<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[210068] tags/Safari-604.1.1</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/210068">210068</a></dd>
<dt>Author</dt> <dd>bshafiei@apple.com</dd>
<dt>Date</dt> <dd>2016-12-21 11:06:35 -0800 (Wed, 21 Dec 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Roll out <a href="http://trac.webkit.org/projects/webkit/changeset/209261">r209261</a>. rdar://problem/29774539</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#tagsSafari60411LayoutTestsChangeLog">tags/Safari-604.1.1/LayoutTests/ChangeLog</a></li>
<li><a href="#tagsSafari60411SourceWebCoreChangeLog">tags/Safari-604.1.1/Source/WebCore/ChangeLog</a></li>
<li><a href="#tagsSafari60411SourceWebCoreloaderCrossOriginAccessControlcpp">tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginAccessControl.cpp</a></li>
<li><a href="#tagsSafari60411SourceWebCoreloaderCrossOriginAccessControlh">tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginAccessControl.h</a></li>
<li><a href="#tagsSafari60411SourceWebCoreloaderCrossOriginPreflightResultCachecpp">tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp</a></li>
<li><a href="#tagsSafari60411SourceWebCoreplatformnetworkHTTPParserscpp">tags/Safari-604.1.1/Source/WebCore/platform/network/HTTPParsers.cpp</a></li>
<li><a href="#tagsSafari60411SourceWebCoreplatformnetworkHTTPParsersh">tags/Safari-604.1.1/Source/WebCore/platform/network/HTTPParsers.h</a></li>
</ul>
<h3>Removed Paths</h3>
<ul>
<li><a href="#tagsSafari60411LayoutTestshttptestsxmlhttprequestcorsnonstandardsafelistedheadersshouldtriggerpreflightexpectedtxt">tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt</a></li>
<li><a href="#tagsSafari60411LayoutTestshttptestsxmlhttprequestcorsnonstandardsafelistedheadersshouldtriggerpreflighthtml">tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html</a></li>
<li><a href="#tagsSafari60411LayoutTestshttptestsxmlhttprequestresourcescorspreflightsafelistedheadersresponderphp">tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="tagsSafari60411LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: tags/Safari-604.1.1/LayoutTests/ChangeLog (210067 => 210068)</h4>
<pre class="diff"><span>
<span class="info">--- tags/Safari-604.1.1/LayoutTests/ChangeLog 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/LayoutTests/ChangeLog 2016-12-21 19:06:35 UTC (rev 210068)
</span><span class="lines">@@ -1,5 +1,9 @@
</span><span class="cx"> 2016-12-21 Babak Shafiei <bshafiei@apple.com>
</span><span class="cx">
</span><ins>+ Roll out r209261.
+
+2016-12-21 Babak Shafiei <bshafiei@apple.com>
+
</ins><span class="cx"> Roll out r209510.
</span><span class="cx">
</span><span class="cx"> 2016-12-20 Myles C. Maxfield <mmaxfield@apple.com>
</span></span></pre></div>
<a id="tagsSafari60411LayoutTestshttptestsxmlhttprequestcorsnonstandardsafelistedheadersshouldtriggerpreflightexpectedtxt"></a>
<div class="delfile"><h4>Deleted: tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt (210067 => 210068)</h4>
<pre class="diff"><span>
<span class="info">--- tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt 2016-12-21 19:06:35 UTC (rev 210068)
</span><span class="lines">@@ -1,21 +0,0 @@
</span><del>-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept-Language is not allowed by Access-Control-Allow-Headers.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Content-Language is not allowed by Access-Control-Allow-Headers.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Content-Language is not allowed by Access-Control-Allow-Headers.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
-PASS Accept header with normal value SHOULD NOT cause a preflight
-PASS Accept header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight
-PASS Accept-Language header with normal value SHOULD NOT cause a preflight
-PASS Accept-Language header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight
-PASS Content-Language header with normal value SHOULD NOT cause a preflight
-PASS Content-Language header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight
-PASS Accept header with abnormal value SHOULD cause a preflight
-PASS Accept-Language header with abnormal value SHOULD cause a preflight
-PASS Content-Language header with abnormal value SHOULD cause a preflight
-PASS Accept header with normal value, Accept-Language header with normal value, and Content-Language header with abnormal value SHOULD cause a preflight
-PASS Accept header with normal value and then another Accept header with abnormal value SHOULD cause a preflight
-PASS Accept header with abnormal value and explicitly allowed headers SHOULD be allowed
-PASS Content-Language header with abnormal value and explicitly allowed headers SHOULD be allowed
-PASS Accept header with normal value, Accept-Language header with normal value, Content-Language header with abnormal value, and explicitly allowed headers SHOULD be allowed
-PASS Accept header with normal value, then another Accept header with abnormal value, and explicitly allowed headers SHOULD be allowed
-
</del></span></pre></div>
<a id="tagsSafari60411LayoutTestshttptestsxmlhttprequestcorsnonstandardsafelistedheadersshouldtriggerpreflighthtml"></a>
<div class="delfile"><h4>Deleted: tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html (210067 => 210068)</h4>
<pre class="diff"><span>
<span class="info">--- tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html 2016-12-21 19:06:35 UTC (rev 210068)
</span><span class="lines">@@ -1,160 +0,0 @@
</span><del>-<!DOCTYPE html>
-<html lang="en">
-<head>
- <meta charset="UTF-8">
- <title>Non-Standard Safelisted Headers SHOULD Trigger a Preflight</title>
- <script src="../resources/js-test-pre.js"></script>
-</head>
-<body>
-<!-- https://fetch.spec.whatwg.org/#cors-safelisted-request-header -->
-<script>
- if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.waitUntilDone();
- }
-
- var xhr;
- var url = 'http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php';
-
- function createReadyStateHandler (description, testNumber) {
- return function handler (e) {
- if (xhr.readyState === XMLHttpRequest.DONE) {
- testPassed(description);
- nextStep(testNumber);
- }
- }
- }
-
- function createOnErrorHandler (description, testNumber) {
- return function handler (e) {
- e.preventDefault();
- testPassed(description);
- nextStep(testNumber);
- }
- }
-
- var abnormalSimpleCorsHeaderValue = "() { :;};"
- var allAllowedNonAlphanumericCharactersForAcceptHeader = " *./;="
- var allAllowedNonAlphanumericCharactersForAcceptAndContentLanguageHeader = " *-.;="
- var testCases = [
- // Positive test cases with normal headers
- {
- headersToAdd: [{ name : "Accept", value: "text/*" }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: false,
- description: "Accept header with normal value SHOULD NOT cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Accept", value: allAllowedNonAlphanumericCharactersForAcceptHeader }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: false,
- description: "Accept header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Accept-Language", value: "en" }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: false,
- description: "Accept-Language header with normal value SHOULD NOT cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Accept-Language", value: allAllowedNonAlphanumericCharactersForAcceptAndContentLanguageHeader }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: false,
- description: "Accept-Language header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Content-Language", value: "en" }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: false,
- description: "Content-Language header with normal value SHOULD NOT cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Content-Language", value: allAllowedNonAlphanumericCharactersForAcceptAndContentLanguageHeader }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: false,
- description: "Content-Language header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight"
- }
- // Negative test cases with abnormal headers
- ,{
- headersToAdd: [{ name : "Accept", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: true,
- description: "Accept header with abnormal value SHOULD cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Accept-Language", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: true,
- description: "Accept-Language header with abnormal value SHOULD cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Content-Language", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: true,
- description: "Content-Language header with abnormal value SHOULD cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Accept", value: "text/*" }, { name : "Accept-Language", value: "en" }, { name : "Content-Language", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: true,
- description: "Accept header with normal value, Accept-Language header with normal value, and Content-Language header with abnormal value SHOULD cause a preflight"
- }
- ,{
- headersToAdd: [{ name : "Accept", value: "text/*" }, { name : "Accept", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: false,
- shouldCausePreflight: true,
- description: "Accept header with normal value and then another Accept header with abnormal value SHOULD cause a preflight"
- }
- // Positive test cases with abnormal headers
- ,{
- headersToAdd: [{ name : "Accept", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: true,
