Closed Bug 1733981 Opened 3 years ago Closed 10 months ago

CORS: Allow particular Range header values without a preflight

Tracking

()

Status:

RESOLVED FIXED

Milestone:

117 Branch

Tracking Flags:

Tracking

Status

firefox117

---

fixed

People

(Reporter: jaffathecake, Assigned: dlrobertson)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete, Whiteboard: [necko-triaged])

Attachments

(1 file)

Bug 1733981: Allow single range header values without preflight. r?twisniewski,#necko-reviewers 10 months ago Dan Robertson (:dlrobertson) 48 bytes, text/x-phabricator-request		Details \| Review

Jake Archibald

Reporter

Description

•

3 years ago

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36

Expected results:

Spec discussion: https://github.com/whatwg/fetch/issues/1310
Spec PR: https://github.com/whatwg/fetch/pull/1312
Tests PR: https://github.com/web-platform-tests/wpt/pull/31058

Range was added as a safe-listed header as long as the value is in a particular format, which aligns with formats the browser uses when requesting media and resuming downloads.

Anne (:annevk)

Updated

•

3 years ago

Status: UNCONFIRMED → NEW

Ever confirmed: true

Keywords: dev-doc-needed

Dragana Damjanovic [:dragana]

Updated

•

3 years ago

Severity: -- → N/A

Priority: -- → P3

Whiteboard: [necko-triaged]

Tom S [:evilpie]

Updated

•

2 years ago

Blocks: fetch

dotnetCarpenter

Comment 2

•

2 years ago

The following information seems to have sped the development of a webkit patch along, so I will re-post it here:

CORS-safelisted request-header:
https://fetch.spec.whatwg.org/#cors-safelisted-request-header

Allowed particular Range header values (simple range header value):
https://fetch.spec.whatwg.org/#simple-range-header-value

Examples:

Range: bytes=0-255

Range: bytes=255-

Hopefully it will make a patch for Gecko more likely.

dotnetCarpenter

Comment 3

•

2 years ago

Dev docs PR https://github.com/mdn/content/pull/14657

Karl Tomlinson (:karlt)

Updated

•

2 years ago

Comment 4

•

2 years ago

Dev docs published: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests

Range (only with a simple range header value; e.g., bytes=256- or bytes=127-255)
Note: Firefox has not implemented Range as a safelisted request-header yet. See bug 1733981.

Shipped in Chromium: https://chromestatus.com/feature/5652396366626816
In trunk for WebKit: https://git.webkit.org/?p=WebKit.git;a=commit;h=2b039d303782f915fd730720f281f081aab45549

dotnetCarpenter

Comment 5

•

2 years ago

Edit: Correct link to WebKit: https://trac.webkit.org/changeset/292293/webkit

Karl Tomlinson (:karlt)

Updated

•

2 years ago

Depends on: CVE-2022-45403

Dan Robertson (:dlrobertson)

Assignee

Updated

•

10 months ago

Comment 6

•

10 months ago

Attached file Bug 1733981: Allow single range header values without preflight. r?twisniewski,#necko-reviewers — Details

The Range header was added as a safe-listed header as long as the value
is in a particular format. Update IsCORSSafelistedRequestHeader
implementations to account for this.

Phabricator Automation

Updated

•

10 months ago

Assignee: nobody → drobertson

Status: NEW → ASSIGNED

Pulsebot

Comment 7

•

10 months ago

Pushed by drobertson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ee68eebc7bfd
Allow single range header values without preflight. r=twisniewski,necko-reviewers,kershaw

Pulsebot

Comment 8

•

10 months ago

Backout by csabou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2f3294fbb670
Backed out changeset ee68eebc7bfd for causing range related wpt unexpected passes. CLOSED TREE

Cosmin Sabou [:CosminS]

Comment 9

•

10 months ago

Backed out for causing range related wpt unexpected passes.

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel&revision=ee68eebc7bfd59157569f7de331974b06e765482&searchStr=wpt&test_paths=%2Ffetch%2Frange&selectedTaskRun=Y-kmF8pRRZ2joGcNOFesiA.0

Failure logs:

Backout link: https://hg.mozilla.org/integration/autoland/rev/2f3294fbb670

Flags: needinfo?(drobertson)

Dan Robertson (:dlrobertson)

Assignee

Comment 10

•

10 months ago

Ah, missed a test that should be passing now.

Flags: needinfo?(drobertson)

Pulsebot

Comment 11

•

10 months ago

Pushed by drobertson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/87f35bfe2247
Allow single range header values without preflight. r=twisniewski,necko-reviewers,kershaw

Norisz Fay [:noriszfay]

Comment 12

•

10 months ago

Backed out for causing failures on general.any.serviceworker.html

Backout link

Push with failures

Failure log

Flags: needinfo?(drobertson)

Dan Robertson (:dlrobertson)

Assignee

Comment 13

•

10 months ago

Looks like I was too aggressive in my wpt metadata pruning... The test is failing due to bug 1465074. I'll look to see how easy it would be to solve that bug as well... Otherwise I'll just reduce the wpt test metadata pruning

Flags: needinfo?(drobertson)

Pulsebot

Comment 14

•

10 months ago

Pushed by drobertson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cd0d5fa97119
Allow single range header values without preflight. r=twisniewski,necko-reviewers,kershaw

Sandor Molnar[:smolnar]

Comment 15

•

10 months ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/cd0d5fa97119

Status: ASSIGNED → RESOLVED

Closed: 10 months ago

status-firefox117: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 117 Branch

Brian Thomas Smith [bsmth]

Comment 16

•

8 months ago

Other MDN docs changes can be tracked in the following GitHub issue: https://github.com/mdn/content/issues/28281

Brian Thomas Smith [bsmth]

Updated

•

8 months ago

Keywords: dev-doc-needed → dev-doc-complete

You need to log in before you can comment on or make changes to this bug.