Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th…

lib/compat.js

 /*
  * This file is part of Adblock Plus <https://adblockplus.org/>,
  * Copyright (C) 2006-2016 Eyeo GmbH
  *
  * Adblock Plus is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
  * published by the Free Software Foundation.
  *
  * Adblock Plus is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ skipping 279 matching lines @@
   _requestHeaders: null,
   _responseHeaders: null,
   _loadHandlers: null,
   _errorHandlers: null,
   onload: null,
   onerror: null,
   status: 0,
   readyState: 0,
   responseText: null,
 
+  // list taken from https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
+  _forbiddenRequestHeaders: {
+    "accept-charset": true,

[Felix Dahlke, 2017/03/03 08:33:05]

The v8 version we use should support Set [1], it seems that'd be nicer to use
here. But I don't feel strong about that.

[1]:
https://developer.mozilla.org/de/docs/Web/JavaScript/Reference/Global_Objects...

[hub, 2017/03/03 13:44:16]

It seems not
C++ exception with description "ReferenceError: Set is not defined at
compat.js:301" thrown in SetUp().

:-(

+    "accept-encoding": true,
+    "access-control-request-headers": true,
+    "access-control-request-method": true,
+    "connection": true,
+    "content-length": true,
+    "cookie": true,
+    "cookie2": true,
+    "date": true,
+    "dnt": true,
+    "expect": true,
+    "host": true,
+    "keep-alive": true,
+    "origin": true,
+    "referer": true,
+    "te": true,
+    "trailer": true,
+    "transfer-encoding": true,
+    "upgrade": true,
+    "via": true,
+  },
+  _forbiddenRequestHeadersRe: new RegExp("^(Proxy|Sec)-", "i"),
+
+  _isRequestHeaderAllowed: function(header)
+  {
+    if (this._forbiddenRequestHeaders.hasOwnProperty(header.toLowerCase())) {

[Felix Dahlke, 2017/03/03 08:33:05]

Nit: Opening braces go on their own line where possible, see:
https://adblockplus.org/coding-style

(Omitting the braces for single line bodies is also fine.)

[hub, 2017/03/03 13:44:16]

Acknowledged.

+      return false;
+    }
+    if (header.match(this._forbiddenRequestHeadersRe)) {
+      return false;
+    }
+    return true;
+  },
+
   addEventListener: function(eventName, handler, capture)
   {
     var list;
     if (eventName == "load")
       list = this._loadHandlers;
     else if (eventName == "error")
       list = this._errorHandlers;
     else
       throw new Error("Event type " + eventName + " not supported");
 
@@ skipping 63 matching lines @@
 
   overrideMimeType: function(mime)
   {
   },
 
   setRequestHeader: function(name, value)
   {
     if (this.readyState > 1)
       throw new Error("Cannot set request header after sending");
 
-    this._requestHeaders[name] = value;
+    if (this._isRequestHeaderAllowed(name)) {
+      this._requestHeaders[name] = value;
+    } else {
+      console.warn("Attempt to set a forbidden header was denied: " + name);
+    }
   },
 
   getResponseHeader: function(name)
   {
     name = name.toLowerCase();
     if (!this._responseHeaders || !this._responseHeaders.hasOwnProperty(name))
       return null;
     else
       return this._responseHeaders[name];
   },
 
   channel:
   {
     status: -1,
     notificationCallbacks: {},
     loadFlags: 0,
     INHIBIT_CACHING: 0,
     VALIDATE_ALWAYS: 0,
     QueryInterface: function()
     {
       return this;
     }
   }
 };