mirror of
https://github.com/servo/servo.git
synced 2025-08-05 13:40:08 +01:00
Auto merge of #9768 - jdm:add_disallowed_prefixes, r=jdm
disallow restricted XMLHttpRequest header prefixes Rebased from #9376. <!-- Reviewable:start --> [<img src="https://reviewable.io/review_button.svg" height="40" alt="Review on Reviewable"/>](https://reviewable.io/reviews/servo/servo/9768) <!-- Reviewable:end -->
This commit is contained in:
commit
4a7d234510
6 changed files with 30 additions and 35 deletions
|
@ -423,20 +423,26 @@ impl XMLHttpRequestMethods for XMLHttpRequest {
|
|||
let name_lower = name.to_lower();
|
||||
let name_str = match name_lower.as_str() {
|
||||
Some(s) => {
|
||||
match s {
|
||||
// Step 5
|
||||
// Disallowed headers
|
||||
"accept-charset" | "accept-encoding" |
|
||||
"access-control-request-headers" |
|
||||
"access-control-request-method" |
|
||||
"connection" | "content-length" |
|
||||
"cookie" | "cookie2" | "date" |"dnt" |
|
||||
"expect" | "host" | "keep-alive" | "origin" |
|
||||
"referer" | "te" | "trailer" | "transfer-encoding" |
|
||||
"upgrade" | "user-agent" | "via" => {
|
||||
return Ok(());
|
||||
},
|
||||
_ => s
|
||||
// Step 5
|
||||
// Disallowed headers and header prefixes:
|
||||
// https://fetch.spec.whatwg.org/#forbidden-header-name
|
||||
let disallowedHeaders =
|
||||
["accept-charset", "accept-encoding",
|
||||
"access-control-request-headers",
|
||||
"access-control-request-method",
|
||||
"connection", "content-length",
|
||||
"cookie", "cookie2", "date", "dnt",
|
||||
"expect", "host", "keep-alive", "origin",
|
||||
"referer", "te", "trailer", "transfer-encoding",
|
||||
"upgrade", "via"];
|
||||
|
||||
let disallowedHeaderPrefixes = ["sec-", "proxy-"];
|
||||
|
||||
if disallowedHeaders.iter().any(|header| *header == s) ||
|
||||
disallowedHeaderPrefixes.iter().any(|prefix| s.starts_with(prefix)) {
|
||||
return Ok(())
|
||||
} else {
|
||||
s
|
||||
}
|
||||
},
|
||||
None => unreachable!()
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue