[Fetch] Support wildcard for access-control-expose-headers

Bug: 615313
Change-Id: Ie608f427083303af5afd98e8939dcfc43a266942
Reviewed-on: https://chromium-review.googlesource.com/805395Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Takeshi Yoshino <tyoshino@chromium.org>
Reviewed-by: Tsuyoshi Horo <horo@chromium.org>
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/heads/master@{#522082}

third_party/WebKit/LayoutTests/external/wpt/fetch/api/cors/cors-expose-star-expected.txt

-This is a testharness.js-based test.
-FAIL Basic Access-Control-Expose-Headers: * support assert_equals: expected (string) "X" but got (object) null
-PASS * for credentialed fetches only matches literally
-FAIL * can be one of several values assert_equals: expected (string) "X" but got (object) null
-Harness: the test ran to completion.
-

third_party/WebKit/LayoutTests/external/wpt/fetch/api/cors/cors-expose-star-worker-expected.txt

-This is a testharness.js-based test.
-FAIL Basic Access-Control-Expose-Headers: * support assert_equals: expected (string) "X" but got (object) null
-PASS * for credentialed fetches only matches literally
-FAIL * can be one of several values assert_equals: expected (string) "X" but got (object) null
-Harness: the test ran to completion.
-

third_party/WebKit/LayoutTests/external/wpt/fetch/api/cors/cors-expose-star.js

@@ -31,7 +31,7 @@ promise_test(() => {
 }, "* for credentialed fetches only matches literally")
 
 promise_test(() => {
-  const headers =  "header(Access-Control-Allow-Origin,*)|header(Access-Control-Expose-Headers,set-cookie)"
+  const headers =  "header(Access-Control-Allow-Origin,*)|header(Access-Control-Expose-Headers,set-cookie\\,*)"
   return fetch(url + sharedHeaders + headers).then(resp => {
     assert_equals(resp.status, 200)
     assert_equals(resp.type , "cors")

third_party/WebKit/LayoutTests/external/wpt/service-workers/cache-storage/script-tests/cache-match.js

 if (self.importScripts) {
     importScripts('/resources/testharness.js');
     importScripts('../resources/test-helpers.js');
+    importScripts('/common/get-host-info.sub.js');
 }
 
 prepopulated_cache_test(simple_entries, function(cache, entries) {
@@ -318,4 +319,22 @@ cache_test(function(cache) {
         });
   }, 'Cache produces large Responses that can be cloned and read correctly.');
 
+cache_test(async (cache) => {
+    const url = get_host_info().HTTPS_REMOTE_ORIGIN +
+      '/service-workers/cache-storage/resources/simple.txt?pipe=' +
+      'header(access-control-allow-origin,*)|' +
+      'header(access-control-expose-headers,*)|' +
+      'header(foo,bar)|' +
+      'header(set-cookie,X)';
+
+    const response = await fetch(url);
+    await cache.put(new Request(url), response);
+    const cached_response = await cache.match(url);
+
+    const headers = cached_response.headers;
+    assert_equals(headers.get('access-control-expose-headers'), '*');
+    assert_equals(headers.get('foo'), 'bar');
+    assert_equals(headers.get('set-cookie'), null);
+  }, 'cors-exposed header should be stored correctly.');
+
 done();

third_party/WebKit/LayoutTests/external/wpt/service-workers/cache-storage/window/cache-match.https.html

@@ -4,5 +4,6 @@
 <meta name="timeout" content="long">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
 <script src="../resources/test-helpers.js"></script>
 <script src="../script-tests/cache-match.js"></script>

third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/fetch-cors-exposed-header-names.https.html