- shouldCausePreflight: true,
- description: "Accept header with abnormal value and explicitly allowed headers SHOULD be allowed"
- }
- ,{
- headersToAdd: [{ name : "Content-Language", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: true,
- shouldCausePreflight: true,
- description: "Content-Language header with abnormal value and explicitly allowed headers SHOULD be allowed"
- }
- ,{
- headersToAdd: [{ name : "Accept", value: "text/*" }, { name : "Accept-Language", value: "en" }, { name : "Content-Language", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: true,
- shouldCausePreflight: true,
- description: "Accept header with normal value, Accept-Language header with normal value, Content-Language header with abnormal value, and explicitly allowed headers SHOULD be allowed"
- }
- ,{
- headersToAdd: [{ name : "Accept", value: "text/*" }, { name : "Accept", value: abnormalSimpleCorsHeaderValue }],
- explicitlyAllowHeaders: true,
- shouldCausePreflight: true,
- description: "Accept header with normal value, then another Accept header with abnormal value, and explicitly allowed headers SHOULD be allowed"
- }
- ];
-
- function runTestCase(testNumber) {
- var testCase = testCases[testNumber];
- xhr = new XMLHttpRequest();
- xhr.open('GET', url + (testCase.explicitlyAllowHeaders ? "/?explicitlyAllowHeaders=true" : ""), true);
- for (var i = 0; i < testCase.headersToAdd.length; i++) {
- xhr.setRequestHeader(testCase.headersToAdd[i].name, testCase.headersToAdd[i].value);
- }
- if (testCase.shouldCausePreflight && !testCase.explicitlyAllowHeaders)
- xhr.onerror = createOnErrorHandler(testCase.description, testNumber);
- else
- xhr.onreadystatechange = createReadyStateHandler(testCase.description, testNumber);
- xhr.send();
- }
-
- function nextStep (testNumber) {
- if (testNumber === (testCases.length - 1)) {
- if (window.testRunner)
- testRunner.notifyDone();
- } else
- runTestCase(testNumber + 1);
- }
-
- runTestCase(0);
-</script>
-</body>
-</html>
</del><span class="cx">\ No newline at end of file
</span></span></pre></div>
<a id="tagsSafari60411LayoutTestshttptestsxmlhttprequestresourcescorspreflightsafelistedheadersresponderphp"></a>
<div class="delfile"><h4>Deleted: tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php (210067 => 210068)</h4>
<pre class="diff"><span>
<span class="info">--- tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/LayoutTests/http/tests/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php 2016-12-21 19:06:35 UTC (rev 210068)
</span><span class="lines">@@ -1,8 +0,0 @@
</span><del>-<?php
-header('Access-Control-Allow-Origin: http://127.0.0.1:8000');
-
-if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS' && isset($_GET['explicitlyAllowHeaders'])) {
- header('Access-Control-Allow-Methods: GET, OPTIONS');
- header('Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language');
-}
-?>
</del><span class="cx">\ No newline at end of file
</span></span></pre></div>
<a id="tagsSafari60411SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: tags/Safari-604.1.1/Source/WebCore/ChangeLog (210067 => 210068)</h4>
<pre class="diff"><span>
<span class="info">--- tags/Safari-604.1.1/Source/WebCore/ChangeLog 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/Source/WebCore/ChangeLog 2016-12-21 19:06:35 UTC (rev 210068)
</span><span class="lines">@@ -1,5 +1,9 @@
</span><span class="cx"> 2016-12-21 Babak Shafiei <bshafiei@apple.com>
</span><span class="cx">
</span><ins>+ Roll out r209261.
+
+2016-12-21 Babak Shafiei <bshafiei@apple.com>
+
</ins><span class="cx"> Roll out r209510.
</span><span class="cx">
</span><span class="cx"> 2016-12-20 Myles C. Maxfield <mmaxfield@apple.com>
</span></span></pre></div>
<a id="tagsSafari60411SourceWebCoreloaderCrossOriginAccessControlcpp"></a>
<div class="modfile"><h4>Modified: tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginAccessControl.cpp (210067 => 210068)</h4>
<pre class="diff"><span>
<span class="info">--- tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginAccessControl.cpp 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginAccessControl.cpp 2016-12-21 19:06:35 UTC (rev 210068)
</span><span class="lines">@@ -45,6 +45,25 @@
</span><span class="cx"> return method == "GET" || method == "HEAD" || method == "POST";
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool isOnAccessControlSimpleRequestHeaderWhitelist(HTTPHeaderName name, const String& value)
+{
+ switch (name) {
+ case HTTPHeaderName::Accept:
+ case HTTPHeaderName::AcceptLanguage:
+ case HTTPHeaderName::ContentLanguage:
+ return true;
+ case HTTPHeaderName::ContentType: {
+ // Preflight is required for MIME types that can not be sent via form submission.
