Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th…

lib/compat.js

 /*
  * This file is part of Adblock Plus <https://adblockplus.org/>,
  * Copyright (C) 2006-2016 Eyeo GmbH
  *
  * Adblock Plus is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
  * published by the Free Software Foundation.
  *
  * Adblock Plus is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ skipping 279 matching lines @@
   _requestHeaders: null,
   _responseHeaders: null,
   _loadHandlers: null,
   _errorHandlers: null,
   onload: null,
   onerror: null,
   status: 0,
   readyState: 0,
   responseText: null,
 
+  // list taken from https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
+  _forbiddenRequestHeaders: {
+    "accept-charset": true,
+    "accept-encoding": true,
+    "access-control-request-headers": true,
+    "access-control-request-method": true,
+    "connection": true,
+    "content-length": true,
+    "cookie": true,
+    "cookie2": true,
+    "date": true,
+    "dnt": true,
+    "expect": true,
+    "host": true,
+    "keep-alive": true,
+    "origin": true,
+    "referer": true,
+    "te": true,
+    "trailer": true,
+    "transfer-encoding": true,
+    "upgrade": true,
+    "via": true,
+  },
+  _forbiddenRequestHeadersRe: new RegExp("^(Proxy|Sec)-", "i"),
+
+  _isRequestHeaderAllowed: function(header)
+  {
+    if (this._forbiddenRequestHeaders[header.toLowerCase()] !== undefined) {

[sergei, 2017/03/02 22:25:31]

Actually it's not according to our coding style, so I would recommend to use
hasOwnProperty.

[hub, 2017/03/02 23:30:12]

Acknowledged.

+      return false;
+    }
+    if (header.match(this._forbiddenRequestHeadersRe)) {
+      return false;
+    }
+    return true;
+  },
+
   addEventListener: function(eventName, handler, capture)
   {
     var list;
     if (eventName == "load")
       list = this._loadHandlers;
     else if (eventName == "error")
       list = this._errorHandlers;
     else
       throw new Error("Event type " + eventName + " not supported");
 
@@ skipping 63 matching lines @@
 
   overrideMimeType: function(mime)
   {
   },
 
   setRequestHeader: function(name, value)
   {
     if (this.readyState > 1)
       throw new Error("Cannot set request header after sending");
 
-    this._requestHeaders[name] = value;
+    if (this._isRequestHeaderAllowed(name)) {
+      this._requestHeaders[name] = value;
+    } else {
+      console.warning("Attempt to set a forbidden header was denied: " + name);

[sergei, 2017/03/02 22:25:31]

the name of the method should be "warn"

[hub, 2017/03/02 23:30:12]

Looks like my testing has failed here. Will definitely fix that.

+    }
   },
 
   getResponseHeader: function(name)
   {
     name = name.toLowerCase();
     if (!this._responseHeaders || !this._responseHeaders.hasOwnProperty(name))
       return null;
     else
       return this._responseHeaders[name];
   },
 
   channel:
   {
     status: -1,
     notificationCallbacks: {},
     loadFlags: 0,
     INHIBIT_CACHING: 0,
     VALIDATE_ALWAYS: 0,
     QueryInterface: function()
     {
       return this;
     }
   }
 };