+<!DOCTYPE html>
+<title>Service Worker: CORS-exposed header names should be transferred correctly</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/test-helpers.sub.js"></script>
+<script>
+promise_test(async function(t) {
+    const SCOPE = 'resources/simple.html';
+    const SCRIPT = 'resources/fetch-cors-exposed-header-names-worker.js';
+    const host_info = get_host_info();
+
+    const URL = get_host_info().HTTPS_REMOTE_ORIGIN +
+      '/service-workers/service-worker/resources/simple.txt?pipe=' +
+      'header(access-control-allow-origin,*)|' +
+      'header(access-control-expose-headers,*)|' +
+      'header(foo,bar)|' +
+      'header(set-cookie,X)';
+
+    const reg = await service_worker_unregister_and_register(t, SCRIPT, SCOPE);
+    await wait_for_state(t, reg.installing, 'activated');
+    const frame = await with_iframe(SCOPE);
+
+    const response = await frame.contentWindow.fetch(URL);
+    const headers = response.headers;
+    assert_equals(headers.get('foo'), 'bar');
+    assert_equals(headers.get('set-cookie'), null);
+    assert_equals(headers.get('access-control-expose-headers'), '*');
+  }, 'CORS-exposed header names for a response from sw');
+</script>

third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/fetch-cors-exposed-header-names-worker.js

+self.addEventListener('fetch', (e) => {
+    e.respondWith(fetch(e.request));
+  });

third_party/WebKit/Source/core/exported/WebAssociatedURLLoaderImpl.cpp

@@ -99,6 +99,7 @@ class WebAssociatedURLLoaderImpl::ClientAdapter final
       WebAssociatedURLLoaderClient*,
       const WebAssociatedURLLoaderOptions&,
       network::mojom::FetchRequestMode,
+      network::mojom::FetchCredentialsMode,
       scoped_refptr<WebTaskRunner>);
 
   // ThreadableLoaderClient
@@ -142,6 +143,7 @@ class WebAssociatedURLLoaderImpl::ClientAdapter final
                 WebAssociatedURLLoaderClient*,
                 const WebAssociatedURLLoaderOptions&,
                 network::mojom::FetchRequestMode,
+                network::mojom::FetchCredentialsMode,
                 scoped_refptr<WebTaskRunner>);
 
   void NotifyError(TimerBase*);
@@ -150,6 +152,7 @@ class WebAssociatedURLLoaderImpl::ClientAdapter final
   WebAssociatedURLLoaderClient* client_;
   WebAssociatedURLLoaderOptions options_;
   network::mojom::FetchRequestMode fetch_request_mode_;
+  network::mojom::FetchCredentialsMode credentials_mode_;
   Optional<WebURLError> error_;
 
   TaskRunnerTimer<ClientAdapter> error_timer_;
@@ -165,9 +168,11 @@ WebAssociatedURLLoaderImpl::ClientAdapter::Create(
     WebAssociatedURLLoaderClient* client,
     const WebAssociatedURLLoaderOptions& options,
     network::mojom::FetchRequestMode fetch_request_mode,
+    network::mojom::FetchCredentialsMode credentials_mode,
     scoped_refptr<WebTaskRunner> task_runner) {
   return WTF::WrapUnique(new ClientAdapter(loader, client, options,
-                                           fetch_request_mode, task_runner));
+                                           fetch_request_mode, credentials_mode,
+                                           task_runner));
 }
 
 WebAssociatedURLLoaderImpl::ClientAdapter::ClientAdapter(
@@ -175,11 +180,13 @@ WebAssociatedURLLoaderImpl::ClientAdapter::ClientAdapter(
     WebAssociatedURLLoaderClient* client,
     const WebAssociatedURLLoaderOptions& options,
     network::mojom::FetchRequestMode fetch_request_mode,
+    network::mojom::FetchCredentialsMode credentials_mode,
     scoped_refptr<WebTaskRunner> task_runner)
     : loader_(loader),
       client_(client),
       options_(options),
       fetch_request_mode_(fetch_request_mode),
+      credentials_mode_(credentials_mode),
       error_timer_(std::move(task_runner), this, &ClientAdapter::NotifyError),
       enable_error_notifications_(false),
       did_fail_(false) {
@@ -226,9 +233,8 @@ void WebAssociatedURLLoaderImpl::ClientAdapter::DidReceiveResponse(
     return;
   }
 
