Diff
Modified: tags/Safari-604.1.1/LayoutTests/ChangeLog (210067 => 210068)
--- tags/Safari-604.1.1/LayoutTests/ChangeLog 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/LayoutTests/ChangeLog 2016-12-21 19:06:35 UTC (rev 210068)
@@ -1,5 +1,9 @@
2016-12-21 Babak Shafiei <[email protected]>
+ Roll out r209261.
+
+2016-12-21 Babak Shafiei <[email protected]>
+
Roll out r209510.
2016-12-20 Myles C. Maxfield <[email protected]>
Deleted: tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt (210067 => 210068)
--- tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt 2016-12-21 19:06:35 UTC (rev 210068)
@@ -1,21 +0,0 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept-Language is not allowed by Access-Control-Allow-Headers.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Content-Language is not allowed by Access-Control-Allow-Headers.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Content-Language is not allowed by Access-Control-Allow-Headers.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
-PASS Accept header with normal value SHOULD NOT cause a preflight
-PASS Accept header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight
-PASS Accept-Language header with normal value SHOULD NOT cause a preflight
-PASS Accept-Language header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight
-PASS Content-Language header with normal value SHOULD NOT cause a preflight
-PASS Content-Language header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight
-PASS Accept header with abnormal value SHOULD cause a preflight
-PASS Accept-Language header with abnormal value SHOULD cause a preflight
-PASS Content-Language header with abnormal value SHOULD cause a preflight
-PASS Accept header with normal value, Accept-Language header with normal value, and Content-Language header with abnormal value SHOULD cause a preflight
-PASS Accept header with normal value and then another Accept header with abnormal value SHOULD cause a preflight
-PASS Accept header with abnormal value and explicitly allowed headers SHOULD be allowed
-PASS Content-Language header with abnormal value and explicitly allowed headers SHOULD be allowed
-PASS Accept header with normal value, Accept-Language header with normal value, Content-Language header with abnormal value, and explicitly allowed headers SHOULD be allowed
-PASS Accept header with normal value, then another Accept header with abnormal value, and explicitly allowed headers SHOULD be allowed
-
Deleted: tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html (210067 => 210068)
--- tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html 2016-12-21 19:06:35 UTC (rev 210068)
@@ -1,160 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
- <meta charset="UTF-8">
- <title>Non-Standard Safelisted Headers SHOULD Trigger a Preflight</title>
- <script src=""
-</head>
-<body>
-<!-- https://fetch.spec.whatwg.org/#cors-safelisted-request-header -->
-<script>
- if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.waitUntilDone();
- }
-
- var xhr;
- var url = '';
-
- function createReadyStateHandler (description, testNumber) {
- return function handler (e) {
- if (xhr.readyState === XMLHttpRequest.DONE) {
- testPassed(description);
- nextStep(testNumber);
- }
- }
- }
-
- function createOnErrorHandler (description, testNumber) {
- return function handler (e) {
- e.preventDefault();
- testPassed(description);
- nextStep(testNumber);
- }
- }
-
- var abnormalSimpleCorsHeaderValue = "() { :;};"
- var allAllowedNonAlphanumericCharactersForAcceptHeader = " *./;="
- var allAllowedNonAlphanumericCharactersForAcceptAndContentLanguageHeader = " *-.;="
- var testCases = [
- // Positive test cases with normal headers
- {
- headersToAdd: [{ name : "Accept", value: "text/*" }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: false,
- description: "Accept header with normal value SHOULD NOT cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Accept", value: allAllowedNonAlphanumericCharactersForAcceptHeader }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: false,
- description: "Accept header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Accept-Language", value: "en" }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: false,
- description: "Accept-Language header with normal value SHOULD NOT cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Accept-Language", value: allAllowedNonAlphanumericCharactersForAcceptAndContentLanguageHeader }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: false,
- description: "Accept-Language header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Content-Language", value: "en" }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: false,
- description: "Content-Language header with normal value SHOULD NOT cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Content-Language", value: allAllowedNonAlphanumericCharactersForAcceptAndContentLanguageHeader }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: false,
- description: "Content-Language header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight"
- }
- // Negative test cases with abnormal headers
- ,{
- headersToAdd: [{ name : "Accept", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: true,
- description: "Accept header with abnormal value SHOULD cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Accept-Language", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: true,
- description: "Accept-Language header with abnormal value SHOULD cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Content-Language", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: true,
- description: "Content-Language header with abnormal value SHOULD cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Accept", value: "text/*" }, { name : "Accept-Language", value: "en" }, { name : "Content-Language", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: true,
- description: "Accept header with normal value, Accept-Language header with normal value, and Content-Language header with abnormal value SHOULD cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Accept", value: "text/*" }, { name : "Accept", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: true,
- description: "Accept header with normal value and then another Accept header with abnormal value SHOULD cause a preflight"
- }
- // Positive test cases with abnormal headers
- ,{
- headersToAdd: [{ name : "Accept", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: true,
- shouldCausePreflight: true,
- description: "Accept header with abnormal value and explicitly allowed headers SHOULD be allowed"
- }
- ,{
- headersToAdd: [{ name : "Content-Language", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: true,
- shouldCausePreflight: true,
- description: "Content-Language header with abnormal value and explicitly allowed headers SHOULD be allowed"
- }
- ,{
- headersToAdd: [{ name : "Accept", value: "text/*" }, { name : "Accept-Language", value: "en" }, { name : "Content-Language", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: true,
- shouldCausePreflight: true,
- description: "Accept header with normal value, Accept-Language header with normal value, Content-Language header with abnormal value, and explicitly allowed headers SHOULD be allowed"
- }
- ,{
- headersToAdd: [{ name : "Accept", value: "text/*" }, { name : "Accept", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: true,
- shouldCausePreflight: true,
- description: "Accept header with normal value, then another Accept header with abnormal value, and explicitly allowed headers SHOULD be allowed"
- }
- ];
-
- function runTestCase(testNumber) {
- var testCase = testCases[testNumber];
- xhr = new XMLHttpRequest();
- xhr.open('GET', url + (testCase.explicitlyAllowHeaders ? "/?explicitlyAllowHeaders=true" : ""), true);
- for (var i = 0; i < testCase.headersToAdd.length; i++) {
- xhr.setRequestHeader(testCase.headersToAdd[i].name, testCase.headersToAdd[i].value);
- }
- if (testCase.shouldCausePreflight && !testCase.explicitlyAllowHeaders)
- xhr._onerror_ = createOnErrorHandler(testCase.description, testNumber);
- else
- xhr._onreadystatechange_ = createReadyStateHandler(testCase.description, testNumber);
- xhr.send();
- }
-
- function nextStep (testNumber) {
- if (testNumber === (testCases.length - 1)) {
- if (window.testRunner)
- testRunner.notifyDone();
- } else
- runTestCase(testNumber + 1);
- }
-
- runTestCase(0);
-</script>
-</body>
-</html>
\ No newline at end of file
Deleted: tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php (210067 => 210068)
--- tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php 2016-12-21 19:06:35 UTC (rev 210068)
@@ -1,8 +0,0 @@
-<?php
-header('Access-Control-Allow-Origin: http://127.0.0.1:8000');
-
-if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS' && isset($_GET['explicitlyAllowHeaders'])) {
- header('Access-Control-Allow-Methods: GET, OPTIONS');
- header('Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language');
-}
-?>
\ No newline at end of file
Modified: tags/Safari-604.1.1/Source/WebCore/ChangeLog (210067 => 210068)
--- tags/Safari-604.1.1/Source/WebCore/ChangeLog 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/Source/WebCore/ChangeLog 2016-12-21 19:06:35 UTC (rev 210068)
@@ -1,5 +1,9 @@
2016-12-21 Babak Shafiei <[email protected]>
+ Roll out r209261.
+
+2016-12-21 Babak Shafiei <[email protected]>
+
Roll out r209510.
2016-12-20 Myles C. Maxfield <[email protected]>
Modified: tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginAccessControl.cpp (210067 => 210068)
--- tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginAccessControl.cpp 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginAccessControl.cpp 2016-12-21 19:06:35 UTC (rev 210068)
@@ -45,6 +45,25 @@
return method == "GET" || method == "HEAD" || method == "POST";
}
+bool isOnAccessControlSimpleRequestHeaderWhitelist(HTTPHeaderName name, const String& value)
+{
+ switch (name) {
+ case HTTPHeaderName::Accept:
+ case HTTPHeaderName::AcceptLanguage:
+ case HTTPHeaderName::ContentLanguage:
+ return true;
+ case HTTPHeaderName::ContentType: {
+ // Preflight is required for MIME types that can not be sent via form submission.
+ String mimeType = extractMIMETypeFromMediaType(value);
+ return equalIgnoringASCIICase(mimeType, "application/x-www-form-urlencoded")
+ || equalIgnoringASCIICase(mimeType, "multipart/form-data")
+ || equalIgnoringASCIICase(mimeType, "text/plain");
+ }
+ default:
+ return false;
+ }
+}
+
bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap& headerMap)
{
if (!isOnAccessControlSimpleRequestMethodWhitelist(method))
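Review bot: In `isOnAccessControlSimpleRequestHeaderWhitelist` the `Accept`, `AcceptLanguage` and `ContentLanguage` cases return `true` without looking at `value`, so a cross-origin request carrying any value in those headers is classified as simple and is sent without a preflight. The same value-independent result reaches `allowsCrossOriginHeaders` in CrossOriginPreflightResultCache.cpp, where such headers skip the `Access-Control-Allow-Headers` check, and the two switches in HTTPParsers.cpp. This revision also deletes the layout test that covered abnormal values, so nothing will flag the gap if the validation is never restored. If the rollout is meant to be temporary, I would record that at the three cases: `// FIXME: values are not validated here; restore the per-header value checks removed by this rollout.`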
@@ -51,7 +70,7 @@
return false;
for (const auto& header : headerMap) {
- if (!header.keyAsHTTPHeaderName || !isCrossOriginSafeRequestHeader(header.keyAsHTTPHeaderName.value(), header.value))
+ if (!header.keyAsHTTPHeaderName || !isOnAccessControlSimpleRequestHeaderWhitelist(header.keyAsHTTPHeaderName.value(), header.value))
return false;
}
Modified: tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginAccessControl.h (210067 => 210068)
--- tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginAccessControl.h 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginAccessControl.h 2016-12-21 19:06:35 UTC (rev 210068)
@@ -40,6 +40,7 @@
bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap&);
bool isOnAccessControlSimpleRequestMethodWhitelist(const String&);
+bool isOnAccessControlSimpleRequestHeaderWhitelist(HTTPHeaderName, const String& value);
bool isOnAccessControlResponseHeaderWhitelist(const String&);
void updateRequestForAccessControl(ResourceRequest&, SecurityOrigin&, StoredCredentials);
Modified: tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp (210067 => 210068)
--- tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp 2016-12-21 19:06:35 UTC (rev 210068)
@@ -29,7 +29,6 @@
#include "CrossOriginAccessControl.h"
#include "HTTPHeaderNames.h"
-#include "HTTPParsers.h"
#include "ResourceResponse.h"
#include <wtf/MainThread.h>
#include <wtf/NeverDestroyed.h>
@@ -128,7 +127,7 @@
bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, String& errorDescription) const
{
for (const auto& header : requestHeaders) {
- if (header.keyAsHTTPHeaderName && isCrossOriginSafeRequestHeader(header.keyAsHTTPHeaderName.value(), header.value))
+ if (header.keyAsHTTPHeaderName && isOnAccessControlSimpleRequestHeaderWhitelist(header.keyAsHTTPHeaderName.value(), header.value))
continue;
if (!m_headers.contains(header.key)) {
errorDescription = "Request header field " + header.key + " is not allowed by Access-Control-Allow-Headers.";
Modified: tags/Safari-604.1.1/Source/WebCore/platform/network/HTTPParsers.cpp (210067 => 210068)
--- tags/Safari-604.1.1/Source/WebCore/platform/network/HTTPParsers.cpp 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/Source/WebCore/platform/network/HTTPParsers.cpp 2016-12-21 19:06:35 UTC (rev 210068)
@@ -34,7 +34,6 @@
#include "HTTPParsers.h"
#include "HTTPHeaderNames.h"
-#include "Language.h"
#include <wtf/DateMath.h>
#include <wtf/NeverDestroyed.h>
#include <wtf/text/CString.h>
@@ -127,36 +126,6 @@
return true;
}
-// See RFC 7231, Section 5.3.2
-bool isValidAcceptHeaderValue(const String& value)
-{
- for (unsigned i = 0; i < value.length(); ++i) {
- UChar c = value[i];
- if (isASCIIAlphanumeric(c) || c == ' ' || c == '*' || c == '.' || c == '/' || c == ';' || c == '=')
- continue;
- return false;
- }
-
- return true;
-}
-
-// See RFC 7231, Section 5.3.5 and 3.1.3.2
-bool isValidLanguageHeaderValue(const String& value)
-{
- for (unsigned i = 0; i < value.length(); ++i) {
- UChar c = value[i];
- if (isASCIIAlphanumeric(c) || c == ' ' || c == '*' || c == '-' || c == '.' || c == ';' || c == '=')
- continue;
- return false;
- }
-
- // FIXME: Validate further by splitting into language tags and optional quality
- // values (q=) and then check each language tag.
- // Language tags https://tools.ietf.org/html/rfc7231#section-3.1.3.1
- // Language tag syntax https://tools.ietf.org/html/bcp47#section-2.1
- return true;
-}
-
// See RFC 7230, Section 3.2.6.
bool isValidHTTPToken(const String& value)
{
@@ -763,7 +732,7 @@
}
}
-// Implementation of https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name
+// Implememtnation of https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name
bool isForbiddenHeaderName(const String& name)
{
HTTPHeaderName headerName;
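Review bot: The new comment line misspells "Implementation" as "Implememtnation"; the line it replaces was spelled correctly, so the rollout reintroduces the typo. The comment also sits above `isForbiddenHeaderName` while linking to the CORS-safelisted response-header anchor, which looks mismatched, though the function body is outside this hunk so I cannot confirm which definition it implements. At minimum I would keep the corrected spelling: `// Implementation of https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name`.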
@@ -807,7 +776,18 @@
HTTPHeaderName headerName;
if (!findHTTPHeaderName(name, headerName))
return false;
- return isCrossOriginSafeRequestHeader(headerName, value);
+ switch (headerName) {
+ case HTTPHeaderName::Accept:
+ case HTTPHeaderName::AcceptLanguage:
+ case HTTPHeaderName::ContentLanguage:
+ return true;
+ case HTTPHeaderName::ContentType: {
+ String mimeType = extractMIMETypeFromMediaType(value);
+ return equalLettersIgnoringASCIICase(mimeType, "application/x-www-form-urlencoded") || equalLettersIgnoringASCIICase(mimeType, "multipart/form-data") || equalLettersIgnoringASCIICase(mimeType, "text/plain");
+ }
+ default:
+ return false;
+ }
}
bool isCrossOriginSafeHeader(HTTPHeaderName name, const HTTPHeaderSet& accessControlExposeHeaderSet)
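Review bot: The switch inlined here is a third copy of the request-header safelist, next to `isCrossOriginSafeRequestHeader` (changed in the following hunk) and the new `isOnAccessControlSimpleRequestHeaderWhitelist` in CrossOriginAccessControl.cpp. Copies of a security allowlist can drift apart, and they already differ: this one compares MIME types with `equalLettersIgnoringASCIICase` while the CrossOriginAccessControl.cpp copy uses `equalIgnoringASCIICase`. Since `isCrossOriginSafeRequestHeader` still exists and now returns the same results, this function could keep delegating with `return isCrossOriginSafeRequestHeader(headerName, value);`. The enclosing function starts before this hunk, so its name and callers are not visible here.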
@@ -844,12 +824,10 @@
{
switch (name) {
case HTTPHeaderName::Accept:
- return isValidAcceptHeaderValue(value);
case HTTPHeaderName::AcceptLanguage:
case HTTPHeaderName::ContentLanguage:
- return isValidLanguageHeaderValue(value);
+ return true;
case HTTPHeaderName::ContentType: {
- // Preflight is required for MIME types that can not be sent via form submission.
String mimeType = extractMIMETypeFromMediaType(value);
return equalLettersIgnoringASCIICase(mimeType, "application/x-www-form-urlencoded") || equalLettersIgnoringASCIICase(mimeType, "multipart/form-data") || equalLettersIgnoringASCIICase(mimeType, "text/plain");
}
Modified: tags/Safari-604.1.1/Source/WebCore/platform/network/HTTPParsers.h (210067 => 210068)
--- tags/Safari-604.1.1/Source/WebCore/platform/network/HTTPParsers.h 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/Source/WebCore/platform/network/HTTPParsers.h 2016-12-21 19:06:35 UTC (rev 210068)
@@ -69,8 +69,6 @@
bool isValidReasonPhrase(const String&);
bool isValidHTTPHeaderValue(const String&);
-bool isValidAcceptHeaderValue(const String&);
-bool isValidLanguageHeaderValue(const String&);
bool isValidHTTPToken(const String&);
bool parseHTTPRefresh(const String& refresh, double& delay, String& url);
std::optional<std::chrono::system_clock::time_point> parseHTTPDate(const String&);