lib/compat.js - Issue 29377825: Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th…

Delta Between Two Patch Sets: lib/compat.js

Issue 29377825: Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th… (Closed) Base URL: https://hg.adblockplus.org/libadblockplus/

Left Patch Set: Reworked the testing. Addressed review comments. Created March 3, 2017, 4:05 a.m.

Right Patch Set: Updated based on the feedback. Created March 8, 2017, 4:15 a.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Left: Side by side diff | Download
Right: Side by side diff | Download

LEFT	RIGHT
1 /*	1 /*

2 * This file is part of Adblock Plus <https://adblockplus.org/>,	2 * This file is part of Adblock Plus <https://adblockplus.org/>,

3 * Copyright (C) 2006-2016 Eyeo GmbH	3 * Copyright (C) 2006-2016 Eyeo GmbH

4 *	4 *

5 * Adblock Plus is free software: you can redistribute it and/or modify	5 * Adblock Plus is free software: you can redistribute it and/or modify

6 * it under the terms of the GNU General Public License version 3 as	6 * it under the terms of the GNU General Public License version 3 as

7 * published by the Free Software Foundation.	7 * published by the Free Software Foundation.

8 *	8 *

9 * Adblock Plus is distributed in the hope that it will be useful,	9 * Adblock Plus is distributed in the hope that it will be useful,

10 * but WITHOUT ANY WARRANTY; without even the implied warranty of	10 * but WITHOUT ANY WARRANTY; without even the implied warranty of

(...skipping 281 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
292 _loadHandlers: null,	292 _loadHandlers: null,

293 _errorHandlers: null,	293 _errorHandlers: null,

294 onload: null,	294 onload: null,

295 onerror: null,	295 onerror: null,

296 status: 0,	296 status: 0,

297 readyState: 0,	297 readyState: 0,

298 responseText: null,	298 responseText: null,

299	299

300 // list taken from https://developer.mozilla.org/en-US/docs/Glossary/Forbidden _header_name	300 // list taken from https://developer.mozilla.org/en-US/docs/Glossary/Forbidden _header_name

301 _forbiddenRequestHeaders: {	301 _forbiddenRequestHeaders: {

302 "accept-charset": true,	302 "accept-charset": true,
Felix Dahlke 2017/03/03 08:33:05 The v8 version we use should support Set [1], it s The v8 version we use should support Set [1], it seems that'd be nicer to use here. But I don't feel strong about that. [1]: https://developer.mozilla.org/de/docs/Web/JavaScript/Reference/Global_Objects... hub 2017/03/03 13:44:16 It seems not C++ exception with description "Refer Show quoted text On 2017/03/03 08:33:05, Felix Dahlke wrote: > The v8 version we use should support Set [1], it seems that'd be nicer to use > here. But I don't feel strong about that. > > [1]: > https://developer.mozilla.org/de/docs/Web/JavaScript/Reference/Global_Objects... It seems not C++ exception with description "ReferenceError: Set is not defined at compat.js:301" thrown in SetUp(). :-(
303 "accept-encoding": true,	303 "accept-encoding": true,

304 "access-control-request-headers": true,	304 "access-control-request-headers": true,

305 "access-control-request-method": true,	305 "access-control-request-method": true,

306 "connection": true,	306 "connection": true,

307 "content-length": true,	307 "content-length": true,

308 "cookie": true,	308 "cookie": true,

309 "cookie2": true,	309 "cookie2": true,

310 "date": true,	310 "date": true,

311 "dnt": true,	311 "dnt": true,

312 "expect": true,	312 "expect": true,

313 "host": true,	313 "host": true,

314 "keep-alive": true,	314 "keep-alive": true,

315 "origin": true,	315 "origin": true,

316 "referer": true,	316 "referer": true,

317 "te": true,	317 "te": true,

318 "trailer": true,	318 "trailer": true,

319 "transfer-encoding": true,	319 "transfer-encoding": true,

320 "upgrade": true,	320 "upgrade": true,

321 "via": true,	321 "via": true,

322 },	322 },

323 _forbiddenRequestHeadersRe: new RegExp("^(Proxy\|Sec)-", "i"),	323 _forbiddenRequestHeadersRe: new RegExp("^(Proxy\|Sec)-", "i"),

