Allow range header without preflight

[jakearchibald]

Fixes #1310.

• At least two implementers are interested (and none opposed):
  • Chromium
  • Mozilla
• Tests are written and can be reviewed and commented upon at:
  • Add tests for safelisting simple range headers from preflight web-platform-tests/wpt#31058
• Implementation bugs are filed:
  • Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=1255711
  • Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1733981
  • Safari: https://bugs.webkit.org/show_bug.cgi?id=231174
• Security review

---

Preview | Diff

[annevk]

Can we consolidate with https://wicg.github.io/background-fetch/#extract-content-range-values-algorithm perhaps? (I realize there are delimiter differences, but perhaps they can be abstracted somehow. See also WICG/background-fetch#157.)

The other thing that might help is to use isomorphic decode, so you can operate on a string. That removes the need for state and allows for using Infra's "collect a sequence" algorithms.

[jakearchibald]

@annevk I'm not sure how useful it is to consolidate with Content-Range, since the format is pretty different.

• ^bytes \d+-\d+/(\*|\d+)$ - simple Content-Range
• ^bytes=\d+-\d*$ - simple Range

I think it'd be confusing to try and combine the two.

I'll look at defining this using "collect a sequence", or would you rather I used the ABNF style from background-fetch?

[annevk]

Fair about combining. They are a bit more different than I thought. Implementers (at least Matt Menke) seem to prefer algorithms over ABNF and that's also the style I've used for the other header parsers thus far so I guess we should stick with that. Also, ABNF often leads to implementations that approximate the parser requirements in my experience.

[jakearchibald]

@annevk cool, I've rewritten it using "collecting a sequence of code points", it's much easier to read now.

[annevk]

Thanks, this looks very readable indeed.

[jakearchibald]

Ugh, I just realised it's bytes= rather than bytes . It's Content-Range that uses bytes . I've fixed up the range-setting algorithm too, but I'm happy to make that a different PR.

[jakearchibald]

This PR aims to allow, without requiring a preflight, CORS requests with a Range header similar to those the browser would send when downloading media or a resumable download.

When requesting media, browsers will typically request ranges like bytes=123456-789012, to target things like metadata in the resource, and bytes=0- for the initial media download.

When resuming the download of files, browsers will typically just use the initial range, like bytes=123-.

However, there are a few novel requests that this PR enables:

• Ranges outside the length of the resource. This includes cases where the server cannot determine the resources content length (eg it's still being created).
• Tiny ranges, eg bytes=123-123. I don't think browsers do this.
• Range along with a POST request. Downloads can be initiated via a POST request, but browsers will not send a Range header in these cases.
• Range and Origin headers on a GET request. We already include Origin with POST requests, but not GET unless it's a CORS request.
• Combining Range with unusual values in other safe-listed headers, such as accept: whatever.

Only "ranges outside the length of the resource" makes me raise an eyebrow, so I'd like a second opinion on that.

[annevk]

Thanks for the analysis! Modulo some final nits this looks good to me now. I wonder if @mikewest, @yutakahirano, and @youennf can help out with additional security review.

(This also ends up fixing #1265 now. It seems okay to include the fix for that here, as long as we indicate it in the final commit message.)

[jakearchibald]

(This also ends up fixing #1265 now. It seems okay to include the fix for that here, as long as we indicate it in the final commit message.)

Ah, sorry I missed that original issue.

[yutakahirano]

LGTM

[jakearchibald]

@rayankans over to you for the tests

[rayankans]

I created a PR for the tests here: web-platform-tests/wpt#31058

[annevk]

I'm comfortable with merging this once we have implementation bugs.

[jakearchibald]

Implementation bugs added.

Commit message:

---

Allow particular Range header values without a preflight.

The allowed format aligns with the values the browser uses when requesting media and resuming downloads.
Spec discussion: #1310
Spec PR: #1312
Tests PR: web-platform-tests/wpt#31058

[annevk]

Thanks all!