-  WebHTTPHeaderSet exposed_headers;
-  WebCORS::ExtractCorsExposedHeaderNamesList(WrappedResourceResponse(response),
-                                             exposed_headers);
+  WebHTTPHeaderSet exposed_headers = WebCORS::ExtractCorsExposedHeaderNamesList(
+      credentials_mode_, WrappedResourceResponse(response));
   WebHTTPHeaderSet blocked_headers;
   for (const auto& header : response.HttpHeaderFields()) {
     if (FetchUtils::IsForbiddenResponseHeaderName(header.key) ||
@@ -397,9 +403,9 @@ void WebAssociatedURLLoaderImpl::LoadAsynchronously(
     task_runner = Platform::Current()->CurrentThread()->GetWebTaskRunner();
   }
   client_ = client;
-  client_adapter_ = ClientAdapter::Create(this, client, options_,
-                                          request.GetFetchRequestMode(),
-                                          std::move(task_runner));
+  client_adapter_ = ClientAdapter::Create(
+      this, client, options_, request.GetFetchRequestMode(),
+      request.GetFetchCredentialsMode(), std::move(task_runner));
 
   if (allow_load) {
     ThreadableLoaderOptions options;

third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp

@@ -1456,9 +1456,11 @@ String XMLHttpRequest::getAllResponseHeaders() const {
 
   StringBuilder string_builder;
 
-  WebHTTPHeaderSet access_control_expose_header_set;
-  WebCORS::ExtractCorsExposedHeaderNamesList(WrappedResourceResponse(response_),
-                                             access_control_expose_header_set);
+  WebHTTPHeaderSet access_control_expose_header_set =
+      WebCORS::ExtractCorsExposedHeaderNamesList(
+          with_credentials_ ? network::mojom::FetchCredentialsMode::kInclude
+                            : network::mojom::FetchCredentialsMode::kSameOrigin,
+          WrappedResourceResponse(response_));
 
   HTTPHeaderMap::const_iterator end = response_.HttpHeaderFields().end();
   for (HTTPHeaderMap::const_iterator it = response_.HttpHeaderFields().begin();
@@ -1502,9 +1504,11 @@ const AtomicString& XMLHttpRequest::getResponseHeader(
     return g_null_atom;
   }
 
-  WebHTTPHeaderSet access_control_expose_header_set;
-  WebCORS::ExtractCorsExposedHeaderNamesList(WrappedResourceResponse(response_),
-                                             access_control_expose_header_set);
+  WebHTTPHeaderSet access_control_expose_header_set =
+      WebCORS::ExtractCorsExposedHeaderNamesList(
+          with_credentials_ ? network::mojom::FetchCredentialsMode::kInclude
+                            : network::mojom::FetchCredentialsMode::kSameOrigin,
+          WrappedResourceResponse(response_));
 
   if (!same_origin_request_ &&
       !WebCORS::IsOnAccessControlResponseHeaderWhitelist(name) &&

third_party/WebKit/Source/modules/fetch/FetchManager.cpp

@@ -474,9 +474,9 @@ void FetchManager::Loader::DidReceiveResponse(
         tainted_response = response_data->CreateBasicFilteredResponse();
         break;
       case FetchRequestData::kCORSTainting: {
-        WebHTTPHeaderSet header_names;
-        WebCORS::ExtractCorsExposedHeaderNamesList(
-            WrappedResourceResponse(response), header_names);
+        WebHTTPHeaderSet header_names =
+            WebCORS::ExtractCorsExposedHeaderNamesList(
+                request_->Credentials(), WrappedResourceResponse(response));
         tainted_response =
             response_data->CreateCORSFilteredResponse(header_names);
         break;

third_party/WebKit/Source/modules/fetch/FetchResponseData.cpp

@@ -70,18 +70,6 @@ FetchResponseData* FetchResponseData::CreateBasicFilteredResponse() const {
   return response;
 }
 
