Fetch CORS preflight fails with range header
Categories
(Core :: DOM: Networking, defect)
People
(Reporter: jon.ronnenberg, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Steps to reproduce:
I think I found a bug in the Fetch implementation in Firefox where the range header is not recognized as a CORS-safelisted request-header.
According to https://fetch.spec.whatwg.org/#cors-safelisted-request-header, `range` is considered a CORS-safelisted request-header if it is a simple range header value (https://fetch.spec.whatwg.org/#simple-range-header-value). E.g. `bytes=0-127` is a simple range header value.
I have created a test-case at https://dotnetcarpenter.github.io/bug-firefox-fetch-cors/.
- Press the "Fetch" button and see the result under the "Result" label.
- Use DevTools to see the error, "CORS Preflight Did Not Succeed".
Source code is at https://github.com/dotnetCarpenter/bug-firefox-fetch-cors.
```js
const url = 'https://raw.githubusercontent.com/OpenXcom/OpenXcom/94640aab1279ae268e0420a7b5c99cc44eb09473/bin/common/SoldierName/Danish.nam';
const appHtml = document.querySelector ('#app');
const fetchButton = appHtml.querySelector ('#fetch');
const resultPre = appHtml.querySelector ('#result');

fetchButton.addEventListener ('click', () => {
  // Cross-origin request whose only author-set header is Range.
  fetch (url, {
    headers: {
      range: 'bytes=0-127'
    }
  }).then (response => {
    // Return the promise so a failed body read also reaches .catch below.
    return response.text ()
      .then (text => {
        resultPre.textContent = text;
      });
  })
  .catch (error => {
    resultPre.textContent = `Error: ${error.message}`;
  });
});
```
Actual results:
- Go to https://github.com/dotnetCarpenter/bug-firefox-fetch-cors
- Clicking the button will fetch the first 128 bytes from raw.githubusercontent.com/OpenXcom/OpenXcom/bin/common/SoldierName/Danish.nam, or in the case of Firefox 99.0b8 (64-bit), throw an error.
Expected results:
In Chrome, you will get the following result (content of the <pre> element):
lookWeights:
- 49
- 49
- 2
- 0
maleFirst:
- Absalon
- Adam
- Adolf
- Albert
- Alex
- Alexander
- Alf
- A
The first 128 bytes of https://raw.githubusercontent.com/OpenXcom/OpenXcom/94640aab1279ae268e0420a7b5c99cc44eb09473/bin/common/SoldierName/Danish.nam
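The rule the report relies on, as an added example that is not part of the original report or of any browser's code: a JavaScript reading of the Fetch spec's "simple range header value" check linked above, deciding whether a `range` header is CORS-safelisted or would force a preflight. The function names are hypothetical, and every sample value other than `bytes=0-127` is constructed.

```javascript
// Added example; function names are hypothetical, not from Firefox or the spec.

// Parse a single range header value with no whitespace allowed.
// Returns [start, end] (each a BigInt or null), or null on failure.
function parseSingleRange (data) {
  // "bytes=" then optional digits, "-", optional digits, and nothing else.
  const m = /^bytes=([0-9]*)-([0-9]*)$/.exec (data);
  if (m === null) return null;
  const start = m[1] === '' ? null : BigInt (m[1]);
  const end = m[2] === '' ? null : BigInt (m[2]);
  if (start === null && end === null) return null;            // "bytes=-"
  if (start !== null && end !== null && start > end) return null;
  return [start, end];
}

// True when a `range` request header can be sent cross-origin without a preflight.
function isSafelistedRange (name, value) {
  if (name.toLowerCase () !== 'range') return false;  // only range is modelled here
  if (value.length > 128) return false;               // per-value length cap (ASCII assumed)
  const parsed = parseSingleRange (value);
  if (parsed === null) return false;
  return parsed[0] !== null;                          // suffix ranges are not safelisted
}

// First entry is the value from the report; the rest are constructed samples.
const samples = ['bytes=0-127', 'bytes=0-', 'bytes=-128', 'bytes=0-127,200-300',
  'bytes = 0-127', 'bytes=127-0', 'items=0-127'];

// Pair each value with the verdict a spec-conforming client would reach.
function classify (values) {
  return values.map (v => [v, isSafelistedRange ('range', v) ? 'no preflight' : 'preflight']);
}

for (const [value, verdict] of classify (samples)) {
  console.log (`${value.padEnd (22)} ${verdict}`);
}
```

Multi-range, suffix-range and whitespace-padded values fall outside the safelist, so a server that expects those from cross-origin scripts still has to answer the preflight and allow `Range` in `Access-Control-Allow-Headers`.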
Reporter
Comment 1•3 years ago
The following two reports seem relevant but as far as I can see, they do not mention the range header at all.
Comment 2•3 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Networking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Reporter
Comment 3•3 years ago
Oops.. In the "Actual results:" section, the first URL should have been https://dotnetcarpenter.github.io/bug-firefox-fetch-cors/
Reporter
Comment 4•3 years ago
The relevant failing test-case on Web Platform Tests (wpt) is here: https://wpt.fyi/results/cors/cors-safelisted-request-header.any.html?label=experimental&label=master&aligned
Source:
Comment 5•3 years ago
Thanks for the report.