Bug 1508661 - origin header should not be set for GET and HEAD requests, r=asuth
authorAndrea Marchesini <amarchesini@mozilla.com>
Wed, 21 Nov 2018 11:33:47 +0100
changeset 506735 99c2d9a02b38a9dd89219629301e62853f58f171
parent 506734 be4f0249121820f15551de0d21e6e3626526f997
child 506736 fa95b1364b4ae517bd92171143a21e402faae610
push id1905
push userffxbld-merge
push dateMon, 21 Jan 2019 12:33:13 +0000
reviewersasuth
bugs1508661
milestone65.0a1
Bug 1508661 - origin header should not be set for GET and HEAD requests, r=asuth
dom/fetch/FetchDriver.cpp
dom/fetch/InternalRequest.cpp
dom/fetch/InternalRequest.h
testing/web-platform/meta/cookies/samesite/fetch.html.ini
testing/web-platform/meta/fetch/api/basic/request-headers.any.js.ini
testing/web-platform/meta/fetch/api/cors/cors-cookies-redirect.any.js.ini
testing/web-platform/meta/fetch/api/cors/cors-redirect.any.js.ini
testing/web-platform/meta/fetch/api/redirect/redirect-origin.any.js.ini
--- a/dom/fetch/FetchDriver.cpp
+++ b/dom/fetch/FetchDriver.cpp
@@ -1472,17 +1472,19 @@ FetchDriver::SetRequestHeaders(nsIHttpCh
   if (!hasAccept) {
     DebugOnly<nsresult> rv =
       aChannel->SetRequestHeader(NS_LITERAL_CSTRING("accept"),
                                  NS_LITERAL_CSTRING("*/*"),
                                  false /* merge */);
     MOZ_ASSERT(NS_SUCCEEDED(rv));
   }
 
-  if (mRequest->ForceOriginHeader()) {
+  nsAutoCString method;
+  mRequest->GetMethod(method);
+  if (!method.EqualsLiteral("GET") && !method.EqualsLiteral("HEAD")) {
     nsAutoString origin;
     if (NS_SUCCEEDED(nsContentUtils::GetUTFOrigin(mPrincipal, origin))) {
       DebugOnly<nsresult> rv =
         aChannel->SetRequestHeader(nsDependentCString(net::nsHttp::Origin),
                                    NS_ConvertUTF16toUTF8(origin),
                                    false /* merge */);
       MOZ_ASSERT(NS_SUCCEEDED(rv));
     }
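Review bot: The new condition `if (!method.EqualsLiteral("GET") && !method.EqualsLiteral("HEAD"))` compares the method case-sensitively, so a request whose mMethod is stored as `get` or `head` would now carry an Origin header; that is only correct if InternalRequest normalizes the method to upper case on the way in, which this hunk does not show — worth confirming, or comparing case-insensitively. The check also replaces the removed ForceOriginHeader gate without saying why, so a short comment above it would help the next reader, e.g. `// Per the Fetch spec, the Origin header is sent for every method other than GET and HEAD.` Whether CORS-mode GET/HEAD requests still get an Origin header through another path is not visible here and should be checked against the CORS handling. SetRequestHeaders begins and ends outside the hunk.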
--- a/dom/fetch/InternalRequest.cpp
+++ b/dom/fetch/InternalRequest.cpp
@@ -26,17 +26,16 @@ InternalRequest::GetRequestConstructorCo
   MOZ_RELEASE_ASSERT(!mURLList.IsEmpty(), "Internal Request's urlList should not be empty when copied from constructor.");
   RefPtr<InternalRequest> copy = new InternalRequest(mURLList.LastElement(),
                                                      mFragment);
   copy->SetMethod(mMethod);
   copy->mHeaders = new InternalHeaders(*mHeaders);
   copy->SetUnsafeRequest();
   copy->mBodyStream = mBodyStream;
   copy->mBodyLength = mBodyLength;
-  copy->mForceOriginHeader = true;
   // The "client" is not stored in our implementation. Fetch API users should
   // use the appropriate window/document/principal and other Gecko security
   // mechanisms as appropriate.
   copy->mSameOriginDataURL = true;
   copy->mPreserveContentCodings = true;
   copy->mReferrer = mReferrer;
   copy->mReferrerPolicy = mReferrerPolicy;
   copy->mEnvironmentReferrerPolicy = mEnvironmentReferrerPolicy;
@@ -90,17 +89,16 @@ InternalRequest::InternalRequest(const n
   , mEnvironmentReferrerPolicy(net::RP_Unset)
   , mMode(RequestMode::No_cors)
   , mCredentialsMode(RequestCredentials::Omit)
   , mResponseTainting(LoadTainting::Basic)
   , mCacheMode(RequestCache::Default)
   , mRedirectMode(RequestRedirect::Follow)
   , mMozErrors(false)
   , mAuthenticationFlag(false)
-  , mForceOriginHeader(false)
   , mPreserveContentCodings(false)
     // FIXME(nsm): This should be false by default, but will lead to the
     // algorithm never loading data: URLs right now. See Bug 1018872 about
     // how certain contexts will override it to set it to true. Fetch
     // specification does not handle this yet.
   , mSameOriginDataURL(true)
   , mSkipServiceWorker(false)
   , mSynchronous(false)
@@ -132,17 +130,16 @@ InternalRequest::InternalRequest(const n
   , mMode(aMode)
   , mCredentialsMode(aRequestCredentials)
   , mResponseTainting(LoadTainting::Basic)
   , mCacheMode(aCacheMode)
   , mRedirectMode(aRequestRedirect)
   , mIntegrity(aIntegrity)
   , mMozErrors(false)
   , mAuthenticationFlag(false)
-  , mForceOriginHeader(false)
   , mPreserveContentCodings(false)
     // FIXME See the above comment in the default constructor.
   , mSameOriginDataURL(true)
   , mSkipServiceWorker(false)
   , mSynchronous(false)
   , mUnsafeRequest(false)
   , mUseURLCredentials(false)
 {
@@ -162,17 +159,16 @@ InternalRequest::InternalRequest(const I
   , mCredentialsMode(aOther.mCredentialsMode)
   , mResponseTainting(aOther.mResponseTainting)
   , mCacheMode(aOther.mCacheMode)
   , mRedirectMode(aOther.mRedirectMode)
   , mIntegrity(aOther.mIntegrity)
   , mMozErrors(aOther.mMozErrors)
   , mFragment(aOther.mFragment)
   , mAuthenticationFlag(aOther.mAuthenticationFlag)
-  , mForceOriginHeader(aOther.mForceOriginHeader)
   , mPreserveContentCodings(aOther.mPreserveContentCodings)
   , mSameOriginDataURL(aOther.mSameOriginDataURL)
   , mSkipServiceWorker(aOther.mSkipServiceWorker)
   , mSynchronous(aOther.mSynchronous)
   , mUnsafeRequest(aOther.mUnsafeRequest)
   , mUseURLCredentials(aOther.mUseURLCredentials)
   , mCreatedByFetchEvent(aOther.mCreatedByFetchEvent)
   , mContentPolicyTypeOverridden(aOther.mContentPolicyTypeOverridden)
--- a/dom/fetch/InternalRequest.h
+++ b/dom/fetch/InternalRequest.h
@@ -446,22 +446,16 @@ public:
 
   InternalHeaders*
   Headers()
   {
     return mHeaders;
   }
 
   bool
-  ForceOriginHeader()
-  {
-    return mForceOriginHeader;
-  }
-
-  bool
   SameOriginDataURL() const
   {
     return mSameOriginDataURL;
   }
 
   void
   UnsetSameOriginDataURL()
   {
@@ -645,17 +639,16 @@ private:
   RequestCredentials mCredentialsMode;
   MOZ_INIT_OUTSIDE_CTOR LoadTainting mResponseTainting;
   RequestCache mCacheMode;
   RequestRedirect mRedirectMode;
   nsString mIntegrity;
   bool mMozErrors;
   nsCString mFragment;
   MOZ_INIT_OUTSIDE_CTOR bool mAuthenticationFlag;
-  MOZ_INIT_OUTSIDE_CTOR bool mForceOriginHeader;
   MOZ_INIT_OUTSIDE_CTOR bool mPreserveContentCodings;
   MOZ_INIT_OUTSIDE_CTOR bool mSameOriginDataURL;
   MOZ_INIT_OUTSIDE_CTOR bool mSkipServiceWorker;
   MOZ_INIT_OUTSIDE_CTOR bool mSynchronous;
   MOZ_INIT_OUTSIDE_CTOR bool mUnsafeRequest;
   MOZ_INIT_OUTSIDE_CTOR bool mUseURLCredentials;
   // This is only set when a Request object is created by a fetch event.  We
   // use it to check if Service Workers are simply fetching intercepted Request
--- a/testing/web-platform/meta/cookies/samesite/fetch.html.ini
+++ b/testing/web-platform/meta/cookies/samesite/fetch.html.ini
@@ -1,16 +1,10 @@
 [fetch.html]
   [Untitled]
     expected: FAIL
 
-  [Subdomain redirecting to same-host fetches are strictly same-site]
-    expected: FAIL
-
   [Cross-site redirecting to same-host fetches are strictly same-site]
     expected: FAIL
 
   [Cross-site redirecting to subdomain fetches are strictly same-site]
     expected: FAIL
 
-  [Subdomain redirecting to cross-site fetches are cross-site]
-    expected: FAIL
-
deleted file mode 100644
--- a/testing/web-platform/meta/fetch/api/basic/request-headers.any.js.ini
+++ /dev/null
@@ -1,21 +0,0 @@
-[request-headers.any.worker.html]
-  [Fetch with GET]
-    expected: FAIL
-
-  [Fetch with HEAD]
-    expected: FAIL
-
-  [Fetch with GET and mode "cors" does not need an Origin header]
-    expected: FAIL
-
-
-[request-headers.any.html]
-  [Fetch with GET]
-    expected: FAIL
-
-  [Fetch with HEAD]
-    expected: FAIL
-
-  [Fetch with GET and mode "cors" does not need an Origin header]
-    expected: FAIL
-
deleted file mode 100644
--- a/testing/web-platform/meta/fetch/api/cors/cors-cookies-redirect.any.js.ini
+++ /dev/null
@@ -1,15 +0,0 @@
-[cors-cookies-redirect.any.worker.html]
-  [Testing credentials after cross-origin redirection with CORS and no preflight]
-    expected: FAIL
-
-  [Testing credentials after cross-origin redirection with CORS and preflight]
-    expected: FAIL
-
-
-[cors-cookies-redirect.any.html]
-  [Testing credentials after cross-origin redirection with CORS and no preflight]
-    expected: FAIL
-
-  [Testing credentials after cross-origin redirection with CORS and preflight]
-    expected: FAIL
-
deleted file mode 100644
--- a/testing/web-platform/meta/fetch/api/cors/cors-redirect.any.js.ini
+++ /dev/null
@@ -1,63 +0,0 @@
-[cors-redirect.any.html]
-  [Redirect 301: cors to another cors]
-    expected: FAIL
-
-  [Redirect 301: cors to same origin]
-    expected: FAIL
-
-  [Redirect 302: cors to another cors]
-    expected: FAIL
-
-  [Redirect 302: cors to same origin]
-    expected: FAIL
-
-  [Redirect 303: cors to another cors]
-    expected: FAIL
-
-  [Redirect 303: cors to same origin]
-    expected: FAIL
-
-  [Redirect 307: cors to another cors]
-    expected: FAIL
-
-  [Redirect 307: cors to same origin]
-    expected: FAIL
-
-  [Redirect 308: cors to another cors]
-    expected: FAIL
-
-  [Redirect 308: cors to same origin]
-    expected: FAIL
-
-
-[cors-redirect.any.worker.html]
-  [Redirect 301: cors to another cors]
-    expected: FAIL
-
-  [Redirect 301: cors to same origin]
-    expected: FAIL
-
-  [Redirect 302: cors to another cors]
-    expected: FAIL
-
-  [Redirect 302: cors to same origin]
-    expected: FAIL
-
-  [Redirect 303: cors to another cors]
-    expected: FAIL
-
-  [Redirect 303: cors to same origin]
-    expected: FAIL
-
-  [Redirect 307: cors to another cors]
-    expected: FAIL
-
-  [Redirect 307: cors to same origin]
-    expected: FAIL
-
-  [Redirect 308: cors to another cors]
-    expected: FAIL
-
-  [Redirect 308: cors to same origin]
-    expected: FAIL
-
deleted file mode 100644
--- a/testing/web-platform/meta/fetch/api/redirect/redirect-origin.any.js.ini
+++ /dev/null
@@ -1,63 +0,0 @@
-[redirect-origin.any.html]
-  [Same origin to same origin redirection 301]
-    expected: FAIL
-
-  [Other origin to same origin redirection 301]
-    expected: FAIL
-
-  [Same origin to same origin redirection 302]
-    expected: FAIL
-
-  [Other origin to same origin redirection 302]
-    expected: FAIL
-
-  [Same origin to same origin redirection 303]
-    expected: FAIL
-
-  [Other origin to same origin redirection 303]
-    expected: FAIL
-
-  [Same origin to same origin redirection 307]
-    expected: FAIL
-
-  [Other origin to same origin redirection 307]
-    expected: FAIL
-
-  [Same origin to same origin redirection 308]
-    expected: FAIL
-
-  [Other origin to same origin redirection 308]
-    expected: FAIL
-
-
-[redirect-origin.any.worker.html]
-  [Same origin to same origin redirection 301]
-    expected: FAIL
-
-  [Other origin to same origin redirection 301]
-    expected: FAIL
-
-  [Same origin to same origin redirection 302]
-    expected: FAIL
-
-  [Other origin to same origin redirection 302]
-    expected: FAIL
-
-  [Same origin to same origin redirection 303]
-    expected: FAIL
-
-  [Other origin to same origin redirection 303]
-    expected: FAIL
-
-  [Same origin to same origin redirection 307]
-    expected: FAIL
-
-  [Other origin to same origin redirection 307]
-    expected: FAIL
-
-  [Same origin to same origin redirection 308]
-    expected: FAIL
-
-  [Other origin to same origin redirection 308]
-    expected: FAIL
-