Bug 1162411 - Fix Request CORS bug. r=bz
☠☠ backed out by a8521f7c90a2 ☠ ☠
authorNikhil Marathe <nsm.nikhil@gmail.com>
Thu, 07 May 2015 15:39:13 -0700
changeset 274399 8635863a78c0f4715266dc0753eb30a8b7bb8611
parent 274398 5df6a8eccc53b8d27582a43ba3098e41442e89ff
child 274400 60ab1ea8f15816644cdbb3a22bd7e883e737f9d6
push id863
push userraliiev@mozilla.com
push dateMon, 03 Aug 2015 13:22:43 +0000
treeherdermozilla-release@f6321b14228d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbz
bugs1162411
milestone40.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1162411 - Fix Request CORS bug. r=bz
dom/fetch/Request.cpp
dom/tests/mochitest/fetch/test_request.js
--- a/dom/fetch/Request.cpp
+++ b/dom/fetch/Request.cpp
@@ -258,16 +258,20 @@ Request::Constructor(const GlobalObject&
     }
     request->ClearCreatedByFetchEvent();
     headers = h->GetInternalHeaders();
   } else {
     headers = new InternalHeaders(*requestHeaders);
   }
 
   requestHeaders->Clear();
+  // From "Let r be a new Request object associated with request and a new
+  // Headers object whose guard is "request"."
+  requestHeaders->SetGuard(HeadersGuardEnum::Request, aRv);
+  MOZ_ASSERT(!aRv.Failed());
 
   if (request->Mode() == RequestMode::No_cors) {
     if (!request->HasSimpleMethod()) {
       nsAutoCString method;
       request->GetMethod(method);
       NS_ConvertUTF8toUTF16 label(method);
       aRv.ThrowTypeError(MSG_INVALID_REQUEST_METHOD, &label);
       return nullptr;
--- a/dom/tests/mochitest/fetch/test_request.js
+++ b/dom/tests/mochitest/fetch/test_request.js
@@ -18,29 +18,29 @@ function testDefaultCtor() {
   is(req.mode, "cors", "Request mode string input is cors");
   is(req.credentials, "omit", "Default Request credentials is omit");
   is(req.cache, "default", "Default Request cache is default");
 }
 
 function testClone() {
   var orig = new Request("./cloned_request.txt", {
               method: 'POST',
-              headers: { "Content-Length": 5 },
+              headers: { "Sample-Header": "5" },
               body: "Sample body",
               mode: "same-origin",
               credentials: "same-origin",
               cache: "no-store",
             });
   var clone = orig.clone();
   ok(clone.method === "POST", "Request method is POST");
   ok(clone.headers instanceof Headers, "Request should have non-null Headers object");
 
-  is(clone.headers.get('content-length'), "5", "Response content-length should be 5.");
-  orig.headers.set('content-length', 6);
-  is(clone.headers.get('content-length'), "5", "Request content-length should be 5.");
+  is(clone.headers.get('sample-header'), "5", "Request sample-header should be 5.");
+  orig.headers.set('sample-header', 6);
+  is(clone.headers.get('sample-header'), "5", "Cloned Request sample-header should continue to be 5.");
 
   ok(clone.url === (new URL("./cloned_request.txt", self.location.href)).href,
        "URL should be resolved with entry settings object's API base URL");
   ok(clone.referrer === "about:client", "Default referrer is `client` which serializes to about:client.");
   ok(clone.mode === "same-origin", "Request mode is same-origin");
   ok(clone.credentials === "same-origin", "Default credentials is same-origin");
   ok(clone.cache === "no-store", "Default cache is no-store");
 
@@ -119,16 +119,30 @@ function testBug1109574() {
   var r1 = new Request("");
   is(r1.bodyUsed, false, "Initial value of bodyUsed should be false");
   var r2 = new Request(r1);
   is(r1.bodyUsed, false, "Request with null body should not have bodyUsed set");
   // This should succeed.
   var r3 = new Request(r1);
 }
 
+function testHeaderGuard() {
+  var headers = {
+    "Cookie": "Custom cookie",
+    "Non-Simple-Header": "value",
+  };
+  var r1 = new Request("", { headers: headers });
+  ok(!r1.headers.has("Cookie"), "Default Request header should have guard request and prevent setting forbidden header.");
+  ok(r1.headers.has("Non-Simple-Header"), "Default Request header should have guard request and allow setting non-simple header.");
+
+  var r2 = new Request("", { mode: "no-cors", headers: headers });
+  ok(!r2.headers.has("Cookie"), "no-cors Request header should have guard request-no-cors and prevent setting non-simple header.");
+  ok(!r2.headers.has("Non-Simple-Header"), "no-cors Request header should have guard request-no-cors and prevent setting non-simple header.");
+}
+
 function testMethod() {
   // These get normalized.
   var allowed = ["delete", "get", "head", "options", "post", "put" ];
   for (var i = 0; i < allowed.length; ++i) {
     try {
       var r = new Request("", { method: allowed[i] });
       ok(true, "Method " + allowed[i] + " should be allowed");
       is(r.method, allowed[i].toUpperCase(),
@@ -429,16 +443,17 @@ function testModeCorsPreflightEnumValue(
 }
 
 function runTest() {
   testDefaultCtor();
   testSimpleUrlParse();
   testUrlFragment();
   testMethod();
   testBug1109574();
+  testHeaderGuard();
   testModeCorsPreflightEnumValue();
 
   return Promise.resolve()
     .then(testBodyCreation)
     .then(testBodyUsed)
     .then(testBodyExtraction)
     .then(testFormDataBodyCreation)
     .then(testFormDataBodyExtraction)