Bug 429781: Update XMLHttpRequest blocked header list to latest spec. Patch by Adam Barth. r/sr=sicking a=damon

This commit is contained in:
jonas@sicking.cc 2008-05-02 17:00:18 -07:00
parent f881246ec5
commit 4b1402c163
2 changed files with 89 additions and 62 deletions

View File

@ -1998,7 +1998,7 @@ nsXMLHttpRequest::SetRequestHeader(const nsACString& header,
const char *kInvalidHeaders[] = {
"accept-charset", "accept-encoding", "connection", "content-length",
"content-transfer-encoding", "date", "expect", "host", "keep-alive",
"proxy-connection", "referer", "access-control-origin", "te", "trailer",
"referer", "access-control-origin", "te", "trailer",
"transfer-encoding", "upgrade", "via", "xmlhttprequest-security-check"
};
PRUint32 i;
@ -2008,6 +2008,13 @@ nsXMLHttpRequest::SetRequestHeader(const nsACString& header,
return NS_OK;
}
}
if (StringBeginsWith(header, NS_LITERAL_CSTRING("proxy-"),
nsCaseInsensitiveCStringComparator()) ||
StringBeginsWith(header, NS_LITERAL_CSTRING("sec-"),
nsCaseInsensitiveCStringComparator())) {
NS_WARNING("refusing to set request header");
return NS_OK;
}
}
// We need to set, not add to, the header.

View File

@ -20,7 +20,27 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=308484
/** Test for Bug 308484 **/
var headers = ["Host", "Content-Length", "Transfer-Encoding", "Via", "Upgrade"];
var headers = [
"aCCept-chaRset",
"acCePt-eNcoDing",
"coNnEctIon",
"coNtEnt-LEngth",
"cOntEnt-tRAnsFer-enCoDiNg",
"DATE",
"exPeCt",
"hOSt",
"keep-alive",
"reFERer",
"te",
"trAiLer",
"trANsfEr-eNcoDiNg",
"uPGraDe",
"viA",
"pRoxy-",
"sEc-",
"proxy-fOobar",
"sec-bAZbOx"
];
var i, request;
// Try setting headers in unprivileged context