XMLHttpRequest: Content-Type can require a preflight #5070
Conversation
|
Notifying @Manishearth, @caitp, @emilio, @hallvors, @ibelem, @jdm, @jungkees, @kangxu, @mathiasbynens, @ronkorving, and @wisniewskit. (Learn how reviewing works.) |
|
@bzbarsky you may want to review this since you last modified this test in https://bugzilla.mozilla.org/show_bug.cgi?id=1328761. I also think you may have introduced a same-origin policy violation in Firefox since you can't just preserve Content-Type when its value is not safelisted as per https://fetch.spec.whatwg.org/#cors-safelisted-request-header. I'm happy to file a bug by the way. (As a side effect Chrome now passes all these tests and Safari only fails two.) |
Firefox (nightly channel)Testing web-platform-tests at revision d94eee3f3d94c3bfa544ad41b53fa209a985f0f7 |
Chrome (unstable channel)Testing web-platform-tests at revision d94eee3f3d94c3bfa544ad41b53fa209a985f0f7 |
My change linked to above just preserved the "Content-Type not set" state across redirects, instead of converting it to "Content-Type set to empty string", which is what Firefox used to do before my change. It didn't change the behavior of any cases in which the header was set. Looking at Firefox code, we use the concept at https://fetch.spec.whatwg.org/#cors-safelisted-request-header to decide whether to preflight or not. I'm not sure whether we use it for anything else. Bug report is probably a good idea. That said, I see nothing in the spec about special handling of these on redirect per se, just in terms of checking what the preflight response looks like, right? |
| } | ||
|
|
||
| if (typeof body == "string") { | ||
| } else if (typeof body == "string") { |
There was a problem hiding this comment.
Why the else after return here and below?
| var arr = Array.prototype.slice.call(body); | ||
| return { body: String.fromCharCode.apply(null, arr), type: "NO" } | ||
| } else { | ||
| return { body: "EXTRACT NOT IMPLEMENTED", type: "EXTRACT NOT IMPLEMENTED" } |
There was a problem hiding this comment.
And this long line instead of the more readable two lines?
There was a problem hiding this comment.
We usually use 100 columns.
There was a problem hiding this comment.
I guess I can revert these changes though, they are editorial only.
There was a problem hiding this comment.
Fwiw, the wrapping of the body/type bits wasn't because it was too wide; it was just because it's more readable (for me at least) to have the different props on different lines.... I don't feel super-strongly about it, though.
| if (client.readyState == 4) { | ||
| client.onreadystatechange = t.step_func(() => { | ||
| if (client.readyState == 4) { | ||
| if(!setExplicitType) { |
| assert_equals(client.getResponseHeader("x-request-content-type"), expectedType); | ||
| assert_equals(client.getResponseHeader("x-request-data"), expectedBody); | ||
| } else { | ||
| // Content-Type is not safelisted by corsenabled.py -> network error |
There was a problem hiding this comment.
We should probably have a test for the case in which it is safelisted.
We should also have a test for the case in which it's not safelisted but one of the safe values was set.
There was a problem hiding this comment.
The latter is already covered by the text/plain example.
There was a problem hiding this comment.
We have an example that makes an explicit setRequestHeader with text/plain as the value?
There was a problem hiding this comment.
No we don't. Per the standard they're equivalent, but I suppose it doesn't hurt to have both.
Yeah, the problem is that Firefox doesn't appear to do a preflight or maybe it does a preflight, but does not require |
|
Hrm. Looking at the code some more, it really looks like this should work in Firefox; we're using one place both to decide that this header needs a preflight and that it's unsafe and needs whitelisting Please do get that bug filed! |
|
Actually, I filed it. https://bugzilla.mozilla.org/show_bug.cgi?id=1345788 |
|
Thanks, I was planning on getting there, still working through all my GitHub backlog. |
|
Yeah, I got sucked into debugging it, so figured I might as well file with the info I had. ;) |
annevk
force-pushed
the
annevk/xhr-content-type-cross-origin
branch
from
e654de1 to
3d29fdd
Compare
|
I think I covered all bases now. I'll file a bug on WebKit once you approve this. |
| } | ||
| client.send(body) | ||
| }) | ||
| }, document.title + " (" + name + ")") | ||
| } | ||
| redirect("301") |
There was a problem hiding this comment.
Didn't you change behavior for this call? It used to set the Content-Type header, but now no longer does. Is that purposeful?
There was a problem hiding this comment.
Yeah, because that made them all fail, but I'll add some more tests.
|
And in particular, we no longer have GET tests with explicit content-type in there now, right? |
|
Okay, I covered some more ground. |
|
Looks great, thanks! |
|
Filed https://bugs.webkit.org/show_bug.cgi?id=169420 on the WebKit failures. |
Supersedes #4801.