Closed Bug 1460299 Opened 7 years ago Closed 4 years ago

Fetch: content-length header is being added to the safe-list

Categories

(Core :: DOM: Networking, defect, P2)

Product:
Core
Component:
DOM: Networking
Version:
59 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
87 Branch
Tracking Flags:
Tracking Status
firefox87 --- fixed

People

(Reporter: shacharz, Assigned: fli+bugzilla)

References

(Blocks 2 open bugs)

Details

(Keywords: dev-doc-complete, Whiteboard: [necko-triaged], [wptsync upstream])

Attachments

(2 files)

Bug 1460299 - Add content-length as a CORS-safelisted response header.
47 bytes, text/x-phabricator-request
Details | Review
Bug 1460299 - Remove cors-filtering.sub.any.js.ini a=test-only
48 bytes, text/x-phabricator-request
Details | Review
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36 Steps to reproduce: 1. create a CORS fetch request to a url that has content-length in its response and doesn't add content-length to access-control-expose-headers 2. content-length should be accessible in the response's headers Actual results: content-length is not exposed Expected results: When doing a CORS fetch request if content-length exists in the http response it should be exposed on the response headers even if it's not added to the access-control-expose-headers. The spec is under change: https://github.com/whatwg/fetch/pull/626 https://github.com/w3c/web-platform-tests/pull/10930
Blocks: ServiceWorkers-compat
Component: Untriaged → DOM
Product: Firefox → Core
Priority: -- → P2
Component: DOM → DOM: Core & HTML

Who would be the most suitable person to review the changes? This is my first time here, so I'm not familiar with the process of requesting a reviewer.

Hey Forrest (and Shachar), apologies for the lack of follow-up here. Junior can most likely take a look at your patch.

Component: DOM: Core & HTML → DOM: Networking
Flags: needinfo?(juhsu)

Hello Forrest, do you want to continue the process?
I can do the review. Just set the reviewer to JuniorHsu in phabricator.

Flags: needinfo?(juhsu) → needinfo?(forrest)
Blocks: fetch

Sorry for the extended delay. I'm pretty sure I accidentally deleted the notification emails a while back when mass-deleting old emails, and I'm just revisiting this.

Yes, I'm interested in moving forward with this patch. However, it appears that Junior's account is disabled in Phabricator. Is there anyone else I can set as the reviewer?

Flags: needinfo?(forrest)
Assignee: nobody → forrest
Status: NEW → ASSIGNED

I think Andrea [baku] might be able to review this based on some blame info for InternalHeaders.cpp. I added them as a reviewer.

Severity: normal → S3
Whiteboard: [necko-triaged]

Hi all, what's the status on this issue? Is this content-length now added as a safelisted header now?

ehsueh, thanks for the reminder. Valentin, can you ensure https://phabricator.services.mozilla.com/D58492 lands? Looks like all is in order there.

Flags: needinfo?(valentin.gosu)
Flags: needinfo?(valentin.gosu)
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/aefbe65483ef Add content-length as a CORS-safelisted response header. r=valentin,baku
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/27481 for changes under testing/web-platform/tests
Whiteboard: [necko-triaged] → [necko-triaged], [wptsync upstream]
Upstream PR was closed without merging

I've updated that test-case to expect passing results.

Flags: needinfo?(forrest)
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/4615f67be1a8 Add content-length as a CORS-safelisted response header. r=valentin,baku https://hg.mozilla.org/integration/autoland/rev/3b0711521076 Remove cors-filtering.sub.any.js.ini a=test-only

Oh thanks! I pushed the change and didn't notice that it was already closed after you made the change. You can ignore the recent change on phabricator.

https://hg.mozilla.org/mozilla-central/rev/4615f67be1a8
https://hg.mozilla.org/mozilla-central/rev/3b0711521076

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox87: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
Upstream PR merged by moz-wptsync-bot

FF87 docs for this are being done as part of https://github.com/mdn/content/pull/2766. Still waiting on discussion on BCD. Note also a little scope creep in docs for this one because I found the existing descriptions for the CORS response header safelist a bit confusing.

Setting this one to DDC; the BCD work is very nearly there.

Keywords: dev-doc-neededdev-doc-complete
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: