feat(fetch): remove CORB checks (nodejs#1461)

crysmags · Feb 27, 2024 · 5e9ac02 · 5e9ac02
1 parent 2afe69e
commit 5e9ac02
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 100 deletions.
diff --git a/lib/fetch/index.js b/lib/fetch/index.js
@@ -31,7 +31,6 @@ const {
   coarsenedSharedCurrentTime,
   createDeferredPromise,
   isBlobLike,
-  CORBCheck,
   sameOrigin,
   isCancelled,
   isAborted
@@ -588,18 +587,8 @@ async function mainFetch (fetchParams, recursive = false) {
         // 2. Set request’s response tainting to "opaque".
         request.responseTainting = 'opaque'
 
-        // 3. Let noCorsResponse be the result of running scheme fetch given
-        // fetchParams.
-        const noCorsResponse = await schemeFetch(fetchParams)
-
-        // 4. If noCorsResponse is a filtered response or the CORB check with
-        // request and noCorsResponse returns allowed, then return noCorsResponse.
-        if (noCorsResponse.status === 0 || CORBCheck(request, noCorsResponse) === 'allowed') {
-          return noCorsResponse
-        }
-
-        // 5. Return a new response whose status is noCorsResponse’s status.
-        return makeResponse({ status: noCorsResponse.status })
+        // 3. Return the result of running scheme fetch given fetchParams.
+        return await schemeFetch(fetchParams)
       }
 
       // request’s current URL’s scheme is not an HTTP(S) scheme

diff --git a/lib/fetch/util.js b/lib/fetch/util.js
@@ -317,47 +317,6 @@ function sameOrigin (A, B) {
   return false
 }
 
-// https://fetch.spec.whatwg.org/#corb-check
-function CORBCheck (request, response) {
-  // 1. If request’s initiator is "download", then return allowed.
-  if (request.initiator === 'download') {
-    return 'allowed'
-  }
-
-  // 2. If request’s current URL’s scheme is not an HTTP(S) scheme, then return allowed.
-  if (!/^https?$/.test(request.currentURL.scheme)) {
-    return 'allowed'
-  }
-
-  // 3. Let mimeType be the result of extracting a MIME type from response’s header list.
-  const mimeType = response.headersList.get('content-type')
-
-  // 4. If mimeType is failure, then return allowed.
-  if (mimeType === '') {
-    return 'allowed'
-  }
-
-  // 5. If response’s status is 206 and mimeType is a CORB-protected MIME type, then return blocked.
-
-  const isCORBProtectedMIME =
-  (/^text\/html\b/.test(mimeType) ||
-  /^application\/javascript\b/.test(mimeType) ||
-  /^application\/xml\b/.test(mimeType)) && !/^application\/xml\+svg\b/.test(mimeType)
-
-  if (response.status === 206 && isCORBProtectedMIME) {
-    return 'blocked'
-  }
-
-  // 6. If determine nosniff with response’s header list is true and mimeType is a CORB-protected MIME type or its essence is "text/plain", then return blocked.
-  // https://fetch.spec.whatwg.org/#determinenosniff
-  if (response.headersList.get('x-content-type-options') && isCORBProtectedMIME) {
-    return 'blocked'
-  }
-
-  // 7. Return allowed.
-  return 'allowed'
-}
-
 function createDeferredPromise () {
   let res
   let rej
@@ -430,7 +389,6 @@ module.exports = {
   isFileLike,
   isValidReasonPhrase,
   sameOrigin,
-  CORBCheck,
   normalizeMethod,
   serializeJavascriptValueToJSONString
 }
diff --git a/test/fetch/util.js b/test/fetch/util.js
@@ -113,48 +113,3 @@ test('sameOrigin', (t) => {
 
   t.end()
 })
-
-test('CORBCheck', (t) => {
-  const allowedRequests = [{
-    initiator: 'download',
-    currentURL: { scheme: '' }
-  }, {
-    initiator: '',
-    currentURL: { scheme: 'https' }
-  }
-  ]
-
-  const response = { headersList: { get () { return '' } } }
-
-  allowedRequests.forEach((request) => {
-    t.ok(util.CORBCheck(request, response))
-  })
-
-  t.ok(util.CORBCheck({
-    initiator: '',
-    currentURL: { scheme: '' }
-  }, response))
-
-  const protectedResponses = [{
-    status: 206,
-    headersList: { get () { return 'text/html' } }
-  }, {
-    status: 206,
-    headersList: { get () { return 'application/javascript' } }
-  }, {
-    status: 206,
-    headersList: { get () { return 'application/xml' } }
-  }, {
-    status: 218,
-    headersList: { get (type) { return type === 'content-type' ? 'text/html' : 'x-content-type-options' } }
-  }]
-
-  protectedResponses.forEach(response => {
-    t.equal(util.CORBCheck({
-      initiator: '',
-      currentURL: { scheme: 'https' }
-    }, response), 'blocked')
-  })
-
-  t.end()
-})