#612 (from OlgaTPark/14) additional fixes
This commit is contained in:
parent
06bbc2e34c
commit
53381bf934
|
@ -1318,7 +1318,10 @@ nsXMLHttpRequest::IsSafeHeader(const nsACString& header, nsIHttpChannel* httpCha
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (token.EqualsLiteral("*")) {
|
if (token.EqualsLiteral("*") &&
|
||||||
|
(mState & XML_HTTP_REQUEST_AC_WITH_CREDENTIALS) !=
|
||||||
|
XML_HTTP_REQUEST_AC_WITH_CREDENTIALS /* See this->SetWithCredentials */)
|
||||||
|
{
|
||||||
isSafe = true;
|
isSafe = true;
|
||||||
} else if (header.Equals(token, nsCaseInsensitiveCStringComparator())) {
|
} else if (header.Equals(token, nsCaseInsensitiveCStringComparator())) {
|
||||||
isSafe = true;
|
isSafe = true;
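Review bot: The credentials test on the new `if` is spelled `(mState & XML_HTTP_REQUEST_AC_WITH_CREDENTIALS) != XML_HTTP_REQUEST_AC_WITH_CREDENTIALS` with the rationale tucked into a `/* See this->SetWithCredentials */` comment inside the condition, which hides the security-relevant rule; if the constant is a single bit, as the `mState &` test suggests, `!(mState & XML_HTTP_REQUEST_AC_WITH_CREDENTIALS)` reads the same and the why belongs above the statement: `// "*" in Access-Control-Expose-Headers is a wildcard only for requests sent without credentials; with credentials it is matched as a literal header name by the Equals branch below.` A wildcard also lets script read every response header that survives the earlier checks in IsSafeHeader, so the forbidden response-header names (Set-Cookie and the like) must be rejected before this point; the `return false;` lines at the top of the hunk suggest that is the case, but it cannot be confirmed here. IsSafeHeader begins and ends outside the hunk.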
|
||||||
|
|
|
@ -1289,6 +1289,7 @@ nsCORSPreflightListener::CheckPreflightRequestApproved(nsIRequest* aRequest)
|
||||||
headerVal);
|
headerVal);
|
||||||
nsTArray<nsCString> headers;
|
nsTArray<nsCString> headers;
|
||||||
nsCCharSeparatedTokenizer headerTokens(headerVal, ',');
|
nsCCharSeparatedTokenizer headerTokens(headerVal, ',');
|
||||||
|
bool allowAllHeaders = false;
|
||||||
while(headerTokens.hasMoreTokens()) {
|
while(headerTokens.hasMoreTokens()) {
|
||||||
const nsDependentCSubstring& header = headerTokens.nextToken();
|
const nsDependentCSubstring& header = headerTokens.nextToken();
|
||||||
if (header.IsEmpty()) {
|
if (header.IsEmpty()) {
|
||||||
|
@ -1299,14 +1300,22 @@ nsCORSPreflightListener::CheckPreflightRequestApproved(nsIRequest* aRequest)
|
||||||
NS_ConvertUTF8toUTF16(header).get());
|
NS_ConvertUTF8toUTF16(header).get());
|
||||||
return NS_ERROR_DOM_BAD_URI;
|
return NS_ERROR_DOM_BAD_URI;
|
||||||
}
|
}
|
||||||
headers.AppendElement(header);
|
if (header.EqualsLiteral("*") && !mWithCredentials) {
|
||||||
|
allowAllHeaders = true;
|
||||||
|
} else {
|
||||||
|
headers.AppendElement(header);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
for (uint32_t i = 0; i < mPreflightHeaders.Length(); ++i) {
|
|
||||||
if (!headers.Contains(mPreflightHeaders[i],
|
if (!allowAllHeaders) {
|
||||||
nsCaseInsensitiveCStringArrayComparator())) {
|
const auto& comparator = nsCaseInsensitiveCStringArrayComparator();
|
||||||
LogBlockedRequest(aRequest, "CORSMissingAllowHeaderFromPreflight",
|
for (uint32_t i = 0; i < mPreflightHeaders.Length(); ++i) {
|
||||||
NS_ConvertUTF8toUTF16(mPreflightHeaders[i]).get());
|
if (!headers.Contains(mPreflightHeaders[i], comparator)) {
|
||||||
return NS_ERROR_DOM_BAD_URI;
|
LogBlockedRequest(
|
||||||
|
aRequest, "CORSMissingAllowHeaderFromPreflight",
|
||||||
|
NS_ConvertUTF8toUTF16(mPreflightHeaders[i]).get());
|
||||||
|
return NS_ERROR_DOM_BAD_URI;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
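Review bot: Once `allowAllHeaders` is set, the new `if (!allowAllHeaders)` guard skips the check of `mPreflightHeaders` entirely, so a preflighted `Authorization` request header is approved by a bare `Access-Control-Allow-Headers: *`; the CORS protocol in the Fetch specification excludes `Authorization` from the wildcard and requires it to be listed explicitly even for requests without credentials, so the loop should still run and only skip the names the wildcard covers, as in the rewrite below (the `if (!allowAllHeaders)` wrapper goes away). `mWithCredentials` is not declared in this hunk and is presumably the listener's copy of the request's credentials flag; it is worth confirming it is populated before this listener runs, since a stale `false` would turn the wildcard on for credentialed requests. As a point of style, `const auto& comparator = nsCaseInsensitiveCStringArrayComparator();` binds a temporary to a reference where a plain value (`const nsCaseInsensitiveCStringArrayComparator comparator;`) says the same thing. CheckPreflightRequestApproved continues outside the hunk on both sides.
```cpp
for (uint32_t i = 0; i < mPreflightHeaders.Length(); ++i) {
  // "*" never covers Authorization; it must be listed explicitly.
  if (allowAllHeaders &&
      !mPreflightHeaders[i].LowerCaseEqualsLiteral("authorization")) {
    continue;
  }
  if (!headers.Contains(mPreflightHeaders[i], comparator)) {
    // … unchanged: LogBlockedRequest and return NS_ERROR_DOM_BAD_URI …
  }
}
```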
|
||||||
|
|
||||||
|
|