Closed Bug 1460299 Opened 5 years ago Closed 3 years ago

Fetch: content-length header is being added to the safe-list


(Core :: DOM: Networking, defect, P2)

59 Branch



87 Branch
Tracking Status
firefox87 --- fixed


(Reporter: shacharz, Assigned: fli+bugzilla)


(Blocks 2 open bugs)


(Keywords: dev-doc-complete, Whiteboard: [necko-triaged], [wptsync upstream])


(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Steps to reproduce:

1. create a CORS fetch request to a url that has content-length in its response and doesn't add content-length to access-control-expose-headers
2.  content-length should be accessible in the response's headers

Actual results:

content-length is not exposed

Expected results:

When doing a CORS fetch request if content-length exists in the http response it should be exposed on the response headers even if it's not added to the access-control-expose-headers.

The spec is under change:
Component: Untriaged → DOM
Product: Firefox → Core
Priority: -- → P2
Component: DOM → DOM: Core & HTML

Who would be the most suitable person to review the changes? This is my first time here, so I'm not familiar with the process of requesting a reviewer.

Hey Forrest (and Shachar), apologies for the lack of follow-up here. Junior can most likely take a look at your patch.

Component: DOM: Core & HTML → DOM: Networking
Flags: needinfo?(juhsu)

Hello Forrest, do you want to continue the process?
I can do the review. Just set the reviewer to JuniorHsu in phabricator.

Flags: needinfo?(juhsu) → needinfo?(forrest)
Blocks: fetch

Sorry for the extended delay. I'm pretty sure I accidentally deleted the notification emails a while back when mass-deleting old emails, and I'm just revisiting this.

Yes, I'm interested in moving forward with this patch. However, it appears that Junior's account is disabled in Phabricator. Is there anyone else I can set as the reviewer?

Flags: needinfo?(forrest)
Assignee: nobody → forrest

I think Andrea [baku] might be able to review this based on some blame info for InternalHeaders.cpp. I added them as a reviewer.

Severity: normal → S3
Whiteboard: [necko-triaged]

Hi all, what's the status on this issue? Is this content-length now added as a safelisted header now?

ehsueh, thanks for the reminder. Valentin, can you ensure lands? Looks like all is in order there.

Flags: needinfo?(valentin.gosu)
Keywords: dev-doc-needed
Flags: needinfo?(valentin.gosu)
Pushed by
Add content-length as a CORS-safelisted response header. r=valentin,baku
Created web-platform-tests PR for changes under testing/web-platform/tests
Whiteboard: [necko-triaged] → [necko-triaged], [wptsync upstream]
Upstream PR was closed without merging

I've updated that test-case to expect passing results.

Flags: needinfo?(forrest)
Pushed by
Add content-length as a CORS-safelisted response header. r=valentin,baku
Remove cors-filtering.sub.any.js.ini a=test-only

Oh thanks! I pushed the change and didn't notice that it was already closed after you made the change. You can ignore the recent change on phabricator.

Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
Upstream PR merged by moz-wptsync-bot

FF87 docs for this are being done as part of Still waiting on discussion on BCD. Note also a little scope creep in docs for this one because I found the existing descriptions for the CORS response header safelist a bit confusing.

Setting this one to DDC; the BCD work is very nearly there.

You need to log in before you can comment on or make changes to this bug.