See https://github.com/whatwg/fetch/pull/829 for the change to the standard and https://github.com/web-platform-tests/wpt/pull/13921 for tests. It's particularly concerning that Chromium allows spaces around / in MIME types, but the other failures probably also need to be addressed given the previously agreed upon threat model.
reassign to yhirano who reviewed and approved the spec side change
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0f0e8b3b1358acc67de6d1701feb01535b8c59b9

commit 0f0e8b3b1358acc67de6d1701feb01535b8c59b9
Author: Yutaka Hirano <yhirano@chromium.org>
Date: Wed Nov 14 02:06:57 2018

[CORS] Be strict on request's Content-Type

Following the corresponding spec change:
https://github.com/whatwg/fetch/pull/829

Bug: 902681
Change-Id: If0da598ada489417c34926935acdd3cfff519aa7
Reviewed-on: https://chromium-review.googlesource.com/c/1329815
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/heads/master@{#607847}

[modify] https://crrev.com/0f0e8b3b1358acc67de6d1701feb01535b8c59b9/services/network/public/cpp/cors/cors.cc
[modify] https://crrev.com/0f0e8b3b1358acc67de6d1701feb01535b8c59b9/services/network/public/cpp/cors/cors_unittest.cc
[modify] https://crrev.com/0f0e8b3b1358acc67de6d1701feb01535b8c59b9/third_party/WebKit/LayoutTests/external/wpt/cors/cors-safelisted-request-header.any-expected.txt
[modify] https://crrev.com/0f0e8b3b1358acc67de6d1701feb01535b8c59b9/third_party/WebKit/LayoutTests/external/wpt/cors/cors-safelisted-request-header.any.worker-expected.txt
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/bb3ab7dd37f12b9cc28333cd7e84a89d0fd2bbb0

commit bb3ab7dd37f12b9cc28333cd7e84a89d0fd2bbb0
Author: Yutaka Hirano <yhirano@chromium.org>
Date: Thu Nov 15 09:15:15 2018

Fix CORS-unsafe request-header byte

Bytes greater than 0x7f should not be considered as unsafe.
This CL also replaces "utf8" character conversions in blink/renderer/platform/loader/cors/cors.cc to "latin1" as it's what's done when actually converting blink::HTTPHeaderMap to net::HttpRequestHeaders.

Bug: 824130, 902681
Change-Id: I01aacf814f1fc8a3ab8f191e1a9ec2bd01c1efee
Reviewed-on: https://chromium-review.googlesource.com/c/1335049
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/heads/master@{#608300}

[modify] https://crrev.com/bb3ab7dd37f12b9cc28333cd7e84a89d0fd2bbb0/services/network/public/cpp/cors/cors.cc
[modify] https://crrev.com/bb3ab7dd37f12b9cc28333cd7e84a89d0fd2bbb0/services/network/public/cpp/cors/cors_unittest.cc
[modify] https://crrev.com/bb3ab7dd37f12b9cc28333cd7e84a89d0fd2bbb0/third_party/blink/renderer/platform/loader/cors/cors.cc
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6e0f522006c33a987c97b239f21efd3e8c365e23

commit 6e0f522006c33a987c97b239f21efd3e8c365e23
Author: Rob Buis <rbuis@igalia.com>
Date: Tue Nov 20 12:01:18 2018

Be strict on request's Content-Type

Be strict on request's Content-Type by only allowing whitespace before type and after subtype.
Behavior matches Firefox.

Bug: 902681
Change-Id: Id08c0c56076c5b4aa6e335893f663b7d91229da1
Reviewed-on: https://chromium-review.googlesource.com/c/1341508
Commit-Queue: Rob Buis <rbuis@igalia.com>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Cr-Commit-Position: refs/heads/master@{#609667}

[modify] https://crrev.com/6e0f522006c33a987c97b239f21efd3e8c365e23/net/base/mime_util.cc
[modify] https://crrev.com/6e0f522006c33a987c97b239f21efd3e8c365e23/net/base/mime_util.h
[modify] https://crrev.com/6e0f522006c33a987c97b239f21efd3e8c365e23/net/base/mime_util_unittest.cc
[delete] https://crrev.com/8b5e1ba8acab3e47d274a59eccadb24501df1a76/third_party/WebKit/LayoutTests/external/wpt/cors/cors-safelisted-request-header.any-expected.txt
[delete] https://crrev.com/8b5e1ba8acab3e47d274a59eccadb24501df1a76/third_party/WebKit/LayoutTests/external/wpt/cors/cors-safelisted-request-header.any.worker-expected.txt
[modify] https://crrev.com/6e0f522006c33a987c97b239f21efd3e8c365e23/third_party/WebKit/LayoutTests/external/wpt/fetch/data-urls/processing.any-expected.txt
[modify] https://crrev.com/6e0f522006c33a987c97b239f21efd3e8c365e23/third_party/WebKit/LayoutTests/external/wpt/fetch/data-urls/processing.any.worker-expected.txt
FYI: you want strictly HTTP whitespace here (per agreement with Matt Menke). I updated the MIME type parser definition in the standard the other day to require that.
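The strict Content-Type check this thread converges on, as an added C++ example (not Chromium's code and not written by anyone in this thread): whitespace is accepted only before the type and after the subtype, and bytes above 0x7F are not treated as CORS-unsafe. All function names are hypothetical; the unsafe-byte set, the 128-byte cap and the three allowed essences are taken from the Fetch standard's CORS-safelisted request-header definition, and the sample values in `main` are constructed.

```cpp
#include <cstdio>
#include <string>

// HTTP whitespace as the Fetch standard defines it: HT, LF, CR, SP.
static bool IsHttpWhitespace(unsigned char c) {
  return c == 0x09 || c == 0x0A || c == 0x0D || c == 0x20;
}
// HTTP token code point: ASCII alphanumeric or one of !#$%&'*+-.^_`|~
static bool IsTokenChar(unsigned char c) {
  if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')) return true;
  return std::string("!#$%&'*+-.^_`|~").find(static_cast<char>(c)) != std::string::npos;
}
// CORS-unsafe request-header byte. Bytes above 0x7F are not in this set.
static bool IsCorsUnsafeByte(unsigned char c) {
  if (c < 0x20) return c != 0x09;
  if (c == 0x7F) return true;
  return std::string("\"():<>?@[\\]{}").find(static_cast<char>(c)) != std::string::npos;
}
// Returns the lower-cased "type/subtype", or "" when strict parsing fails.
std::string StrictEssence(const std::string& v) {
  size_t b = 0, e = v.size();
  while (b < e && IsHttpWhitespace(v[b])) ++b;      // allowed before the type
  while (e > b && IsHttpWhitespace(v[e - 1])) --e;
  const size_t slash = v.find('/', b);
  if (slash == std::string::npos || slash >= e) return "";
  const size_t semi = v.find(';', slash + 1);
  size_t end = (semi == std::string::npos || semi > e) ? e : semi;
  while (end > slash + 1 && IsHttpWhitespace(v[end - 1])) --end;  // allowed after the subtype
  if (slash == b || end == slash + 1) return "";    // empty type or subtype
  std::string essence;
  for (size_t i = b; i < end; ++i) {
    unsigned char c = static_cast<unsigned char>(v[i]);
    if (i != slash && !IsTokenChar(c)) return "";   // e.g. the spaces in "text / plain"
    essence += static_cast<char>((c >= 'A' && c <= 'Z') ? c + 32 : c);
  }
  return essence;
}
bool IsCorsSafelistedContentType(const std::string& value) {
  if (value.size() > 128) return false;             // length cap from the Fetch standard
  for (unsigned char c : value)
    if (IsCorsUnsafeByte(c)) return false;
  const std::string e = StrictEssence(value);
  return e == "application/x-www-form-urlencoded" || e == "multipart/form-data" || e == "text/plain";
}
int main() {  // constructed sample values
  for (const char* s : {"text/plain", " text/plain ", "text / plain", "text/plain; charset=\"x\""})
    std::printf("%-26s -> %d\n", s, IsCorsSafelistedContentType(s));
}
```

A value that fails this check is not CORS-safelisted, so a cross-origin request carrying it requires a preflight.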
Comment 1 by jochen@chromium.org, Nov 8
Owner: toyoshim@chromium.org
Status: Assigned (was: Unconfirmed)