Side by Side Diff: lib/compat.js
Issue 29377825:
Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th… (Closed)
Base URL: https://hg.adblockplus.org/libadblockplus/
Patch Set: Updated based on the feedback.
Created March 8, 2017, 4:15 a.m.
| Left: | ||
| Right: |
Use n/p to move between diff chunks;
N/P to move between comments.
« no previous file with comments
|
« no previous file
|
test/WebRequest.cpp » ('j')
|
test/WebRequest.cpp » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * This file is part of Adblock Plus <https://adblockplus.org/>, | 2 * This file is part of Adblock Plus <https://adblockplus.org/>, |
| 3 * Copyright (C) 2006-2016 Eyeo GmbH | 3 * Copyright (C) 2006-2016 Eyeo GmbH |
| 4 * | 4 * |
| 5 * Adblock Plus is free software: you can redistribute it and/or modify | 5 * Adblock Plus is free software: you can redistribute it and/or modify |
| 6 * it under the terms of the GNU General Public License version 3 as | 6 * it under the terms of the GNU General Public License version 3 as |
| 7 * published by the Free Software Foundation. | 7 * published by the Free Software Foundation. |
| 8 * | 8 * |
| 9 * Adblock Plus is distributed in the hope that it will be useful, | 9 * Adblock Plus is distributed in the hope that it will be useful, |
| 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of | 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| (...skipping 279 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 290 _requestHeaders: null, | 290 _requestHeaders: null, |
| 291 _responseHeaders: null, | 291 _responseHeaders: null, |
| 292 _loadHandlers: null, | 292 _loadHandlers: null, |
| 293 _errorHandlers: null, | 293 _errorHandlers: null, |
| 294 onload: null, | 294 onload: null, |
| 295 onerror: null, | 295 onerror: null, |
| 296 status: 0, | 296 status: 0, |
| 297 readyState: 0, | 297 readyState: 0, |
| 298 responseText: null, | 298 responseText: null, |
| 299 | 299 |
| 300 // list taken from https://developer.mozilla.org/en-US/docs/Glossary/Forbidden _header_name | |
| 301 _forbiddenRequestHeaders: { | |
| 302 "accept-charset": true, | |
| 303 "accept-encoding": true, | |
| 304 "access-control-request-headers": true, | |
| 305 "access-control-request-method": true, | |
| 306 "connection": true, | |
| 307 "content-length": true, | |
| 308 "cookie": true, | |
| 309 "cookie2": true, | |
| 310 "date": true, | |
| 311 "dnt": true, | |
| 312 "expect": true, | |
| 313 "host": true, | |
| 314 "keep-alive": true, | |
| 315 "origin": true, | |
| 316 "referer": true, | |
| 317 "te": true, | |
| 318 "trailer": true, | |
| 319 "transfer-encoding": true, | |
| 320 "upgrade": true, | |
| 321 "via": true, | |
| 322 }, | |
| 323 _forbiddenRequestHeadersRe: new RegExp("^(Proxy|Sec)-", "i"), | |
| 324 | |
| 325 _isRequestHeaderAllowed: function(header) | |
| 326 { | |
| 327 if (this._forbiddenRequestHeaders.hasOwnProperty(header.toLowerCase())) | |
| 328 return false; | |
| 329 if (header.match(this._forbiddenRequestHeadersRe)) | |
| 330 return false; | |
| 331 | |
| 332 return true; | |
| 333 }, | |
| 334 | |
| 300 addEventListener: function(eventName, handler, capture) | 335 addEventListener: function(eventName, handler, capture) |
| 301 { | 336 { |
| 302 var list; | 337 var list; |
| 303 if (eventName == "load") | 338 if (eventName == "load") |
| 304 list = this._loadHandlers; | 339 list = this._loadHandlers; |
| 305 else if (eventName == "error") | 340 else if (eventName == "error") |
| 306 list = this._errorHandlers; | 341 list = this._errorHandlers; |
| 307 else | 342 else |
| 308 throw new Error("Event type " + eventName + " not supported"); | 343 throw new Error("Event type " + eventName + " not supported"); |
| 309 | 344 |
| (...skipping 63 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 373 | 408 |
| 374 overrideMimeType: function(mime) | 409 overrideMimeType: function(mime) |
| 375 { | 410 { |
| 376 }, | 411 }, |
| 377 | 412 |
| 378 setRequestHeader: function(name, value) | 413 setRequestHeader: function(name, value) |
| 379 { | 414 { |
| 380 if (this.readyState > 1) | 415 if (this.readyState > 1) |
| 381 throw new Error("Cannot set request header after sending"); | 416 throw new Error("Cannot set request header after sending"); |
| 382 | 417 |
| 383 this._requestHeaders[name] = value; | 418 if (this._isRequestHeaderAllowed(name)) |
| 419 this._requestHeaders[name] = value; | |
| 420 else | |
| 421 console.warn("Attempt to set a forbidden header was denied: " + name); | |
| 384 }, | 422 }, |
| 385 | 423 |
| 386 getResponseHeader: function(name) | 424 getResponseHeader: function(name) |
| 387 { | 425 { |
| 388 name = name.toLowerCase(); | 426 name = name.toLowerCase(); |
| 389 if (!this._responseHeaders || !this._responseHeaders.hasOwnProperty(name)) | 427 if (!this._responseHeaders || !this._responseHeaders.hasOwnProperty(name)) |
| 390 return null; | 428 return null; |
| 391 else | 429 else |
| 392 return this._responseHeaders[name]; | 430 return this._responseHeaders[name]; |
| 393 }, | 431 }, |
| 394 | 432 |
| 395 channel: | 433 channel: |
| 396 { | 434 { |
| 397 status: -1, | 435 status: -1, |
| 398 notificationCallbacks: {}, | 436 notificationCallbacks: {}, |
| 399 loadFlags: 0, | 437 loadFlags: 0, |
| 400 INHIBIT_CACHING: 0, | 438 INHIBIT_CACHING: 0, |
| 401 VALIDATE_ALWAYS: 0, | 439 VALIDATE_ALWAYS: 0, |
| 402 QueryInterface: function() | 440 QueryInterface: function() |
| 403 { | 441 { |
| 404 return this; | 442 return this; |
| 405 } | 443 } |
| 406 } | 444 } |
| 407 }; | 445 }; |
| OLD | NEW |
« no previous file with comments
|
« no previous file
|
test/WebRequest.cpp » ('j')
|
test/WebRequest.cpp » ('J')
