CORS: Allow particular Range header values without a preflight
Categories
(Core :: DOM: Networking, enhancement, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox117 | --- | fixed |
People
(Reporter: jaffathecake, Assigned: dlrobertson)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, Whiteboard: [necko-triaged])
Attachments
(1 file)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Expected results:
Spec discussion: https://github.com/whatwg/fetch/issues/1310
Spec PR: https://github.com/whatwg/fetch/pull/1312
Tests PR: https://github.com/web-platform-tests/wpt/pull/31058
Range
was added as a safe-listed header as long as the value is in a particular format, which aligns with formats the browser uses when requesting media and resuming downloads.
Updated•3 years ago
|
Updated•3 years ago
|
Comment 2•3 years ago
|
||
The following information seems to have sped the development of a webkit patch along, so I will re-post it here:
CORS-safelisted request-header:
https://fetch.spec.whatwg.org/#cors-safelisted-request-header
Allowed particular Range header values (simple range header value):
https://fetch.spec.whatwg.org/#simple-range-header-value
Examples:
Range: bytes=0-255
Range: bytes=255-
Hopefully it will make a patch for Gecko more likely.
Comment 3•3 years ago
|
||
Dev docs PR https://github.com/mdn/content/pull/14657
Comment 4•3 years ago
|
||
Dev docs published: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
Range (only with a simple range header value; e.g., bytes=256- or bytes=127-255)
Note: Firefox has not implemented Range as a safelisted request-header yet. See bug 1733981.
Shipped in Chromium: https://chromestatus.com/feature/5652396366626816
In trunk for WebKit: https://git.webkit.org/?p=WebKit.git;a=commit;h=2b039d303782f915fd730720f281f081aab45549
Comment 5•3 years ago
|
||
Edit: Correct link to WebKit: https://trac.webkit.org/changeset/292293/webkit
Updated•2 years ago
|
Assignee | ||
Comment 6•1 year ago
|
||
The Range header was added as a safe-listed header as long as the value
is in a particular format. Update IsCORSSafelistedRequestHeader
implementations to account for this.
Updated•1 year ago
|
Comment 9•1 year ago
|
||
Backed out for causing range related wpt unexpected passes.
Failure logs:
- https://treeherder.mozilla.org/logviewer?job_id=421986327&repo=autoland
- https://treeherder.mozilla.org/logviewer?job_id=421987579&repo=autoland
- https://treeherder.mozilla.org/logviewer?job_id=421986408&repo=autoland
Backout link: https://hg.mozilla.org/integration/autoland/rev/2f3294fbb670
Assignee | ||
Comment 10•1 year ago
|
||
Ah, missed a test that should be passing now.
Comment 11•1 year ago
|
||
Comment 12•1 year ago
|
||
Backed out for causing failures on general.any.serviceworker.html
Assignee | ||
Comment 13•1 year ago
|
||
Looks like I was too aggressive in my wpt metadata pruning... The test is failing due to bug 1465074. I'll look to see how easy it would be to solve that bug as well... Otherwise I'll just reduce the wpt test metadata pruning
Comment 14•1 year ago
|
||
Comment 15•1 year ago
|
||
bugherder |
Comment 16•1 year ago
|
||
Other MDN docs changes can be tracked in the following GitHub issue: https://github.com/mdn/content/issues/28281
Updated•1 year ago
|
Description
•