Index: lib/compat.js |
=================================================================== |
--- a/lib/compat.js |
+++ b/lib/compat.js |
@@ -292,16 +292,52 @@ XMLHttpRequest.prototype = |
_loadHandlers: null, |
_errorHandlers: null, |
onload: null, |
onerror: null, |
status: 0, |
readyState: 0, |
responseText: null, |
+ // list taken from https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name |
+ _forbiddenRequestHeaders: { |
+ "accept-charset": true, |
+ "accept-encoding": true, |
+ "access-control-request-headers": true, |
+ "access-control-request-method": true, |
+ "connection": true, |
+ "content-length": true, |
+ "cookie": true, |
+ "cookie2": true, |
+ "date": true, |
+ "dnt": true, |
+ "expect": true, |
+ "host": true, |
+ "keep-alive": true, |
+ "origin": true, |
+ "referer": true, |
+ "te": true, |
+ "trailer": true, |
+ "transfer-encoding": true, |
+ "upgrade": true, |
+ "via": true, |
+ }, |
+ _forbiddenRequestHeadersRe: new RegExp("^(Proxy|Sec)-", "i"), |
+ |
+ _isRequestHeaderAllowed: function(header) |
+ { |
+ if (this._forbiddenRequestHeaders[header.toLowerCase()] !== undefined) { |
sergei
2017/03/02 22:25:31
Actually it's not according to our coding style, s
hub
2017/03/02 23:30:12
Acknowledged.
|
+ return false; |
+ } |
+ if (header.match(this._forbiddenRequestHeadersRe)) { |
+ return false; |
+ } |
+ return true; |
+ }, |
+ |
addEventListener: function(eventName, handler, capture) |
{ |
var list; |
if (eventName == "load") |
list = this._loadHandlers; |
else if (eventName == "error") |
list = this._errorHandlers; |
else |
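Review bot: The lookup `this._forbiddenRequestHeaders[header.toLowerCase()] !== undefined` in `_isRequestHeaderAllowed` also matches keys inherited from `Object.prototype`, so a header named e.g. `toString`, `constructor` or `__proto__` is rejected even though it is not on the forbidden list, while the check is meant to cover only the literal's own entries. The file already uses an own-property test in `getResponseHeader` (`this._responseHeaders.hasOwnProperty(name)`), so the same form keeps the two consistent: `if (this._forbiddenRequestHeaders.hasOwnProperty(header.toLowerCase())) {`. Both `toLowerCase()` and `match()` throw a TypeError when `header` is not a string, which the previous unconditional assignment did not; if non-string names can reach `setRequestHeader` that is a behavior change worth a comment or a `String(header)` coercion — I cannot tell from this hunk whether they can. As a point of style, `this._forbiddenRequestHeadersRe.test(header)` reads more directly than `header.match(...)` when only a boolean is needed.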
@@ -375,17 +411,21 @@ XMLHttpRequest.prototype = |
{ |
}, |
setRequestHeader: function(name, value) |
{ |
if (this.readyState > 1) |
throw new Error("Cannot set request header after sending"); |
- this._requestHeaders[name] = value; |
+ if (this._isRequestHeaderAllowed(name)) { |
+ this._requestHeaders[name] = value; |
+ } else { |
+ console.warning("Attempt to set a forbidden header was denied: " + name); |
sergei
2017/03/02 22:25:31
the name of the method should be "warn"
hub
2017/03/02 23:30:12
Looks like my testing has failed here. Will defini
|
+ } |
}, |
getResponseHeader: function(name) |
{ |
name = name.toLowerCase(); |
if (!this._responseHeaders || !this._responseHeaders.hasOwnProperty(name)) |
return null; |
else |