authorMoonchild <moonchild@palemoon.org>2022-11-06 13:22:44 +0000
committerMoonchild <moonchild@palemoon.org>2022-11-06 13:22:44 +0000
commit1c04b522d3cca7c5097f260159bd0cad7d55ccd8 (patch)
treed1c59ca1627cdff7aeb718e09bc29f62a6ec8fc9 /netwerk
parent84d3226fb1dba87cfa7e16a0277628b407cf683d (diff)
Issue #2024 - Part 2: Add wildcard to Access-Control-Allow-{Method|Headers}
For requests without credentials, treat a wildcard ("*") in Access-Control-Allow-Headers and Access-Control-Allow-Methods as matching any header or method. Resolves #2024
Diffstat (limited to 'netwerk')
-rw-r--r--netwerk/protocol/http/nsCORSListenerProxy.cpp33
1 files changed, 23 insertions, 10 deletions
diff --git a/netwerk/protocol/http/nsCORSListenerProxy.cpp b/netwerk/protocol/http/nsCORSListenerProxy.cpp
index c897297ce7..499c03094b 100644
--- a/netwerk/protocol/http/nsCORSListenerProxy.cpp
+++ b/netwerk/protocol/http/nsCORSListenerProxy.cpp
@@ -1169,7 +1169,8 @@ nsCORSPreflightListener::AddResultToCache(nsIRequest *aRequest)
}
uint32_t i;
for (i = 0; i < entry->mMethods.Length(); ++i) {
- if (entry->mMethods[i].token.Equals(method)) {
+ if ((entry->mMethods[i].token.EqualsLiteral("*") && !mWithCredentials) ||
+ entry->mMethods[i].token.Equals(method)) {
entry->mMethods[i].expirationTime = expirationTime;
break;
}
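Review bot: The wildcard comparison on the cached side refreshes an existing `*` entry's expirationTime from a response that may list only a specific method, so a `*` granted by an earlier response outlives the max-age that earlier response gave it, and the method the new response actually lists is never recorded on its own. Deduplication against the cache should remain a literal comparison, `if (entry->mMethods[i].token.Equals(method)) {`, with wildcard semantics applied where the cache is consulted rather than where it is populated. If the lookup path (not in this hunk) does not treat a cached `*` specially, the stored wildcard merely forces another preflight, which is safe but makes this cache-side change ineffective. AddResultToCache starts and ends outside this hunk.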
@@ -1199,7 +1200,8 @@ nsCORSPreflightListener::AddResultToCache(nsIRequest *aRequest)
}
uint32_t i;
for (i = 0; i < entry->mHeaders.Length(); ++i) {
- if (entry->mHeaders[i].token.Equals(header)) {
+ if ((entry->mHeaders[i].token.EqualsLiteral("*") && !mWithCredentials) ||
+ entry->mHeaders[i].token.Equals(header)) {
entry->mHeaders[i].expirationTime = expirationTime;
break;
}
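Review bot: Same concern as for the methods list: a cached `*` absorbs every header token from later responses, so a response listing `Authorization` (or any header) against a cached wildcard only extends the wildcard's lifetime and never stores the header itself. That matters because the Fetch standard treats `Authorization` as a CORS non-wildcard request-header name that `*` does not cover, so a cache that collapses it into `*` cannot later tell whether the server actually allowed it. Keep the literal `if (entry->mHeaders[i].token.Equals(header)) {` here and handle `*` at lookup time, where the request's credentials mode and header names are both known. AddResultToCache starts and ends outside this hunk.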
@@ -1325,7 +1327,11 @@ nsCORSPreflightListener::CheckPreflightRequestApproved(nsIRequest* aRequest)
NS_ConvertUTF8toUTF16(method).get());
return NS_ERROR_DOM_BAD_URI;
}
- foundMethod |= mPreflightMethod.Equals(method);
+ if (method.EqualsLiteral("*") && !mWithCredentials) {
+ foundMethod = true;
+ } else {
+ foundMethod |= mPreflightMethod.Equals(method);
+ }
}
if (!foundMethod) {
LogBlockedRequest(aRequest, "CORSMethodNotFound", nullptr);
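Review bot: The credentials condition on the new `*` branch deserves a comment, because falling through to `foundMethod |= mPreflightMethod.Equals(method)` for credentialed requests is deliberate and easy to mistake for an omission: with credentials, `*` is compared as a literal method name, which is what the Fetch standard specifies. I would add above the `if`: `// Fetch: "*" is a wildcard only for requests without credentials; with credentials it is matched as a literal method name.` The surrounding loop and CheckPreflightRequestApproved both start outside this hunk.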
@@ -1338,6 +1344,7 @@ nsCORSPreflightListener::CheckPreflightRequestApproved(nsIRequest* aRequest)
headerVal);
nsTArray<nsCString> headers;
nsCCharSeparatedTokenizer headerTokens(headerVal, ',');
+ bool allowAllHeaders = false;
while(headerTokens.hasMoreTokens()) {
const nsDependentCSubstring& header = headerTokens.nextToken();
if (header.IsEmpty()) {
@@ -1348,14 +1355,20 @@ nsCORSPreflightListener::CheckPreflightRequestApproved(nsIRequest* aRequest)
NS_ConvertUTF8toUTF16(header).get());
return NS_ERROR_DOM_BAD_URI;
}
- headers.AppendElement(header);
+ if (header.EqualsLiteral("*") && !mWithCredentials) {
+ allowAllHeaders = true;
+ } else {
+ headers.AppendElement(header);
+ }
}
- for (uint32_t i = 0; i < mPreflightHeaders.Length(); ++i) {
- if (!headers.Contains(mPreflightHeaders[i],
- nsCaseInsensitiveCStringArrayComparator())) {
- LogBlockedRequest(aRequest, "CORSMissingAllowHeaderFromPreflight",
- NS_ConvertUTF8toUTF16(mPreflightHeaders[i]).get());
- return NS_ERROR_DOM_BAD_URI;
+ if (!allowAllHeaders) {
+ for (uint32_t i = 0; i < mPreflightHeaders.Length(); ++i) {
+ if (!headers.Contains(mPreflightHeaders[i],
+ nsCaseInsensitiveCStringArrayComparator())) {
+ LogBlockedRequest(aRequest, "CORSMissingAllowHeaderFromPreflight",
+ NS_ConvertUTF8toUTF16(mPreflightHeaders[i]).get());
+ return NS_ERROR_DOM_BAD_URI;
+ }
}
}
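Review bot: Skipping the whole per-header check when `allowAllHeaders` is set lets a response carrying `Access-Control-Allow-Headers: *` authorize a preflighted `Authorization` header, but the Fetch standard defines `Authorization` as a CORS non-wildcard request-header name that `*` never covers; it must be listed explicitly even for requests without credentials. The loop should therefore run regardless of the wildcard and only relax the membership test for headers other than `Authorization`, as sketched below. The `allowAllHeaders` flag is introduced in the previous hunk and is only consumed here. CheckPreflightRequestApproved continues outside this hunk.
```cpp
    for (uint32_t i = 0; i < mPreflightHeaders.Length(); ++i) {
      // Fetch: "*" never covers Authorization (a CORS non-wildcard
      // request-header name); it must be listed explicitly even when the
      // response granted "*" to a request without credentials.
      bool mustBeListed = !allowAllHeaders ||
                          mPreflightHeaders[i].LowerCaseEqualsLiteral("authorization");
      if (mustBeListed &&
          !headers.Contains(mPreflightHeaders[i],
                            nsCaseInsensitiveCStringArrayComparator())) {
        LogBlockedRequest(aRequest, "CORSMissingAllowHeaderFromPreflight",
                          NS_ConvertUTF8toUTF16(mPreflightHeaders[i]).get());
        return NS_ERROR_DOM_BAD_URI;
      }
    }
```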