More wildcards in CORS when used without credentials

Fixes #251 and fixes #252.

Overview.html

@@ -455,6 +455,8 @@ <h4 id="terminology-headers"><span class="secno">3.1.2 </span>Headers</h4>
 <p>and whose <a href="#concept-header-value" title="concept-header-value">value</a>,
 <a href="#concept-header-parse" title="concept-header-parse">once parsed</a>, is not a failure.
 
+<p>A <dfn id="cors-non-wildcard-request-header-name">CORS non-wildcard request-header name</dfn> is `<code title="">Authorization</code>`.
+
 <p>A <dfn id="cors-safelisted-response-header-name">CORS-safelisted response-header name</dfn>, given a
 <a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>
 <var>list</var>, is a <a href="#concept-header" title="concept-header">header</a>
@@ -1856,12 +1858,14 @@ <h4 id="http-new-header-syntax"><span class="secno">4.2.4 </span>HTTP new-header
 <pre>Access-Control-Request-Method    = <a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.1.1">method</a>
 Access-Control-Request-Headers   = #<a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.2">field-name</a>
 
-Access-Control-Allow-Origin      = origin-or-null / "*"
+wilrdcard                        = "*"
+Access-Control-Allow-Origin      = origin-or-null / wildcard
 Access-Control-Allow-Credentials = %x74.72.75.65 ; "true", case-sensitive
-Access-Control-Expose-Headers    = #<a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.2">field-name</a>
+Access-Control-Expose-Headers    = field-name-or-wildcard
+field-name-or-wildcard           = <a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.2">field-name</a> / wildcard
 Access-Control-Max-Age           = <a class="external" data-anolis-spec="http-caching" href="https://tools.ietf.org/html/rfc7234#section-1.2.1">delta-seconds</a>
-Access-Control-Allow-Methods     = #<a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.1.1">method</a>
-Access-Control-Allow-Headers     = #<a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.2">field-name</a></pre>
+Access-Control-Allow-Methods     = #<a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.1.1">method</a> / wildcard
+Access-Control-Allow-Headers     = #field-name-or-wildcard</pre>
 
 
 <h4 id="cors-protocol-and-credentials"><span class="secno">4.2.5 </span>CORS protocol and credentials</h4>
@@ -1963,6 +1967,12 @@ <h4 id="cors-protocol-and-credentials"><span class="secno">4.2.5 </span>CORS pro
   <td>`<code>true</code>` is (byte) case-sensitive.
 </table>
 
+<p>Similarly, `<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>`,
+`<a href="#http-access-control-allow-methods"><code title="http-access-control-allow-methods">Access-Control-Allow-Methods</code></a>`, and
+`<a href="#http-access-control-allow-headers"><code title="http-access-control-allow-headers">Access-Control-Allow-Headers</code></a>` response
+headers can only use `<code>*</code>` as value when <a href="#concept-request" title="concept-request">request</a>'s
+<a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is not "<code>include</code>".
+
 
 <h3 id="x-content-type-options-header"><span class="secno">4.3 </span>`<code title="">X-Content-Type-Options</code>` header</h3>
 
@@ -2374,13 +2384,29 @@ <h3 id="main-fetch"><span class="secno">5.1 </span>Main fetch</h3>
   run these substeps:
 
   <ol>
-   <li><p>If <var>request</var>'s
-   <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a> is
-   "<code title="">cors</code>", then set <var>response</var>'s
-   <a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>
-   to the result of <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
-   `<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` in
-   <var>response</var>'s <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.
+   <li>
+   	<p>If <var>request</var>'s
+    <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a> is
+    "<code title="">cors</code>", then run these substeps:</p>
+
+    <ol>
+     <li><p>Let <var>headerNames</var> be the result <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
+     `<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` in
+     <var>response</var>'s <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.
+
+     <li><p>If <var>headerNames</var> contains `<code title="">*</code>` and <var>request</var>'s
+     <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is not
+     "<code>include</code>", then set <var>response</var>'s
+     <a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>
+     to all unique <a href="#concept-header" title="concept-header">header</a>
+     <a href="#concept-header-name" title="concept-header-name">names</a> in <var>response</var>'s
+     <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.</li>
+
+     <li><p>Otherwise, if <var>headerNames</var> does <em>not</em> contain `<code title="">*</code>`,
+     then set <var>response</var>'s
+     <a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>
+     to <var>headerNames</var>.</p>
+    </ol>
 
    <li>
     <p>Set <var>response</var> to the following
@@ -3552,9 +3578,21 @@ <h3 id="cors-preflight-fetch"><span class="secno">5.7 </span>CORS-preflight fetc
    <li><p>If either <var>methods</var> or <var>headerNames</var> is failure,
    return a <a href="#concept-network-error" title="concept-network-error">network error</a>.
 
