Closed Bug 1733981 Opened 3 years ago Closed 1 year ago

CORS: Allow particular Range header values without a preflight

Categories

(Core :: DOM: Networking, enhancement, P3)

enhancement

Tracking

()

RESOLVED FIXED
117 Branch
Tracking Status
firefox117 --- fixed

People

(Reporter: jaffathecake, Assigned: dlrobertson)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete, Whiteboard: [necko-triaged])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36

Expected results:

Spec discussion: https://github.com/whatwg/fetch/issues/1310
Spec PR: https://github.com/whatwg/fetch/pull/1312
Tests PR: https://github.com/web-platform-tests/wpt/pull/31058

Range was added as a safe-listed header as long as the value is in a particular format, which aligns with formats the browser uses when requesting media and resuming downloads.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: dev-doc-needed
Severity: -- → N/A
Priority: -- → P3
Whiteboard: [necko-triaged]
Blocks: fetch

The following information seems to have sped the development of a webkit patch along, so I will re-post it here:

CORS-safelisted request-header:
https://fetch.spec.whatwg.org/#cors-safelisted-request-header

Allowed particular Range header values (simple range header value):
https://fetch.spec.whatwg.org/#simple-range-header-value

Examples:

Range: bytes=0-255

Range: bytes=255-


Hopefully it will make a patch for Gecko more likely.

See Also: → 1465074

Dev docs published: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests

Range (only with a simple range header value; e.g., bytes=256- or bytes=127-255)
Note: Firefox has not implemented Range as a safelisted request-header yet. See bug 1733981.

Shipped in Chromium: https://chromestatus.com/feature/5652396366626816
In trunk for WebKit: https://git.webkit.org/?p=WebKit.git;a=commit;h=2b039d303782f915fd730720f281f081aab45549

Depends on: CVE-2022-45403
See Also: → 1784880

The Range header was added as a safe-listed header as long as the value
is in a particular format. Update IsCORSSafelistedRequestHeader
implementations to account for this.

Assignee: nobody → drobertson
Status: NEW → ASSIGNED
Pushed by drobertson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ee68eebc7bfd Allow single range header values without preflight. r=twisniewski,necko-reviewers,kershaw
Backout by csabou@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2f3294fbb670 Backed out changeset ee68eebc7bfd for causing range related wpt unexpected passes. CLOSED TREE

Ah, missed a test that should be passing now.

Flags: needinfo?(drobertson)
Pushed by drobertson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/87f35bfe2247 Allow single range header values without preflight. r=twisniewski,necko-reviewers,kershaw

Backed out for causing failures on general.any.serviceworker.html

Backout link

Push with failures

Failure log

Flags: needinfo?(drobertson)

Looks like I was too aggressive in my wpt metadata pruning... The test is failing due to bug 1465074. I'll look to see how easy it would be to solve that bug as well... Otherwise I'll just reduce the wpt test metadata pruning

Flags: needinfo?(drobertson)
Pushed by drobertson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/cd0d5fa97119 Allow single range header values without preflight. r=twisniewski,necko-reviewers,kershaw
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 117 Branch

Other MDN docs changes can be tracked in the following GitHub issue: https://github.com/mdn/content/issues/28281

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: