diff --git a/lib/fetch/index.js b/lib/fetch/index.js
index 5dab8a0532f..a42ce09c331 100644
--- a/lib/fetch/index.js
+++ b/lib/fetch/index.js
@@ -31,7 +31,6 @@ const {
 coarsenedSharedCurrentTime,
 createDeferredPromise,
 isBlobLike,
- CORBCheck,
 sameOrigin,
 isCancelled,
 isAborted
@@ -588,18 +587,8 @@ async function mainFetch (fetchParams, recursive = false) {
 // 2. Set request’s response tainting to "opaque".
 request.responseTainting = 'opaque'
- // 3. Let noCorsResponse be the result of running scheme fetch given
- // fetchParams.
- const noCorsResponse = await schemeFetch(fetchParams)
-
- // 4. If noCorsResponse is a filtered response or the CORB check with
- // request and noCorsResponse returns allowed, then return noCorsResponse.
- if (noCorsResponse.status === 0 || CORBCheck(request, noCorsResponse) === 'allowed') {
- return noCorsResponse
- }
-
- // 5. Return a new response whose status is noCorsResponse’s status.
- return makeResponse({ status: noCorsResponse.status })
+ // 3. Return the result of running scheme fetch given fetchParams.
+ return await schemeFetch(fetchParams)
 }
 // request’s current URL’s scheme is not an HTTP(S) scheme
diff --git a/lib/fetch/util.js b/lib/fetch/util.js
index bfa8fdee73e..1c67f9c7c84 100644
--- a/lib/fetch/util.js
+++ b/lib/fetch/util.js
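Review bot: In lib/fetch/index.js, the no-cors branch of mainFetch now returns the schemeFetch result directly, and the new step-3 comment gives no reason for dropping the check that used to replace a 206 or nosniff response with an HTML, JavaScript or XML content type by a status-only response. The branch still sets `request.responseTainting = 'opaque'`, but where that tainting is turned into a filtered response is not visible here, because mainFetch begins and ends outside the hunk. I would extend the comment to record the decision, for example `// CORB check removed on purpose: the no-cors response is passed through unchanged; opaque filtering is left to the tainting handling later in mainFetch (confirm).` The commit also deletes the CORBCheck unit test without adding one for the new behaviour, so a test pinning what a no-cors caller receives for a 206 `text/html` response would be worth having.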
@@ -317,47 +317,6 @@ function sameOrigin (A, B) {
 return false
 }
-// https://fetch.spec.whatwg.org/#corb-check
-function CORBCheck (request, response) {
- // 1. If request’s initiator is "download", then return allowed.
- if (request.initiator === 'download') {
- return 'allowed'
- }
-
- // 2. If request’s current URL’s scheme is not an HTTP(S) scheme, then return allowed.
- if (!/^https?$/.test(request.currentURL.scheme)) {
- return 'allowed'
- }
-
- // 3. Let mimeType be the result of extracting a MIME type from response’s header list.
- const mimeType = response.headersList.get('content-type')
-
- // 4. If mimeType is failure, then return allowed.
- if (mimeType === '') {
- return 'allowed'
- }
-
- // 5. If response’s status is 206 and mimeType is a CORB-protected MIME type, then return blocked.
-
- const isCORBProtectedMIME =
- (/^text\/html\b/.test(mimeType) ||
- /^application\/javascript\b/.test(mimeType) ||
- /^application\/xml\b/.test(mimeType)) && !/^application\/xml\+svg\b/.test(mimeType)
-
- if (response.status === 206 && isCORBProtectedMIME) {
- return 'blocked'
- }
-
- // 6. If determine nosniff with response’s header list is true and mimeType is a CORB-protected MIME type or its essence is "text/plain", then return blocked.
- // https://fetch.spec.whatwg.org/#determinenosniff
- if (response.headersList.get('x-content-type-options') && isCORBProtectedMIME) {
- return 'blocked'
- }
-
- // 7. Return allowed.
- return 'allowed'
-}
-
 function createDeferredPromise () {
 let res
 let rej
@@ -430,7 +389,6 @@ module.exports = {
 isFileLike,
 isValidReasonPhrase,
 sameOrigin,
- CORBCheck,
 normalizeMethod,
 serializeJavascriptValueToJSONString
 }
diff --git a/test/fetch/util.js b/test/fetch/util.js
index bd77ecdec84..f1f55b4c2c2 100644
--- a/test/fetch/util.js
+++ b/test/fetch/util.js
@@ -113,48 +113,3 @@ test('sameOrigin', (t) => {
 t.end()
 })
-
-test('CORBCheck', (t) => {
- const allowedRequests = [{
- initiator: 'download',
- currentURL: { scheme: '' }
- }, {
- initiator: '',
- currentURL: { scheme: 'https' }
- }
- ]
-
- const response = { headersList: { get () { return '' } } }
-
- allowedRequests.forEach((request) => {
- t.ok(util.CORBCheck(request, response))
- })
-
- t.ok(util.CORBCheck({
- initiator: '',
- currentURL: { scheme: '' }
- }, response))
-
- const protectedResponses = [{
- status: 206,
- headersList: { get () { return 'text/html' } }
- }, {
- status: 206,
- headersList: { get () { return 'application/javascript' } }
- }, {
- status: 206,
- headersList: { get () { return 'application/xml' } }
- }, {
- status: 218,
- headersList: { get (type) { return type === 'content-type' ? 'text/html' : 'x-content-type-options' } }
- }]
-
- protectedResponses.forEach(response => {
- t.equal(util.CORBCheck({
- initiator: '',
- currentURL: { scheme: 'https' }
- }, response), 'blocked')
- })
-
- t.end()
-})