-FetchResponseData* FetchResponseData::CreateCORSFilteredResponse() const {
-  DCHECK_EQ(type_, Type::kDefault);
-  WebHTTPHeaderSet access_control_expose_header_set;
-  String access_control_expose_headers;
-  if (header_list_->Get(HTTPNames::Access_Control_Expose_Headers,
-                        access_control_expose_headers)) {
-    WebCORS::ParseAccessControlExposeHeadersAllowList(
-        access_control_expose_headers, access_control_expose_header_set);
-  }
-  return CreateCORSFilteredResponse(access_control_expose_header_set);
-}
-
 FetchResponseData* FetchResponseData::CreateCORSFilteredResponse(
     const WebHTTPHeaderSet& exposed_headers) const {
   DCHECK_EQ(type_, Type::kDefault);
@@ -97,18 +85,13 @@ FetchResponseData* FetchResponseData::CreateCORSFilteredResponse(
   response->SetURLList(url_list_);
   for (const auto& header : header_list_->List()) {
     const String& name = header.first;
-    const bool explicitly_exposed =
-        exposed_headers.find(name.Ascii().data()) != exposed_headers.end();
     if (WebCORS::IsOnAccessControlResponseHeaderWhitelist(name) ||
-        (explicitly_exposed &&
+        (exposed_headers.find(name.Ascii().data()) != exposed_headers.end() &&
          !FetchUtils::IsForbiddenResponseHeaderName(name))) {
-      if (explicitly_exposed) {
-        response->cors_exposed_header_names_.emplace(name.Ascii().data(),
-                                                     name.Ascii().length());
-      }
       response->header_list_->Append(name, header.second);
     }
   }
+  response->cors_exposed_header_names_ = exposed_headers;
   response->buffer_ = buffer_;
   response->mime_type_ = mime_type_;
   response->internal_response_ = const_cast<FetchResponseData*>(this);

third_party/WebKit/Source/modules/fetch/FetchResponseData.h

@@ -43,12 +43,6 @@ class MODULES_EXPORT FetchResponseData final
   static FetchResponseData* CreateWithBuffer(BodyStreamBuffer*);
 
   FetchResponseData* CreateBasicFilteredResponse() const;
-  // Creates a CORS filtered response, settings the response's cors exposed
-  // header names list to the result of parsing the
-  // Access-Control-Expose-Headers header.
-  FetchResponseData* CreateCORSFilteredResponse() const;
-  // Creates a CORS filtered response with an explicit set of exposed header
-  // names.
   FetchResponseData* CreateCORSFilteredResponse(
       const WebHTTPHeaderSet& exposed_headers) const;
   FetchResponseData* CreateOpaqueFilteredResponse() const;

third_party/WebKit/Source/modules/fetch/FetchResponseDataTest.cpp

@@ -100,7 +100,7 @@ TEST_F(FetchResponseDataTest, ToWebServiceWorkerBasicType) {
 TEST_F(FetchResponseDataTest, CORSFilter) {
   FetchResponseData* internal_response = CreateInternalResponse();
   FetchResponseData* cors_response_data =
-      internal_response->CreateCORSFilteredResponse();
+      internal_response->CreateCORSFilteredResponse(WebHTTPHeaderSet());
 
   EXPECT_EQ(internal_response, cors_response_data->InternalResponse());
 
@@ -122,7 +122,7 @@ TEST_F(FetchResponseDataTest,
                                           "set-cookie, bar");
 
   FetchResponseData* cors_response_data =
-      internal_response->CreateCORSFilteredResponse();
+      internal_response->CreateCORSFilteredResponse({"set-cookie", "bar"});
 
   EXPECT_EQ(internal_response, cors_response_data->InternalResponse());
 
@@ -197,7 +197,7 @@ TEST_F(FetchResponseDataTest, ToWebServiceWorkerCORSType) {
   WebServiceWorkerResponse web_response;
   FetchResponseData* internal_response = CreateInternalResponse();
   FetchResponseData* cors_response_data =
-      internal_response->CreateCORSFilteredResponse();
+      internal_response->CreateCORSFilteredResponse(WebHTTPHeaderSet());
 
   cors_response_data->PopulateWebServiceWorkerResponse(web_response);
   EXPECT_EQ(network::mojom::FetchResponseType::kCORS,

third_party/WebKit/Source/modules/fetch/ResponseTest.cpp

@@ -263,7 +263,7 @@ TEST(ServiceWorkerResponseTest, BodyStreamBufferCloneCORS) {
   Vector<KURL> url_list;
   url_list.push_back(KURL("http://www.response.com"));
   fetch_response_data->SetURLList(url_list);
-  fetch_response_data = fetch_response_data->CreateCORSFilteredResponse();
+  fetch_response_data = fetch_response_data->CreateCORSFilteredResponse({});
   Response* response =
       Response::Create(scope.GetExecutionContext(), fetch_response_data);
   EXPECT_EQ(response->InternalBodyBuffer(), buffer);

