com>
+
         XMLHttpRequest: getAllResponseHeaders() should lowercase header names before sorting
         https://bugs.webkit.org/show_bug.cgi?id=169286
 
index fa38e98..a27e27b 100644 (file)
@@ -13,4 +13,5 @@ PASS CORS [GET] [several headers], server allows
 PASS CORS [GET] [several headers], server refuses 
 PASS CORS [PUT] [several headers], server allows 
 PASS CORS [PUT] [several headers], server refuses 
+PASS CORS [PUT] [only safe headers], server allows 
 
index fa38e98..a27e27b 100644 (file)
@@ -13,4 +13,5 @@ PASS CORS [GET] [several headers], server allows
 PASS CORS [GET] [several headers], server refuses 
 PASS CORS [PUT] [several headers], server allows 
 PASS CORS [PUT] [several headers], server refuses 
+PASS CORS [PUT] [only safe headers], server allows 
 
index e95a93f..55b5240 100644 (file)
@@ -99,4 +99,6 @@ corsPreflight("CORS [GET] [several headers], server refuses", corsUrl, "GET", fa
 corsPreflight("CORS [PUT] [several headers], server allows", corsUrl, "PUT", true, headers, safeHeaders);
 corsPreflight("CORS [PUT] [several headers], server refuses", corsUrl, "PUT", false, headers, safeHeaders);
 
+corsPreflight("CORS [PUT] [only safe headers], server allows", corsUrl, "PUT", true, null, safeHeaders);
+
 done();
index b6d3adc..5ff6ec2 100644 (file)
@@ -1,5 +1,18 @@
 2017-03-22  Youenn Fablet  <youenn@apple.com>
 
+        Safari sends empty "Access-Control-Request-Headers" in preflight request
+        https://bugs.webkit.org/show_bug.cgi?id=169851
+
+        Reviewed by Chris Dumez.
+
+        Covered by updated test.
+
+        * loader/CrossOriginAccessControl.cpp:
+        (WebCore::createAccessControlPreflightRequest): Not adding "Access-Control-Request-Headers" to
+        request header if value is empty.
+
+2017-03-22  Youenn Fablet  <youenn@apple.com>
+
         XMLHttpRequest: getAllResponseHeaders() should lowercase header names before sorting
         https://bugs.webkit.org/show_bug.cgi?id=169286
 
index bb15cd2..8ed24d5 100644 (file)
@@ -120,7 +120,8 @@ ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& reque
 
             headerBuffer.append(headerField);
         }
-        preflightRequest.setHTTPHeaderField(HTTPHeaderName::AccessControlRequestHeaders, headerBuffer.toString());
+        if (!headerBuffer.isEmpty())
+            preflightRequest.setHTTPHeaderField(HTTPHeaderName::AccessControlRequestHeaders, headerBuffer.toString());
     }
 
     return preflightRequest;