Commit d8e56007 authored by Kershaw Chang's avatar Kershaw Chang
Browse files

Bug 1687364 - Authorization header can't be wildcarded for...

Bug 1687364 - Authorization header can't be wildcarded for Access-Control-Allow-Headers, r=necko-reviewers,valentin

Differential Revision: https://phabricator.services.mozilla.com/D102932
parent 794e55d2
Loading
Loading
Loading
Loading
+1 −0
Original line number Diff line number Diff line
@@ -24,6 +24,7 @@ CORSPreflightDidNotSucceed3=Cross-Origin Request Blocked: The Same Origin Policy
CORSInvalidAllowMethod=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: invalid token ‘%2$S’ in CORS header ‘Access-Control-Allow-Methods’).
CORSInvalidAllowHeader=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: invalid token ‘%2$S’ in CORS header ‘Access-Control-Allow-Headers’).
CORSMissingAllowHeaderFromPreflight2=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: header ‘%2$S’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response).
CORSAllowHeaderFromPreflightDeprecation=Cross-Origin Request Warning: The Same Origin Policy will disallow reading the remote resource at %1$S soon. (Reason: When the `Access-Control-Allow-Headers` is `*`, the `Authorization` header is not covered. To include the `Authorization` header, it must be explicitly listed in CORS header `Access-Control-Allow-Headers`).

# LOCALIZATION NOTE: Do not translate "Strict-Transport-Security", "HSTS", "max-age" or "includeSubDomains"
STSUnknownError=Strict-Transport-Security: An unknown error occurred processing the header specified by the site.
+7 −0
Original line number Diff line number Diff line
@@ -12741,6 +12741,13 @@
  value: 60000
  mirror: always

# When the Access-Control-Allow-Headers is wildcard (*), whether to allow
# CORS-protected requests with the Authorization request header.
- name: network.cors_preflight.authorization_covered_by_wildcard
  type: bool
  value: true
  mirror: always

#---------------------------------------------------------------------------
# Prefs starting with "nglayout."
#---------------------------------------------------------------------------
+2 −2
Original line number Diff line number Diff line
@@ -1406,8 +1406,8 @@ void DocumentLoadListener::ApplyPendingFunctions(
                                                      aParams.mMessageCategory);
          },
          [reporter](const LogBlockedCORSRequestParams& aParams) {
            Unused << reporter->LogBlockedCORSRequest(aParams.mMessage,
                                                      aParams.mCategory);
            Unused << reporter->LogBlockedCORSRequest(
                aParams.mMessage, aParams.mCategory, aParams.mIsWarning);
          },
          [reporter](const LogMimeTypeMismatchParams& aParams) {
            Unused << reporter->LogMimeTypeMismatch(
+4 −1
Original line number Diff line number Diff line
@@ -246,10 +246,12 @@ class DocumentLoadListener : public nsIInterfaceRequestor,
  }

  nsresult LogBlockedCORSRequest(const nsAString& aMessage,
                                 const nsACString& aCategory) override {
                                 const nsACString& aCategory,
                                 bool aIsWarning) override {
    LogBlockedCORSRequestParams params;
    params.mMessage = aMessage;
    params.mCategory = aCategory;
    params.mIsWarning = aIsWarning;
    mSecurityWarningFunctions.AppendElement(
        SecurityWarningFunction{VariantIndex<1>{}, std::move(params)});
    return NS_OK;
@@ -473,6 +475,7 @@ class DocumentLoadListener : public nsIInterfaceRequestor,
  struct LogBlockedCORSRequestParams {
    nsString mMessage;
    nsCString mCategory;
    bool mIsWarning;
  };

  struct LogMimeTypeMismatchParams {
+2 −1
Original line number Diff line number Diff line
@@ -108,7 +108,8 @@ class HttpChannelSecurityWarningReporter : public nsISupports {
  [[nodiscard]] virtual nsresult ReportSecurityMessage(
      const nsAString& aMessageTag, const nsAString& aMessageCategory) = 0;
  [[nodiscard]] virtual nsresult LogBlockedCORSRequest(
      const nsAString& aMessage, const nsACString& aCategory) = 0;
      const nsAString& aMessage, const nsACString& aCategory,
      bool aIsWarning = false) = 0;
  [[nodiscard]] virtual nsresult LogMimeTypeMismatch(
      const nsACString& aMessageName, bool aWarning, const nsAString& aURL,
      const nsAString& aContentType) = 0;
Loading