From 8b74d7185a39413750503c5a7b0d6890e1bf8d28 Mon Sep 17 00:00:00 2001 From: 39zde Date: Mon, 14 Oct 2024 19:48:38 +0200 Subject: [PATCH 1/3] fix typos --- src/byte_str.rs | 2 +- src/extensions.rs | 2 +- src/header/name.rs | 6 +++--- src/uri/authority.rs | 2 +- src/uri/scheme.rs | 6 +++--- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/byte_str.rs b/src/byte_str.rs index 181ced9e..90872ecb 100644 --- a/src/byte_str.rs +++ b/src/byte_str.rs @@ -31,7 +31,7 @@ impl ByteStr { /// /// ## Safety /// `bytes` must contain valid UTF-8. In a release build it is undefined - /// behaviour to call this with `bytes` that is not valid UTF-8. + /// behavior to call this with `bytes` that is not valid UTF-8. pub unsafe fn from_utf8_unchecked(bytes: Bytes) -> ByteStr { if cfg!(debug_assertions) { match str::from_utf8(&bytes) { diff --git a/src/extensions.rs b/src/extensions.rs index 3764a558..c41bbfc3 100644 --- a/src/extensions.rs +++ b/src/extensions.rs @@ -215,7 +215,7 @@ impl Extensions { self.map.as_ref().map_or(true, |map| map.is_empty()) } - /// Get the numer of extensions available. + /// Get the number of extensions available. /// /// # Example /// diff --git a/src/header/name.rs b/src/header/name.rs index 09af1da1..3d563f4e 100644 --- a/src/header/name.rs +++ b/src/header/name.rs @@ -1659,13 +1659,13 @@ const SCRATCH_BUF_OVERFLOW: usize = SCRATCH_BUF_SIZE + 1; fn uninit_u8_array() -> [MaybeUninit; SCRATCH_BUF_SIZE] { let arr = MaybeUninit::<[MaybeUninit; SCRATCH_BUF_SIZE]>::uninit(); // Safety: assume_init() is claiming that an array of MaybeUninit<> - // has been initilized, but MaybeUninit<>'s do not require initilizaton. + // has been initialized, but MaybeUninit<>'s do not require initialization. unsafe { arr.assume_init() } } -// Assuming all the elements are initilized, get a slice of them. +// Assuming all the elements are initialized, get a slice of them. // -// Safety: All elements of `slice` must be initilized to prevent +// Safety: All elements of `slice` must be initialized to prevent // undefined behavior. unsafe fn slice_assume_init(slice: &[MaybeUninit]) -> &[T] { &*(slice as *const [MaybeUninit] as *const [T]) diff --git a/src/uri/authority.rs b/src/uri/authority.rs index dab6dcd0..07aa6795 100644 --- a/src/uri/authority.rs +++ b/src/uri/authority.rs @@ -24,7 +24,7 @@ impl Authority { // Not public while `bytes` is unstable. pub(super) fn from_shared(s: Bytes) -> Result { // Precondition on create_authority: trivially satisfied by the - // identity clousre + // identity closure create_authority(s, |s| s) } diff --git a/src/uri/scheme.rs b/src/uri/scheme.rs index c33ec41a..dbcc8c3f 100644 --- a/src/uri/scheme.rs +++ b/src/uri/scheme.rs @@ -302,7 +302,7 @@ impl Scheme2 { // Return scheme return Ok(Scheme2::Other(i)); } - // Invald scheme character, abort + // Invalid scheme character, abort 0 => break, _ => {} } @@ -349,10 +349,10 @@ mod test { #[test] fn invalid_scheme_is_error() { - Scheme::try_from("my_funky_scheme").expect_err("Unexpectly valid Scheme"); + Scheme::try_from("my_funky_scheme").expect_err("Unexpectedly valid Scheme"); // Invalid UTF-8 - Scheme::try_from([0xC0].as_ref()).expect_err("Unexpectly valid Scheme"); + Scheme::try_from([0xC0].as_ref()).expect_err("Unexpectedly valid Scheme"); } fn scheme(s: &str) -> Scheme { From 1da5436cdf09004d98b9aa673126bb2466bf89ad Mon Sep 17 00:00:00 2001 From: 39zde Date: Mon, 14 Oct 2024 21:48:06 +0200 Subject: [PATCH 2/3] add missing headers --- benches/src/header_map/basic.rs | 3 +++ src/header/mod.rs | 3 +++ src/header/name.rs | 28 +++++++++++++++++++++++++++ tests/header_map.rs | 3 +++ tests/header_map_fuzz.rs | 3 +++ util/src/main.rs | 34 +++++++++++++++++++++++++++++++++ 6 files changed, 74 insertions(+) diff --git a/benches/src/header_map/basic.rs b/benches/src/header_map/basic.rs index 8c198a02..e42632f6 100644 --- a/benches/src/header_map/basic.rs +++ b/benches/src/header_map/basic.rs @@ -549,6 +549,9 @@ const STD: &'static [HeaderName] = &[ CONTENT_SECURITY_POLICY_REPORT_ONLY, CONTENT_TYPE, COOKIE, + CROSS_ORIGIN_EMBEDDER_POLICY, + CROSS_ORIGIN_OPENER_POLICY, + CROSS_ORIGIN_RESOURCE_POLICY, DNT, DATE, ETAG, diff --git a/src/header/mod.rs b/src/header/mod.rs index 5d405767..70f3dc64 100644 --- a/src/header/mod.rs +++ b/src/header/mod.rs @@ -116,6 +116,9 @@ pub use self::name::{ CONTENT_SECURITY_POLICY_REPORT_ONLY, CONTENT_TYPE, COOKIE, + CROSS_ORIGIN_EMBEDDER_POLICY, + CROSS_ORIGIN_OPENER_POLICY, + CROSS_ORIGIN_RESOURCE_POLICY, DNT, DATE, ETAG, diff --git a/src/header/name.rs b/src/header/name.rs index 3d563f4e..5caeffb1 100644 --- a/src/header/name.rs +++ b/src/header/name.rs @@ -476,6 +476,34 @@ standard_headers! { /// the browser are set to block them, for example. (Cookie, COOKIE, b"cookie"); + /// The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures + /// embedding cross-origin resources into the document. + /// + /// You can only access certain features like SharedArrayBuffer objects or + /// Performance.now() with unthrottled timers, if your document has a COEP + /// header with a value of require-corp or credentialless set. + (CrossOriginEmbedderPolicy,CROSS_ORIGIN_EMBEDDER_POLICY,b"cross-origin-embedder-policy"); + + /// The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you + /// to ensure a top-level document does not share a browsing context group + /// with cross-origin documents. + /// + /// COOP will process-isolate your document and potential attackers can't + /// access your global object if they were to open it in a popup, + /// preventing a set of cross-origin attacks dubbed XS-Leaks. + /// + /// If a cross-origin document with COOP is opened in a new window, the + /// opening document will not have a reference to it, and the + /// window.opener property of the new window will be null. This allows + /// you to have more control over references to a window than + /// rel=noopener, which only affects outgoing navigations. + (CrossOriginOpenerPolicy,CROSS_ORIGIN_OPENER_POLICY,b"cross-origin-opener-policy"); + + /// The HTTP Cross-Origin-Resource-Policy response header conveys a + /// desire that the browser blocks no-cors cross-origin/cross-site + /// requests to the given resource. + (CrossOriginResourcePolicy,CROSS_ORIGIN_RESOURCE_POLICY,b"cross-origin-resource-policy"); + /// Indicates the client's tracking preference. /// /// This header lets users indicate whether they would prefer privacy rather diff --git a/tests/header_map.rs b/tests/header_map.rs index 9859b0a8..c31d8905 100644 --- a/tests/header_map.rs +++ b/tests/header_map.rs @@ -359,6 +359,9 @@ const STD: &'static [HeaderName] = &[ CONTENT_SECURITY_POLICY_REPORT_ONLY, CONTENT_TYPE, COOKIE, + CROSS_ORIGIN_EMBEDDER_POLICY, + CROSS_ORIGIN_OPENER_POLICY, + CROSS_ORIGIN_RESOURCE_POLICY, DNT, DATE, ETAG, diff --git a/tests/header_map_fuzz.rs b/tests/header_map_fuzz.rs index 40db0494..dd85e523 100644 --- a/tests/header_map_fuzz.rs +++ b/tests/header_map_fuzz.rs @@ -285,6 +285,9 @@ fn gen_header_name(g: &mut StdRng) -> HeaderName { header::CONTENT_SECURITY_POLICY_REPORT_ONLY, header::CONTENT_TYPE, header::COOKIE, + header::CROSS_ORIGIN_EMBEDDER_POLICY, + header::CROSS_ORIGIN_OPENER_POLICY, + header::CROSS_ORIGIN_RESOURCE_POLICY, header::DNT, header::DATE, header::ETAG, diff --git a/util/src/main.rs b/util/src/main.rs index 915cf0b8..fb404d49 100644 --- a/util/src/main.rs +++ b/util/src/main.rs @@ -407,6 +407,40 @@ standard_headers! { "#, "cookie"; + r#" + /// The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures + /// embedding cross-origin resources into the document. + /// + /// You can only access certain features like SharedArrayBuffer objects or + /// Performance.now() with unthrottled timers, if your document has a COEP + /// header with a value of require-corp or credentialless set. + "#, + "cross-origin-embedder-policy"; + + r#" + /// The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you + /// to ensure a top-level document does not share a browsing context group + /// with cross-origin documents. + /// + /// COOP will process-isolate your document and potential attackers can't + /// access your global object if they were to open it in a popup, + /// preventing a set of cross-origin attacks dubbed XS-Leaks. + /// + /// If a cross-origin document with COOP is opened in a new window, the + /// opening document will not have a reference to it, and the + /// window.opener property of the new window will be null. This allows + /// you to have more control over references to a window than + /// rel=noopener, which only affects outgoing navigations. + "#, + "cross-origin-opener-policy"; + + r#" + /// The HTTP Cross-Origin-Resource-Policy response header conveys a + /// desire that the browser blocks no-cors cross-origin/cross-site + /// requests to the given resource. + "#, + "cross-origin-resource-policy"; + r#" /// Indicates the client's tracking preference. /// From 3fcdbd45a03589b0446e286613d16c8b0e23f30b Mon Sep 17 00:00:00 2001 From: 39zde Date: Mon, 14 Oct 2024 22:24:02 +0200 Subject: [PATCH 3/3] add headers to header name lists --- benches/src/header_name.rs | 6 ++++++ benches/src/header_name2.rs | 1 + 2 files changed, 7 insertions(+) diff --git a/benches/src/header_name.rs b/benches/src/header_name.rs index 4249f987..5b50dc45 100644 --- a/benches/src/header_name.rs +++ b/benches/src/header_name.rs @@ -115,6 +115,9 @@ fn make_all_known_headers() -> Vec> { b"X-Frame-Options".to_vec(), // common_non_standard_response b"Content-Security-Policy".to_vec(), + b"Cross-Origin-Embedder-Policy".to_vec(), + b"Cross-Origin-Opener-Policy".to_vec(), + b"Cross-Origin-Resource-Policy".to_vec(), b"Refresh".to_vec(), b"Status".to_vec(), b"Timing-Allow-Origin".to_vec(), @@ -238,6 +241,9 @@ static ALL_KNOWN_HEADERS: &[&str] = &[ "x-frame-options", // common_non_standard_response "content-security-policy", + "cross-origin-embedder-policy", + "cross-origin-opener-policy", + "cross-origin-resource-policy", "refresh", "status", "timing-allow-origin", diff --git a/benches/src/header_name2.rs b/benches/src/header_name2.rs index 4562fd66..30bbd050 100644 --- a/benches/src/header_name2.rs +++ b/benches/src/header_name2.rs @@ -29,6 +29,7 @@ const STANDARD_HEADERS_BY_SIZE: &[&str] = &[ "content-security-policy", "sec-websocket-extensions", "strict-transport-security", + "cross-origin-opener-policy", "access-control-allow-origin", "access-control-allow-headers", "access-control-expose-headers",