third_party/WebKit/Source/platform/exported/WebCORS.cpp

@@ -32,6 +32,7 @@
 #include "platform/loader/fetch/FetchUtils.h"
 #include "platform/loader/fetch/ResourceLoaderOptions.h"
 #include "platform/loader/fetch/ResourceRequest.h"
+#include "platform/loader/fetch/ResourceResponse.h"
 #include "platform/network/http_names.h"
 #include "platform/weborigin/KURL.h"
 #include "platform/weborigin/SchemeRegistry.h"
@@ -513,27 +514,35 @@ WebString GetErrorString(const CORSError error,
   return WebString();
 }
 
-void ExtractCorsExposedHeaderNamesList(const WebURLResponse& response,
-                                       WebHTTPHeaderSet& header_set) {
+WebHTTPHeaderSet ExtractCorsExposedHeaderNamesList(
+    network::mojom::FetchCredentialsMode credentials_mode,
+    const WebURLResponse& response) {
   // If a response was fetched via a service worker, it will always have
   // CorsExposedHeaderNames set from the Access-Control-Expose-Headers header.
   // For requests that didn't come from a service worker, just parse the CORS
   // header.
   if (response.WasFetchedViaServiceWorker()) {
+    WebHTTPHeaderSet header_set;
     for (const auto& header : response.CorsExposedHeaderNames())
       header_set.emplace(header.Ascii().data(), header.Ascii().length());
-    return;
+    return header_set;
   }
-  ParseAccessControlExposeHeadersAllowList(
-      response.HttpHeaderField(
-          WebString(HTTPNames::Access_Control_Expose_Headers)),
-      header_set);
-}
 
-void ParseAccessControlExposeHeadersAllowList(const WebString& header_value,
-                                              WebHTTPHeaderSet& header_set) {
-  HTTPHeaderNameListParser parser(header_value);
+  WebHTTPHeaderSet header_set;
+  HTTPHeaderNameListParser parser(response.HttpHeaderField(
+      WebString(HTTPNames::Access_Control_Expose_Headers)));
   parser.Parse(header_set);
+
+  if (credentials_mode != network::mojom::FetchCredentialsMode::kInclude &&
+      header_set.find("*") != header_set.end()) {
+    header_set.clear();
+    for (const auto& header :
+         response.ToResourceResponse().HttpHeaderFields()) {
+      CString name = header.key.Ascii();
+      header_set.emplace(name.data(), name.length());
+    }
+  }
+  return header_set;
 }
 
 bool IsOnAccessControlResponseHeaderWhitelist(const WebString& name) {

third_party/WebKit/Source/platform/exported/WebCORSTest.cpp

@@ -4,7 +4,9 @@
 
 #include "public/platform/WebCORS.h"
 
+#include "platform/exported/WrappedResourceResponse.h"
 #include "platform/loader/fetch/ResourceRequest.h"
+#include "platform/loader/fetch/ResourceResponse.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -12,6 +14,20 @@ namespace blink {
 
 namespace {
 
+class CORSExposedHeadersTest : public ::testing::Test {
+ public:
+  using CredentialsMode = network::mojom::FetchCredentialsMode;
+
+  WebHTTPHeaderSet Parse(CredentialsMode credentials_mode,
+                         const AtomicString& header) const {
+    ResourceResponse response;
+    response.AddHTTPHeaderField("access-control-expose-headers", header);
+
+    return WebCORS::ExtractCorsExposedHeaderNamesList(
+        credentials_mode, WrappedResourceResponse(response));
+  }
+};
+
 TEST(CreateAccessControlPreflightRequestTest, LexicographicalOrder) {
   WebURLRequest request;
   request.AddHTTPHeaderField("Orange", "Orange");
@@ -79,85 +95,81 @@ TEST(CreateAccessControlPreflightRequestTest,
             preflight.HttpHeaderField("Access-Control-Request-Headers"));
 }
 