324	324

325 _isRequestHeaderAllowed: function(header)	325 _isRequestHeaderAllowed: function(header)

326 {	326 {

327 if (this._forbiddenRequestHeaders.hasOwnProperty(header.toLowerCase())) {	327 if (this._forbiddenRequestHeaders.hasOwnProperty(header.toLowerCase()))
Felix Dahlke 2017/03/03 08:33:05 Nit: Opening braces go on their own line where pos Nit: Opening braces go on their own line where possible, see: https://adblockplus.org/coding-style (Omitting the braces for single line bodies is also fine.) hub 2017/03/03 13:44:16 Acknowledged. Show quoted text On 2017/03/03 08:33:05, Felix Dahlke wrote: > Nit: Opening braces go on their own line where possible, see: > https://adblockplus.org/coding-style > > (Omitting the braces for single line bodies is also fine.) Acknowledged.
328 return false;	328 return false;

329 }	329 if (header.match(this._forbiddenRequestHeadersRe))

330 if (header.match(this._forbiddenRequestHeadersRe)) {

331 return false;	330 return false;

332 }	331

333 return true;	332 return true;

334 },	333 },

335	334

336 addEventListener: function(eventName, handler, capture)	335 addEventListener: function(eventName, handler, capture)

337 {	336 {

338 var list;	337 var list;

339 if (eventName == "load")	338 if (eventName == "load")

340 list = this._loadHandlers;	339 list = this._loadHandlers;

341 else if (eventName == "error")	340 else if (eventName == "error")

342 list = this._errorHandlers;	341 list = this._errorHandlers;

(...skipping 66 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
409	408

410 overrideMimeType: function(mime)	409 overrideMimeType: function(mime)

411 {	410 {

412 },	411 },

413	412

414 setRequestHeader: function(name, value)	413 setRequestHeader: function(name, value)

415 {	414 {

416 if (this.readyState > 1)	415 if (this.readyState > 1)

417 throw new Error("Cannot set request header after sending");	416 throw new Error("Cannot set request header after sending");

418	417

419 if (this._isRequestHeaderAllowed(name)) {	418 if (this._isRequestHeaderAllowed(name))

420 this._requestHeaders[name] = value;	419 this._requestHeaders[name] = value;

421 } else {	420 else

422 console.warn("Attempt to set a forbidden header was denied: " + name);	421 console.warn("Attempt to set a forbidden header was denied: " + name);

423 }

424 },	422 },

425	423

426 getResponseHeader: function(name)	424 getResponseHeader: function(name)

427 {	425 {

428 name = name.toLowerCase();	426 name = name.toLowerCase();

429 if (!this._responseHeaders \|\| !this._responseHeaders.hasOwnProperty(name))	427 if (!this._responseHeaders \|\| !this._responseHeaders.hasOwnProperty(name))

430 return null;	428 return null;

431 else	429 else

432 return this._responseHeaders[name];	430 return this._responseHeaders[name];

433 },	431 },

434	432

435 channel:	433 channel:

436 {	434 {

437 status: -1,	435 status: -1,

438 notificationCallbacks: {},	436 notificationCallbacks: {},

439 loadFlags: 0,	437 loadFlags: 0,

440 INHIBIT_CACHING: 0,	438 INHIBIT_CACHING: 0,

441 VALIDATE_ALWAYS: 0,	439 VALIDATE_ALWAYS: 0,

442 QueryInterface: function()	440 QueryInterface: function()

443 {	441 {

444 return this;	442 return this;

445 }	443 }

446 }	444 }

447 };	445 };

LEFT	RIGHT