Safelist Content-Length header #626

Merged
merged 3 commits into from
May 9, 2018

@benjamingr
Member

benjamingr commented Nov 6, 2017

Fixes: #622



@annevk
Member

annevk left a comment

Thanks, but this is a little wrong. Also, would you like to add your name to the Acknowledgments section?

fetch.bs Outdated
@@ -472,7 +473,6 @@ is a <a>byte-case-insensitive</a> match for one of
<li>`<a http-header><code>Access-Control-Request-Headers</code></a>`
<li>`<a http-header><code>Access-Control-Request-Method</code></a>`
<li>`<code>Connection</code>`
<li>`<code>Content-Length</code>`
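
Review bot: the hunk header (-472,7 +473,6) takes one entry out of this list, and the entries shown (`Access-Control-Request-Headers`, `Access-Control-Request-Method`, `Connection`, `Content-Length`) are request-side names, not the CORS-safelisted response-header list named in the PR title. If the entry being dropped is `Content-Length`, that is a second normative change the title and description do not cover; keep the entry in this list and add `Content-Length` only where the safelisted response header names are defined.
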

Please don't remove this, it's still a forbidden header name.

@annevk
Member

annevk commented Nov 7, 2017

For tests I suspect there are resources that need changes, fetch/api/cors/cors-filtering.js for sure. Not entirely sure what else. Fixing that, adding some tests, and noting in implementation bugs that there might be more fallout we haven't spotted is sufficient I think.

@benjamingr
Member Author

Just to be sure @annevk - that would be a separate PR changing https://github.com/w3c/web-platform-tests/blob/master/fetch/api/cors/cors-filtering.js#L59 ?

@annevk
Member

annevk commented Nov 7, 2017

Yeah, for normative changes there also needs to be a PR against web-platform-tests ensuring the change is tested (and any existing tests that need to be modified are modified) and browser bugs need to be filed pointing to both PRs ensuring everyone is notified.

Let me know how much of that you're willing to take on. I can help.

@annevk
Member

annevk commented Nov 7, 2017

At a high level this is documented at https://whatwg.org/working-mode#changes by the way, but perhaps we should also have a more concrete day-to-day guide.

@benjamingr
Member Author

> Let me know how much of that you're willing to take on. I can help.

I'm looking at this as an opportunity to learn the process better - if this gets annoying feel free to go ahead and make changes. I'll try to follow up with the tests tomorrow morning.

@annevk
Member

annevk commented Jan 6, 2018

@benjamingr did you get around to making tests?

@benjamingr
Member Author

@annevk sorry, not yet :(

annevk added the security/privacy (There are security or privacy implications) and needs tests (Moving the issue forward requires someone to write tests) labels Apr 12, 2018
shacharz added a commit to shacharz/web-platform-tests that referenced this pull request May 9, 2018
@shacharz

shacharz commented May 9, 2018

@annevk
Member

annevk commented May 9, 2018

@shacharz great, thanks! Could you file a bug against https://bugs.webkit.org/enter_bug.cgi?product=WebKit&component=HTML%20DOM too?

@shacharz

shacharz commented May 9, 2018

> @shacharz great, thanks! Could you file a bug against https://bugs.webkit.org/enter_bug.cgi?product=WebKit&component=HTML%20DOM too?

updated

annevk removed the needs tests (Moving the issue forward requires someone to write tests) label May 9, 2018
annevk merged commit 3a896ef into whatwg:master May 9, 2018
@annevk
Member

annevk commented May 9, 2018

Thanks @benjamingr and @shacharz; hopefully this small change is picked up quickly by everyone.

annevk pushed a commit to web-platform-tests/wpt that referenced this pull request May 9, 2018
@benjamingr
Member Author

Awesome :) Thanks and thanks @shacharz

benjamingr deleted the patch-1 branch May 9, 2018 16:24
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this pull request May 18, 2018
…by default, a=testonly

Automatic update from web-platform-testsCORS: safelist Content-Length header

See whatwg/fetch#626 for details.
--

wpt-commits: 407ecdff87af8aeceaa07cbc71aac9ec355d4334
wpt-pr: 10930
sole pushed a commit to sole/gecko that referenced this pull request May 21, 2018
gecko-dev-updater pushed a commit to marco-c/gecko-dev-comments-removed that referenced this pull request Oct 3, 2019
UltraBlame original commit: b784d4f3615eff3bc00f986fc460fd48454075a1
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified that referenced this pull request Oct 3, 2019
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified-and-comments-removed that referenced this pull request Oct 3, 2019
rwv added a commit to rwv/translated-content that referenced this pull request Aug 23, 2022
Content-Length was not part of the original set of safelisted response headers
See Also whatwg/fetch#626