Don't stop parsing after invalid elements in Access-Control-Allow-Headers
#219
+2
−6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ders This behaviour matches other CORS headers and fixes a parsing bug. As per https://httpwg.org/specs/rfc9110.html#abnf.extension, empty elements in the header are allowed, but previously this function would incorrectly finish the iterator due to take_while being used. Signed-off-by: Simon Wülker <[email protected]>
|
I'm not sure what the process for requesting a new release for this crate is, but it would be nice to have a new patch release when this is merged. |
github-merge-queue bot
pushed a commit
to servo/servo
that referenced
this pull request
Sep 11, 2025
I added these comments while debugging `cors/request-headers.htm`. Ultimately the bug turned out to be outside of servo, so we have to wait for hyperium/headers#219. Since that PR might take a while to merge I'd like to add these on their own. Signed-off-by: Simon Wülker <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This behaviour matches other CORS headers like
Access-Control-Allow-Headersand fixes a parsing bug.As per https://httpwg.org/specs/rfc9110.html#abnf.extension, empty elements in the header are allowed, but previously
AccessControlAllowHeaders::iterwould incorrectly finish the returned iterator early due totake_whilebeing used.Technically, invalid elements in the header should cause an error, but this is not possible with the current interface (which parses the header incrementally as the iterator is advanced) and there's an argument to be made that relaxed parsing is fine too.
For context, this bug causes a WPT failure for servo in
cors/request-headers.htm(See wpt.fyi). The test attempts to use,y-lol,x-PriNT, ,,,Y-PRINTas a value forAccess-Control-Allow-Headers(whose ABNF is#field-name1).Footnotes
https://fetch.spec.whatwg.org/#http-new-header-syntax ↩