From c375ad5e952dbb481286c17ee9158c8c4c77a38a Mon Sep 17 00:00:00 2001
From: Chandler Abraham <cabraham@twitter.com>
Date: Mon, 18 Jan 2016 18:04:21 -0800
Subject: [PATCH 1/3] disallow restricted XMLHttpRequest header prefixes

---
 components/script/dom/xmlhttprequest.rs       | 34 +++++++++++--------
 .../setrequestheader-header-forbidden.htm.ini |  5 ---
 .../metadata/websockets/security/002.html.ini |  5 ---
 3 files changed, 20 insertions(+), 24 deletions(-)
 delete mode 100644 tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-forbidden.htm.ini
 delete mode 100644 tests/wpt/metadata/websockets/security/002.html.ini

diff --git a/components/script/dom/xmlhttprequest.rs b/components/script/dom/xmlhttprequest.rs
index df2cb8810d8..bfd2becd0d0 100644
--- a/components/script/dom/xmlhttprequest.rs
+++ b/components/script/dom/xmlhttprequest.rs
@@ -423,20 +423,26 @@ impl XMLHttpRequestMethods for XMLHttpRequest {
         let name_lower = name.to_lower();
         let name_str = match name_lower.as_str() {
             Some(s) => {
-                match s {
-                    // Step 5
-                    // Disallowed headers
-                    "accept-charset" | "accept-encoding" |
-                    "access-control-request-headers" |
-                    "access-control-request-method" |
-                    "connection" | "content-length" |
-                    "cookie" | "cookie2" | "date" |"dnt" |
-                    "expect" | "host" | "keep-alive" | "origin" |
-                    "referer" | "te" | "trailer" | "transfer-encoding" |
-                    "upgrade" | "user-agent" | "via" => {
-                        return Ok(());
-                    },
-                    _ => s
+                // Step 5
+                // Disallowed headers and header prefixes:
+                // https://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method
+                let disallowedHeaders =
+                    ["accept-charset", "accept-encoding",
+                    "access-control-request-headers",
+                    "access-control-request-method",
+                    "connection", "content-length",
+                    "cookie", "cookie2", "date", "dnt",
+                    "expect", "host", "keep-alive", "origin",
+                    "referer", "te", "trailer", "transfer-encoding",
+                    "upgrade", "user-agent", "via"];
+
+                let disallowedHeaderPrefixes = ["sec-", "proxy-"];
+
+                if disallowedHeaders.iter().any(|header| *header == s) ||
+                   disallowedHeaderPrefixes.iter().any(|prefix| s.starts_with(prefix)) {
+                    return Ok(())
+                } else {
+                    s
                 }
             },
             None => unreachable!()
diff --git a/tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-forbidden.htm.ini b/tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-forbidden.htm.ini
deleted file mode 100644
index e8a7062b952..00000000000
--- a/tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-forbidden.htm.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[setrequestheader-header-forbidden.htm]
-  type: testharness
-  [XMLHttpRequest: setRequestHeader() - headers that are forbidden]
-    expected: FAIL
-
diff --git a/tests/wpt/metadata/websockets/security/002.html.ini b/tests/wpt/metadata/websockets/security/002.html.ini
deleted file mode 100644
index facc1e108b9..00000000000
--- a/tests/wpt/metadata/websockets/security/002.html.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[002.html]
-  type: testharness
-  [WebSockets: check Sec-WebSocket-Key]
-    expected: FAIL
-

From 7c3a8d3f5b228b8a99968d67a15698d50a8b9356 Mon Sep 17 00:00:00 2001
From: Chandler Abraham <cabraham@twitter.com>
Date: Tue, 19 Jan 2016 13:04:14 -0800
Subject: [PATCH 2/3] swap w3c spec link for whatwg, removed user-agent from
 disallowed headers

---
 components/script/dom/xmlhttprequest.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/components/script/dom/xmlhttprequest.rs b/components/script/dom/xmlhttprequest.rs
index bfd2becd0d0..255e4e0834d 100644
--- a/components/script/dom/xmlhttprequest.rs
+++ b/components/script/dom/xmlhttprequest.rs
@@ -425,7 +425,7 @@ impl XMLHttpRequestMethods for XMLHttpRequest {
             Some(s) => {
                 // Step 5
                 // Disallowed headers and header prefixes:
-                // https://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method
+                // https://fetch.spec.whatwg.org/#forbidden-header-name
                 let disallowedHeaders =
                     ["accept-charset", "accept-encoding",
                     "access-control-request-headers",
@@ -434,7 +434,7 @@ impl XMLHttpRequestMethods for XMLHttpRequest {
                     "cookie", "cookie2", "date", "dnt",
                     "expect", "host", "keep-alive", "origin",
                     "referer", "te", "trailer", "transfer-encoding",
-                    "upgrade", "user-agent", "via"];
+                    "upgrade", "via"];
 
                 let disallowedHeaderPrefixes = ["sec-", "proxy-"];
 

From 3a949b77b2a078a2bf6c257fcf1037946d50fe53 Mon Sep 17 00:00:00 2001
From: Chandler Abraham <cabraham@twitter.com>
Date: Thu, 21 Jan 2016 14:43:57 -0800
Subject: [PATCH 3/3] don't unconditionally override header

---
 components/net/http_loader.rs                         | 11 ++++++++++-
 .../preserve-ua-header-on-redirect.htm.ini            |  5 -----
 .../setrequestheader-header-allowed.htm.ini           |  5 -----
 3 files changed, 10 insertions(+), 11 deletions(-)
 delete mode 100644 tests/wpt/metadata/XMLHttpRequest/preserve-ua-header-on-redirect.htm.ini
 delete mode 100644 tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-allowed.htm.ini

diff --git a/components/net/http_loader.rs b/components/net/http_loader.rs
index d1e0bef1068..07e1153a4e1 100644
--- a/components/net/http_loader.rs
+++ b/components/net/http_loader.rs
@@ -523,7 +523,16 @@ pub fn modify_request_headers(headers: &mut Headers,
         port: doc_url.port_or_default()
     };
     headers.set(host);
-    headers.set(UserAgent(user_agent.to_owned()));
+
+    // If the user-agent has not already been set, then use the
+    // browser's default user-agent or the user-agent override
+    // from the command line. If the user-agent is set, don't
+    // modify it, as setting of the user-agent by the user is
+    // allowed.
+    // https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch step 8
+    if !headers.has::<UserAgent>() {
+        headers.set(UserAgent(user_agent.to_owned()));
+    }
 
     set_default_accept(headers);
     set_default_accept_encoding(headers);
diff --git a/tests/wpt/metadata/XMLHttpRequest/preserve-ua-header-on-redirect.htm.ini b/tests/wpt/metadata/XMLHttpRequest/preserve-ua-header-on-redirect.htm.ini
deleted file mode 100644
index 468b61c3512..00000000000
--- a/tests/wpt/metadata/XMLHttpRequest/preserve-ua-header-on-redirect.htm.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[preserve-ua-header-on-redirect.htm]
-  type: testharness
-  [XMLHttpRequest: User-Agent header is preserved on redirect 1]
-    expected: FAIL
-
diff --git a/tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-allowed.htm.ini b/tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-allowed.htm.ini
deleted file mode 100644
index 04d3654a455..00000000000
--- a/tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-allowed.htm.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[setrequestheader-header-allowed.htm]
-  type: testharness
-  [XMLHttpRequest: setRequestHeader() - headers that are allowed (User-Agent)]
-    expected: FAIL
-