Fetch: ensure preflight is required for Authorization/Range

annevk · annevk · commit 42837d756654 · 2021-01-19T13:25:44.000+01:00
Plus some minor cleanup. We will likely have to treat Range as a special case for media elements (see whatwg/fetch#145) so creating this to ensure that only happens when Range is set by the user agent.
diff --git a/fetch/api/cors/resources/not-cors-safelisted.json b/fetch/api/cors/resources/not-cors-safelisted.json
@@ -3,9 +3,11 @@
   ["accept", "012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678"],
   ["accept-language", "\u0001"],
   ["accept-language", "@"],
+  ["authorization", "basics"],
   ["content-language", "\u0001"],
   ["content-language", "@"],
   ["content-type", "text/html"],
   ["content-type", "text/plain; long=0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901"],
+  ["range", "bytes 0-"],
   ["test", "hi"]
 ]
diff --git a/fetch/api/credentials/authentication-basic.any.js b/fetch/api/credentials/authentication-basic.any.js
@@ -1,11 +1,10 @@
 // META: global=window,worker
-// META: script=../resources/utils.js
 
 function basicAuth(desc, user, pass, mode, status) {
   promise_test(function(test) {
     var headers = { "Authorization": "Basic " + btoa(user + ":" + pass)};
     var requestInit = {"credentials": mode, "headers": headers};
-    return fetch(RESOURCES_DIR + "authentication.py?realm=test", requestInit).then(function(resp) {
+    return fetch("../resources/authentication.py?realm=test", requestInit).then(function(resp) {
         assert_equals(resp.status, status, "HTTP status is " + status);
         assert_equals(resp.type , "basic", "Response's type is basic");
     });
@@ -15,3 +14,4 @@ function basicAuth(desc, user, pass, mode, status) {
 basicAuth("User-added Authorization header with include mode", "user", "password", "include", 200);
 basicAuth("User-added Authorization header with same-origin mode", "user", "password", "same-origin", 200);
 basicAuth("User-added Authorization header with omit mode", "user", "password", "omit", 200);
+basicAuth("User-added bogus Authorization header with omit mode", "notuser", "notpassword", "omit", 401);
diff --git a/fetch/api/resources/utils.js b/fetch/api/resources/utils.js
@@ -1,12 +1,5 @@
-var inWorker = false;
 var RESOURCES_DIR = "../resources/";
 
-try {
-  inWorker = !(self instanceof Window);
-} catch (e) {
-  inWorker = true;
-}
-
 function dirname(path) {
     return path.replace(/\/[^\/]*$/, '/')
 }