-TEST(ParseAccessControlExposeHeadersAllowListTest, ValidInput) {
-  WebHTTPHeaderSet set;
-  WebCORS::ParseAccessControlExposeHeadersAllowList("valid", set);
-  EXPECT_EQ(1U, set.size());
-  EXPECT_TRUE(set.find("valid") != set.end());
-
-  set.clear();
-  WebCORS::ParseAccessControlExposeHeadersAllowList("a,b", set);
-  EXPECT_EQ(2U, set.size());
-  EXPECT_TRUE(set.find("a") != set.end());
-  EXPECT_TRUE(set.find("b") != set.end());
-
-  set.clear();
-  WebCORS::ParseAccessControlExposeHeadersAllowList("   a ,  b ", set);
-  EXPECT_EQ(2U, set.size());
-  EXPECT_TRUE(set.find("a") != set.end());
-  EXPECT_TRUE(set.find("b") != set.end());
-
-  set.clear();
-  WebCORS::ParseAccessControlExposeHeadersAllowList(" \t   \t\t a", set);
-  EXPECT_EQ(1U, set.size());
-  EXPECT_TRUE(set.find("a") != set.end());
+TEST_F(CORSExposedHeadersTest, ValidInput) {
+  EXPECT_EQ(Parse(CredentialsMode::kOmit, "valid"),
+            WebHTTPHeaderSet({"valid"}));
+
+  EXPECT_EQ(Parse(CredentialsMode::kOmit, "a,b"), WebHTTPHeaderSet({"a", "b"}));
+
+  EXPECT_EQ(Parse(CredentialsMode::kOmit, "   a ,  b "),
+            WebHTTPHeaderSet({"a", "b"}));
+
+  EXPECT_EQ(Parse(CredentialsMode::kOmit, " \t   \t\t a"),
+            WebHTTPHeaderSet({"a"}));
 }
 
-TEST(ParseAccessControlExposeHeadersAllowListTest, DuplicatedEntries) {
-  WebHTTPHeaderSet set;
-  WebCORS::ParseAccessControlExposeHeadersAllowList("a, a", set);
-  EXPECT_EQ(1U, set.size());
-  EXPECT_TRUE(set.find("a") != set.end());
-
-  set.clear();
-  WebCORS::ParseAccessControlExposeHeadersAllowList("a, a, b", set);
-  EXPECT_EQ(2U, set.size());
-  EXPECT_TRUE(set.find("a") != set.end());
-  EXPECT_TRUE(set.find("b") != set.end());
+TEST_F(CORSExposedHeadersTest, DuplicatedEntries) {
+  EXPECT_EQ(Parse(CredentialsMode::kOmit, "a, a"), WebHTTPHeaderSet{"a"});
+
+  EXPECT_EQ(Parse(CredentialsMode::kOmit, "a, a, b"),
+            WebHTTPHeaderSet({"a", "b"}));
 }
 
-TEST(ParseAccessControlExposeHeadersAllowListTest, InvalidInput) {
-  WebHTTPHeaderSet set;
-  WebCORS::ParseAccessControlExposeHeadersAllowList("not valid", set);
-  EXPECT_TRUE(set.empty());
+TEST_F(CORSExposedHeadersTest, InvalidInput) {
+  EXPECT_TRUE(Parse(CredentialsMode::kOmit, "not valid").empty());
 
-  set.clear();
-  WebCORS::ParseAccessControlExposeHeadersAllowList("///", set);
-  EXPECT_TRUE(set.empty());
+  EXPECT_TRUE(Parse(CredentialsMode::kOmit, "///").empty());
 
-  set.clear();
-  WebCORS::ParseAccessControlExposeHeadersAllowList("/a/", set);
-  EXPECT_TRUE(set.empty());
+  EXPECT_TRUE(Parse(CredentialsMode::kOmit, "/a/").empty());
 
-  set.clear();
-  WebCORS::ParseAccessControlExposeHeadersAllowList(",", set);
-  EXPECT_TRUE(set.empty());
+  EXPECT_TRUE(Parse(CredentialsMode::kOmit, ",").empty());
 
-  set.clear();
-  WebCORS::ParseAccessControlExposeHeadersAllowList(" , ", set);
-  EXPECT_TRUE(set.empty());
+  EXPECT_TRUE(Parse(CredentialsMode::kOmit, " , ").empty());
 
-  set.clear();
-  WebCORS::ParseAccessControlExposeHeadersAllowList(" , a", set);
-  EXPECT_TRUE(set.empty());
+  EXPECT_TRUE(Parse(CredentialsMode::kOmit, " , a").empty());
 
