disallow restricted XMLHttpRequest header prefixes

2025-07-23 15:23:42 +01:00 · 2016-01-18 18:04:21 -08:00 · 2016-01-18 18:04:21 -08:00 · c375ad5e95
commit c375ad5e95
parent aaad24c531
3 changed files with 20 additions and 24 deletions
--- a/components/script/dom/xmlhttprequest.rs
+++ b/components/script/dom/xmlhttprequest.rs
@ -423,20 +423,26 @@ impl XMLHttpRequestMethods for XMLHttpRequest {
        let name_lower = name.to_lower();
        let name_str = match name_lower.as_str() {
            Some(s) => {
-                match s {
+                // Step 5
-                    // Step 5
+                // Disallowed headers and header prefixes:
-                    // Disallowed headers
+                // https://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method
-                    "accept-charset" | "accept-encoding" |
+                let disallowedHeaders =
-                    "access-control-request-headers" |
+                    ["accept-charset", "accept-encoding",
-                    "access-control-request-method" |
+                    "access-control-request-headers",
-                    "connection" | "content-length" |
+                    "access-control-request-method",
-                    "cookie" | "cookie2" | "date" |"dnt" |
+                    "connection", "content-length",
-                    "expect" | "host" | "keep-alive" | "origin" |
+                    "cookie", "cookie2", "date", "dnt",
-                    "referer" | "te" | "trailer" | "transfer-encoding" |
+                    "expect", "host", "keep-alive", "origin",
-                    "upgrade" | "user-agent" | "via" => {
+                    "referer", "te", "trailer", "transfer-encoding",
-                        return Ok(());
+                    "upgrade", "user-agent", "via"];
-                    },
+
-                    _ => s
+                let disallowedHeaderPrefixes = ["sec-", "proxy-"];
                if disallowedHeaders.iter().any(|header| *header == s) ||
                   disallowedHeaderPrefixes.iter().any(|prefix| s.starts_with(prefix)) {
                    return Ok(())
                } else {
                    s
                }
            },
            None => unreachable!()
--- a/tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-forbidden.htm.ini
+++ b/tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-forbidden.htm.ini
@ -1,5 +0,0 @@
 [setrequestheader-header-forbidden.htm]
  type: testharness
  [XMLHttpRequest: setRequestHeader() - headers that are forbidden]
    expected: FAIL
--- a/tests/wpt/metadata/websockets/security/002.html.ini
+++ b/tests/wpt/metadata/websockets/security/002.html.ini
@ -1,5 +0,0 @@
 [002.html]
  type: testharness
  [WebSockets: check Sec-WebSocket-Key]
    expected: FAIL