Auto merge of #9768 - jdm:add_disallowed_prefixes, r=jdm

disallow restricted XMLHttpRequest header prefixes

Rebased from #9376.

<!-- Reviewable:start -->
[<img src="https://reviewable.io/review_button.svg" height="40" alt="Review on Reviewable"/>](https://reviewable.io/reviews/servo/servo/9768)
<!-- Reviewable:end -->
This commit is contained in:
bors-servo 2016-02-27 22:09:46 +05:30
commit 4a7d234510
6 changed files with 30 additions and 35 deletions

View file

@ -423,20 +423,26 @@ impl XMLHttpRequestMethods for XMLHttpRequest {
let name_lower = name.to_lower();
let name_str = match name_lower.as_str() {
Some(s) => {
match s {
// Step 5
// Disallowed headers
"accept-charset" | "accept-encoding" |
"access-control-request-headers" |
"access-control-request-method" |
"connection" | "content-length" |
"cookie" | "cookie2" | "date" |"dnt" |
"expect" | "host" | "keep-alive" | "origin" |
"referer" | "te" | "trailer" | "transfer-encoding" |
"upgrade" | "user-agent" | "via" => {
return Ok(());
},
_ => s
// Step 5
// Disallowed headers and header prefixes:
// https://fetch.spec.whatwg.org/#forbidden-header-name
let disallowedHeaders =
["accept-charset", "accept-encoding",
"access-control-request-headers",
"access-control-request-method",
"connection", "content-length",
"cookie", "cookie2", "date", "dnt",
"expect", "host", "keep-alive", "origin",
"referer", "te", "trailer", "transfer-encoding",
"upgrade", "via"];
let disallowedHeaderPrefixes = ["sec-", "proxy-"];
if disallowedHeaders.iter().any(|header| *header == s) ||
disallowedHeaderPrefixes.iter().any(|prefix| s.starts_with(prefix)) {
return Ok(())
} else {
s
}
},
None => unreachable!()