+   <li><p>If <var>methods</var> is `<code>*</code>` or <var>headerNames</var> contains
+   `<code>*</code>`, and <var>request</var>'s
+   <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is "<code>include</code>",
+   then return a <a href="#concept-network-error" title="concept-network-error">network error</a>.
+
    <li>
-    <p>If <var>methods</var> is null and <var>request</var>'s <a href="#use-cors-preflight-flag">use-CORS-preflight flag</a>
-    is set, set <var>methods</var> to <var>request</var>'s
+    <p>If one of the following is true
+
+    <ul class="brief">
+     <li><var>methods</var> is null and <var>request</var>'s <a href="#use-cors-preflight-flag">use-CORS-preflight flag</a> is
+     set
+     <li><var>methods</var> is `<code>*</code>`
+    </ul>
+
+    <p>then set <var>methods</var> to a new list containing <var>request</var>'s
     <a href="#concept-request-method" title="concept-request-method">method</a>.
 
     <p class="note no-backref">This ensures that a <a href="#cors-preflight-fetch-0">CORS-preflight fetch</a> that
@@ -3565,6 +3603,18 @@ <h3 id="cors-preflight-fetch"><span class="secno">5.7 </span>CORS-preflight fetc
    is not in <var>methods</var> and is not a <a href="#simple-method">simple method</a>, return a
    <a href="#concept-network-error" title="concept-network-error">network error</a>.
 
+   <li><p>If one of <var>request</var>'s
+   <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>'s
+   <a href="#concept-header-name" title="concept-header-name">names</a> is a
+   <a href="#cors-non-wildcard-request-header-name">CORS non-wildcard request-header name</a> and is not in <var>headerNames</var>, then
+   return a <a href="#concept-network-error" title="concept-network-error">network error</a>.
+
+   <li><p>If <var>headerNames</var> contains `<code>*</code>`, then remove all occurances of
+   `<code>*</code>` from <var>headerNames</var> and append all unique
+   <a href="#concept-header" title="concept-header">header</a> <a href="#concept-header-name" title="concept-header-name">names</a> from
+   <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a> to
+   <var>headerNames</var>.
+
    <li><p>If one of <var>request</var>'s
    <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>'
    <a href="#concept-header-name" title="concept-header-name">names</a> is not in <var>headerNames</var> and
@@ -5444,6 +5494,7 @@ <h2 class="no-num" id="acknowledgments">Acknowledgments</h2>
 Clement Pellerin,
 Collin Jackson,
 Daniel Robertson,
+Daniel Veditz,
 David Håsäther,
 David Orchard,
 Domenic Denicola,

Overview.src.html

@@ -384,6 +384,8 @@ <h4 id=terminology-headers>Headers</h4>
 <p>and whose <span title=concept-header-value>value</span>,
 <span title=concept-header-parse>once parsed</span>, is not a failure.
 
+<p>A <dfn>CORS non-wildcard request-header name</dfn> is `<code title>Authorization</code>`.
+
 <p>A <dfn>CORS-safelisted response-header name</dfn>, given a
 <span title=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</span>
 <var>list</var>, is a <span title=concept-header>header</span>
@@ -1785,12 +1787,14 @@ <h4 id=http-new-header-syntax>HTTP new-header syntax</h4>
 <pre>Access-Control-Request-Method    = <span data-anolis-spec=http>method</span>
 Access-Control-Request-Headers   = #<span data-anolis-spec=http>field-name</span>
 
-Access-Control-Allow-Origin      = origin-or-null / "*"
+wilrdcard                        = "*"
+Access-Control-Allow-Origin      = origin-or-null / wildcard
 Access-Control-Allow-Credentials = %x74.72.75.65 ; "true", case-sensitive
-Access-Control-Expose-Headers    = #<span data-anolis-spec=http>field-name</span>
+Access-Control-Expose-Headers    = field-name-or-wildcard
+field-name-or-wildcard           = <span data-anolis-spec=http>field-name</span> / wildcard
 Access-Control-Max-Age           = <span data-anolis-spec=http-caching>delta-seconds</span>
-Access-Control-Allow-Methods     = #<span data-anolis-spec=http>method</span>
-Access-Control-Allow-Headers     = #<span data-anolis-spec=http>field-name</span></pre>
+Access-Control-Allow-Methods     = #<span data-anolis-spec=http>method</span> / wildcard
+Access-Control-Allow-Headers     = #field-name-or-wildcard</pre>
 
 
 <h4>CORS protocol and credentials</h4>
@@ -1892,6 +1896,12 @@ <h4>CORS protocol and credentials</h4>
   <td>`<code>true</code>` is (byte) case-sensitive.
 </table>
 
+<p>Similarly, `<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>`,
+`<code title=http-access-control-allow-methods>Access-Control-Allow-Methods</code>`, and
+`<code title=http-access-control-allow-headers>Access-Control-Allow-Headers</code>` response
+headers can only use `<code>*</code>` as value when <span title=concept-request>request</span>'s
+<span title=concept-request-credentials-mode>credentials mode</span> is not "<code>include</code>".
+
 
 <h3>`<code title>X-Content-Type-Options</code>` header</h3>
 
@@ -2303,13 +2313,29 @@ <h3>Main fetch</h3>
   run these substeps:
 
   <ol>
-   <li><p>If <var>request</var>'s
-   <span title=concept-request-response-tainting>response tainting</span> is
-   "<code title>cors</code>", then set <var>response</var>'s
-   <span title=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</span>
-   to the result of <span title=concept-header-parse>parsing</span>
-   `<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>` in
-   <var>response</var>'s <span title=concept-response-header-list>header list</span>.
+   <li>
+   	<p>If <var>request</var>'s
+    <span title=concept-request-response-tainting>response tainting</span> is
+    "<code title>cors</code>", then run these substeps:</p>
+
+    <ol>
+     <li><p>Let <var>headerNames</var> be the result <span title=concept-header-parse>parsing</span>
+     `<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>` in
+     <var>response</var>'s <span title=concept-response-header-list>header list</span>.
+
+     <li><p>If <var>headerNames</var> contains `<code title>*</code>` and <var>request</var>'s
+     <span title=concept-request-credentials-mode>credentials mode</span> is not
+     "<code>include</code>", then set <var>response</var>'s
+     <span title=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</span>
+     to all unique <span title=concept-header>header</span>
+     <span title=concept-header-name>names</span> in <var>response</var>'s
+     <span title=concept-response-header-list>header list</span>.</p></li>
+
+     <li><p>Otherwise, if <var>headerNames</var> does <em>not</em> contain `<code title>*</code>`,
+     then set <var>response</var>'s
+     <span title=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</span>
+     to <var>headerNames</var>.</p>
+    </ol>
 
    <li>
     <p>Set <var>response</var> to the following
@@ -3481,9 +3507,21 @@ <h3>CORS-preflight fetch</h3>
    <li><p>If either <var>methods</var> or <var>headerNames</var> is failure,
    return a <span title=concept-network-error>network error</span>.
 
+   <li><p>If <var>methods</var> is `<code>*</code>` or <var>headerNames</var> contains
+   `<code>*</code>`, and <var>request</var>'s
+   <span title=concept-request-credentials-mode>credentials mode</span> is "<code>include</code>",
+   then return a <span title=concept-network-error>network error</span>.
+
    <li>
-    <p>If <var>methods</var> is null and <var>request</var>'s <span>use-CORS-preflight flag</span>
-    is set, set <var>methods</var> to <var>request</var>'s
+    <p>If one of the following is true
+
+    <ul class=brief>
+     <li><var>methods</var> is null and <var>request</var>'s <span>use-CORS-preflight flag</span> is
+     set
+     <li><var>methods</var> is `<code>*</code>`
+    </ul>
+
+    <p>then set <var>methods</var> to a new list containing <var>request</var>'s
     <span title=concept-request-method>method</span>.
 
     <p class="note no-backref">This ensures that a <span>CORS-preflight fetch</span> that
@@ -3494,6 +3532,18 @@ <h3>CORS-preflight fetch</h3>
    is not in <var>methods</var> and is not a <span>simple method</span>, return a
    <span title=concept-network-error>network error</span>.
 
+   <li><p>If one of <var>request</var>'s
+   <span title=concept-request-header-list>header list</span>'s
+   <span title=concept-header-name>names</span> is a
+   <span>CORS non-wildcard request-header name</span> and is not in <var>headerNames</var>, then
+   return a <span title=concept-network-error>network error</span>.
+
+   <li><p>If <var>headerNames</var> contains `<code>*</code>`, then remove all occurances of
+   `<code>*</code>` from <var>headerNames</var> and append all unique
+   <span title=concept-header>header</span> <span title=concept-header-name>names</span> from
+   <var>request</var>'s <span title=concept-request-header-list>header list</span> to
+   <var>headerNames</var>.
+
    <li><p>If one of <var>request</var>'s
    <span title=concept-request-header-list>header list</span>'
    <span title=concept-header-name>names</span> is not in <var>headerNames</var> and
@@ -5281,6 +5331,7 @@ <h2 class=no-num>Acknowledgments</h2>
 Clement Pellerin,
 Collin Jackson,
 Daniel Robertson,
+Daniel Veditz,
 David H&aring;s&auml;ther,
 David Orchard,
 Domenic Denicola,