+ String mimeType = extractMIMETypeFromMediaType(value);
+ return equalIgnoringASCIICase(mimeType, "application/x-www-form-urlencoded")
+ || equalIgnoringASCIICase(mimeType, "multipart/form-data")
+ || equalIgnoringASCIICase(mimeType, "text/plain");
+ }
+ default:
+ return false;
+ }
+}
+
</ins><span class="cx"> bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap& headerMap)
</span><span class="cx"> {
</span><span class="cx"> if (!isOnAccessControlSimpleRequestMethodWhitelist(method))
</span><span class="lines">@@ -51,7 +70,7 @@
</span><span class="cx"> return false;
</span><span class="cx">
</span><span class="cx"> for (const auto& header : headerMap) {
</span><del>- if (!header.keyAsHTTPHeaderName || !isCrossOriginSafeRequestHeader(header.keyAsHTTPHeaderName.value(), header.value))
</del><ins>+ if (!header.keyAsHTTPHeaderName || !isOnAccessControlSimpleRequestHeaderWhitelist(header.keyAsHTTPHeaderName.value(), header.value))
</ins><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="tagsSafari60411SourceWebCoreloaderCrossOriginAccessControlh"></a>
<div class="modfile"><h4>Modified: tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginAccessControl.h (210067 => 210068)</h4>
<pre class="diff"><span>
<span class="info">--- tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginAccessControl.h 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginAccessControl.h 2016-12-21 19:06:35 UTC (rev 210068)
</span><span class="lines">@@ -40,6 +40,7 @@
</span><span class="cx">
</span><span class="cx"> bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap&);
</span><span class="cx"> bool isOnAccessControlSimpleRequestMethodWhitelist(const String&);
</span><ins>+bool isOnAccessControlSimpleRequestHeaderWhitelist(HTTPHeaderName, const String& value);
</ins><span class="cx"> bool isOnAccessControlResponseHeaderWhitelist(const String&);
</span><span class="cx">
</span><span class="cx"> void updateRequestForAccessControl(ResourceRequest&, SecurityOrigin&, StoredCredentials);
</span></span></pre></div>
<a id="tagsSafari60411SourceWebCoreloaderCrossOriginPreflightResultCachecpp"></a>
<div class="modfile"><h4>Modified: tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp (210067 => 210068)</h4>
<pre class="diff"><span>
<span class="info">--- tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp 2016-12-21 19:06:35 UTC (rev 210068)
</span><span class="lines">@@ -29,7 +29,6 @@
</span><span class="cx">
</span><span class="cx"> #include "CrossOriginAccessControl.h"
</span><span class="cx"> #include "HTTPHeaderNames.h"
</span><del>-#include "HTTPParsers.h"
</del><span class="cx"> #include "ResourceResponse.h"
</span><span class="cx"> #include <wtf/MainThread.h>
</span><span class="cx"> #include <wtf/NeverDestroyed.h>
</span><span class="lines">@@ -128,7 +127,7 @@
</span><span class="cx"> bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, String& errorDescription) const
</span><span class="cx"> {
</span><span class="cx"> for (const auto& header : requestHeaders) {
</span><del>- if (header.keyAsHTTPHeaderName && isCrossOriginSafeRequestHeader(header.keyAsHTTPHeaderName.value(), header.value))
</del><ins>+ if (header.keyAsHTTPHeaderName && isOnAccessControlSimpleRequestHeaderWhitelist(header.keyAsHTTPHeaderName.value(), header.value))
</ins><span class="cx"> continue;
</span><span class="cx"> if (!m_headers.contains(header.key)) {
</span><span class="cx"> errorDescription = "Request header field " + header.key + " is not allowed by Access-Control-Allow-Headers.";
</span></span></pre></div>
<a id="tagsSafari60411SourceWebCoreplatformnetworkHTTPParserscpp"></a>
<div class="modfile"><h4>Modified: tags/Safari-604.1.1/Source/WebCore/platform/network/HTTPParsers.cpp (210067 => 210068)</h4>
<pre class="diff"><span>
<span class="info">--- tags/Safari-604.1.1/Source/WebCore/platform/network/HTTPParsers.cpp 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/Source/WebCore/platform/network/HTTPParsers.cpp 2016-12-21 19:06:35 UTC (rev 210068)
</span><span class="lines">@@ -34,7 +34,6 @@
</span><span class="cx"> #include "HTTPParsers.h"
</span><span class="cx">
</span><span class="cx"> #include "HTTPHeaderNames.h"
</span><del>-#include "Language.h"
</del><span class="cx"> #include <wtf/DateMath.h>
</span><span class="cx"> #include <wtf/NeverDestroyed.h>
</span><span class="cx"> #include <wtf/text/CString.h>
</span><span class="lines">@@ -127,36 +126,6 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-// See RFC 7231, Section 5.3.2
-bool isValidAcceptHeaderValue(const String& value)
-{
- for (unsigned i = 0; i < value.length(); ++i) {
- UChar c = value[i];
- if (isASCIIAlphanumeric(c) || c == ' ' || c == '*' || c == '.' || c == '/' || c == ';' || c == '=')
- continue;
- return false;
- }
-
- return true;
-}
-
-// See RFC 7231, Section 5.3.5 and 3.1.3.2
-bool isValidLanguageHeaderValue(const String& value)
-{
- for (unsigned i = 0; i < value.length(); ++i) {
- UChar c = value[i];
- if (isASCIIAlphanumeric(c) || c == ' ' || c == '*' || c == '-' || c == '.' || c == ';' || c == '=')
- continue;
- return false;
- }
-
- // FIXME: Validate further by splitting into language tags and optional quality
- // values (q=) and then check each language tag.
