Closed Bug 1762794 Opened 3 years ago Closed 3 years ago

Fetch CORS preflight fails with range header

Categories

(Core :: DOM: Networking, defect)

Firefox 99
defect

Tracking

()

RESOLVED DUPLICATE of bug 1733981

People

(Reporter: jon.ronnenberg, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Steps to reproduce:

I think I found a bug in the Fetch implementation in Firefox where the range header is not recognized as a CORS-safelisted request-header.

According to https://fetch.spec.whatwg.org/#cors-safelisted-request-header, range is considered a CORS-safelisted request-header if it is a simple range header value (https://fetch.spec.whatwg.org/#simple-range-header-value). E.g. `bytes=0-127' is a simple range header value.

I have created a test-case at https://dotnetcarpenter.github.io/bug-firefox-fetch-cors/.

  1. Press the "Fetch" button and see the result under the "Result" label.
  2. Use DevTools to see the error, "CORS Preflight Did Not Succeed".

Source code is at https://github.com/dotnetCarpenter/bug-firefox-fetch-cors.

const url = 'https://raw.githubusercontent.com/OpenXcom/OpenXcom/94640aab1279ae268e0420a7b5c99cc44eb09473/bin/common/SoldierName/Danish.nam';

const appHtml     = document.querySelector ('#app');
const fetchButton = appHtml.querySelector ('#fetch');
const resultPre   = appHtml.querySelector ('#result');

fetchButton.addEventListener ('click', () => {
  fetch (url, {
    headers: {
      range: 'bytes=0-127'
    }
  }).then (response => {
      response.text ()
        .then (text => {
          resultPre.textContent = text;
        });
    })
    .catch (error => {
      resultPre.textContent = `Error: ${error.message}`;
    });
});

Actual results:

  1. Go to https://github.com/dotnetCarpenter/bug-firefox-fetch-cors
  2. Clicking the button will fetch the first 128 bytes from raw.githubusercontent.com/OpenXcom/OpenXcom/bin/common/SoldierName/Danish.nam, or in the case of Firefox 99.0b8 (64-bit), throw an error.

Expected results:

In Chrome, you will get the following result (content of the <pre> element):

lookWeights:
  - 49
  - 49
  - 2
  - 0
maleFirst:
  - Absalon
  - Adam
  - Adolf
  - Albert
  - Alex
  - Alexander
  - Alf
  - A

The first 128 bytes of https://raw.githubusercontent.com/OpenXcom/OpenXcom/94640aab1279ae268e0420a7b5c99cc44eb09473/bin/common/SoldierName/Danish.nam

The following two reports seems relevant but as far as I can see, they do not mention the range header at all.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Networking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Networking
Product: Firefox → Core

Oops.. In the "Actual results:" section, the first URL should have been https://dotnetcarpenter.github.io/bug-firefox-fetch-cors/

Thanks for the report.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.