-  set.clear();
-  WebCORS::ParseAccessControlExposeHeadersAllowList("a , ", set);
-  EXPECT_TRUE(set.empty());
+  EXPECT_TRUE(Parse(CredentialsMode::kOmit, "a , ").empty());
 
-  set.clear();
-  WebCORS::ParseAccessControlExposeHeadersAllowList("", set);
-  EXPECT_TRUE(set.empty());
+  EXPECT_TRUE(Parse(CredentialsMode::kOmit, "").empty());
 
-  set.clear();
-  WebCORS::ParseAccessControlExposeHeadersAllowList(" ", set);
-  EXPECT_TRUE(set.empty());
+  EXPECT_TRUE(Parse(CredentialsMode::kOmit, " ").empty());
 
-  set.clear();
   // U+0141 which is 'A' (0x41) + 0x100.
-  WebCORS::ParseAccessControlExposeHeadersAllowList(
-      String::FromUTF8("\xC5\x81"), set);
-  EXPECT_TRUE(set.empty());
+  EXPECT_TRUE(
+      Parse(CredentialsMode::kOmit, AtomicString(String::FromUTF8("\xC5\x81")))
+          .empty());
+}
+
+TEST_F(CORSExposedHeadersTest, Wildcard) {
+  ResourceResponse response;
+  response.AddHTTPHeaderField("access-control-expose-headers", "a, b, *");
+  response.AddHTTPHeaderField("b", "-");
+  response.AddHTTPHeaderField("c", "-");
+  response.AddHTTPHeaderField("d", "-");
+  response.AddHTTPHeaderField("*", "-");
+
+  EXPECT_EQ(
+      WebCORS::ExtractCorsExposedHeaderNamesList(
+          CredentialsMode::kOmit, WrappedResourceResponse(response)),
+      WebHTTPHeaderSet({"access-control-expose-headers", "b", "c", "d", "*"}));
+
+  EXPECT_EQ(
+      WebCORS::ExtractCorsExposedHeaderNamesList(
+          CredentialsMode::kSameOrigin, WrappedResourceResponse(response)),
+      WebHTTPHeaderSet({"access-control-expose-headers", "b", "c", "d", "*"}));
+}
+
+TEST_F(CORSExposedHeadersTest, Asterisk) {
+  ResourceResponse response;
+  response.AddHTTPHeaderField("access-control-expose-headers", "a, b, *");
+  response.AddHTTPHeaderField("b", "-");
+  response.AddHTTPHeaderField("c", "-");
+  response.AddHTTPHeaderField("d", "-");
+  response.AddHTTPHeaderField("*", "-");
+
+  EXPECT_EQ(WebCORS::ExtractCorsExposedHeaderNamesList(
+                CredentialsMode::kInclude, WrappedResourceResponse(response)),
+            WebHTTPHeaderSet({"a", "b", "*"}));
 }
 
 }  // namespace

third_party/WebKit/public/platform/WebCORS.h

@@ -34,6 +34,7 @@
 #include "public/platform/WebURL.h"
 #include "public/platform/WebURLRequest.h"
 #include "services/network/public/interfaces/cors.mojom-shared.h"
+#include "services/network/public/interfaces/fetch_api.mojom-shared.h"
 
 namespace blink {
 
@@ -105,13 +106,9 @@ GetErrorString(const network::mojom::CORSError,
                const WebSecurityOrigin&,
                const WebURLRequest::RequestContext);
 
-BLINK_PLATFORM_EXPORT void ParseAccessControlExposeHeadersAllowList(
-    const WebString&,
-    WebHTTPHeaderSet&);
-
-BLINK_PLATFORM_EXPORT void ExtractCorsExposedHeaderNamesList(
-    const WebURLResponse&,
-    WebHTTPHeaderSet&);
+BLINK_PLATFORM_EXPORT WebHTTPHeaderSet
+ExtractCorsExposedHeaderNamesList(network::mojom::FetchCredentialsMode,
+                                  const WebURLResponse&);
 
 BLINK_PLATFORM_EXPORT bool IsOnAccessControlResponseHeaderWhitelist(
     const WebString&);