- // Language tags https://tools.ietf.org/html/rfc7231#section-3.1.3.1
- // Language tag syntax https://tools.ietf.org/html/bcp47#section-2.1
- return true;
-}
-
</del><span class="cx"> // See RFC 7230, Section 3.2.6.
</span><span class="cx"> bool isValidHTTPToken(const String& value)
</span><span class="cx"> {
</span><span class="lines">@@ -763,7 +732,7 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>-// Implementation of https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name
</del><ins>+// Implememtnation of https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name
</ins><span class="cx"> bool isForbiddenHeaderName(const String& name)
</span><span class="cx"> {
</span><span class="cx"> HTTPHeaderName headerName;
</span><span class="lines">@@ -807,7 +776,18 @@
</span><span class="cx"> HTTPHeaderName headerName;
</span><span class="cx"> if (!findHTTPHeaderName(name, headerName))
</span><span class="cx"> return false;
</span><del>- return isCrossOriginSafeRequestHeader(headerName, value);
</del><ins>+ switch (headerName) {
+ case HTTPHeaderName::Accept:
+ case HTTPHeaderName::AcceptLanguage:
+ case HTTPHeaderName::ContentLanguage:
+ return true;
+ case HTTPHeaderName::ContentType: {
+ String mimeType = extractMIMETypeFromMediaType(value);
+ return equalLettersIgnoringASCIICase(mimeType, "application/x-www-form-urlencoded") || equalLettersIgnoringASCIICase(mimeType, "multipart/form-data") || equalLettersIgnoringASCIICase(mimeType, "text/plain");
+ }
+ default:
+ return false;
+ }
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool isCrossOriginSafeHeader(HTTPHeaderName name, const HTTPHeaderSet& accessControlExposeHeaderSet)
</span><span class="lines">@@ -844,12 +824,10 @@
</span><span class="cx"> {
</span><span class="cx"> switch (name) {
</span><span class="cx"> case HTTPHeaderName::Accept:
</span><del>- return isValidAcceptHeaderValue(value);
</del><span class="cx"> case HTTPHeaderName::AcceptLanguage:
</span><span class="cx"> case HTTPHeaderName::ContentLanguage:
</span><del>- return isValidLanguageHeaderValue(value);
</del><ins>+ return true;
</ins><span class="cx"> case HTTPHeaderName::ContentType: {
</span><del>- // Preflight is required for MIME types that can not be sent via form submission.
</del><span class="cx"> String mimeType = extractMIMETypeFromMediaType(value);
</span><span class="cx"> return equalLettersIgnoringASCIICase(mimeType, "application/x-www-form-urlencoded") || equalLettersIgnoringASCIICase(mimeType, "multipart/form-data") || equalLettersIgnoringASCIICase(mimeType, "text/plain");
</span><span class="cx"> }
</span></span></pre></div>
<a id="tagsSafari60411SourceWebCoreplatformnetworkHTTPParsersh"></a>
<div class="modfile"><h4>Modified: tags/Safari-604.1.1/Source/WebCore/platform/network/HTTPParsers.h (210067 => 210068)</h4>
<pre class="diff"><span>
<span class="info">--- tags/Safari-604.1.1/Source/WebCore/platform/network/HTTPParsers.h 2016-12-21 19:05:00 UTC (rev 210067)
+++ tags/Safari-604.1.1/Source/WebCore/platform/network/HTTPParsers.h 2016-12-21 19:06:35 UTC (rev 210068)
</span><span class="lines">@@ -69,8 +69,6 @@
</span><span class="cx">
</span><span class="cx"> bool isValidReasonPhrase(const String&);
</span><span class="cx"> bool isValidHTTPHeaderValue(const String&);
</span><del>-bool isValidAcceptHeaderValue(const String&);
-bool isValidLanguageHeaderValue(const String&);
</del><span class="cx"> bool isValidHTTPToken(const String&);
</span><span class="cx"> bool parseHTTPRefresh(const String& refresh, double& delay, String& url);
</span><span class="cx"> std::optional<std::chrono::system_clock::time_point> parseHTTPDate(const String&);
</span></span></pre>
</div>
</div>
</body>
</html>