CORS: Allow particular Range header values without a preflight
Categories
(Core :: DOM: Networking, enhancement, P3)
Tracking
()
People
(Reporter: jaffathecake, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-needed, Whiteboard: [necko-triaged])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Expected results:
Spec discussion: https://github.com/whatwg/fetch/issues/1310
Spec PR: https://github.com/whatwg/fetch/pull/1312
Tests PR: https://github.com/web-platform-tests/wpt/pull/31058
Range was added as a safe-listed header as long as the value is in a particular format, which aligns with formats the browser uses when requesting media and resuming downloads.
|
||
Updated•2 years ago
|
|
||
Updated•1 year ago
|
|
||
Comment 2•1 year ago
|
||
The following information seems to have sped the development of a webkit patch along, so I will re-post it here:
CORS-safelisted request-header:
https://fetch.spec.whatwg.org/#cors-safelisted-request-header
Allowed particular Range header values (simple range header value):
https://fetch.spec.whatwg.org/#simple-range-header-value
Examples:
Range: bytes=0-255
Range: bytes=255-
Hopefully it will make a patch for Gecko more likely.
|
|
||
Comment 3•1 year ago
|
||
Dev docs PR https://github.com/mdn/content/pull/14657
|
|
||
Comment 4•1 year ago
|
||
Dev docs published: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
Range (only with a simple range header value; e.g., bytes=256- or bytes=127-255)
Note: Firefox has not implemented Range as a safelisted request-header yet. See bug 1733981.
Shipped in Chromium: https://chromestatus.com/feature/5652396366626816
In trunk for WebKit: https://git.webkit.org/?p=WebKit.git;a=commit;h=2b039d303782f915fd730720f281f081aab45549
|
|
||
Comment 5•1 year ago
|
||
Edit: Correct link to WebKit: https://trac.webkit.org/changeset/292293/webkit
Description
•