
Unified Diff: lib/compat.js

Issue 29377825: Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th… (Closed) Base URL: https://hg.adblockplus.org/libadblockplus/
Patch Set: Reworked the testing. Addressed review comments. Created March 3, 2017, 4:05 a.m.
Index: lib/compat.js
===================================================================
--- a/lib/compat.js
+++ b/lib/compat.js
@@ -292,16 +292,52 @@ XMLHttpRequest.prototype =
_loadHandlers: null,
_errorHandlers: null,
onload: null,
onerror: null,
status: 0,
readyState: 0,
responseText: null,
+ // list taken from https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
+ _forbiddenRequestHeaders: {
+ "accept-charset": true,
Felix Dahlke 2017/03/03 08:33:05 The v8 version we use should support Set [1], it s
hub 2017/03/03 13:44:16 It seems not C++ exception with description "Refer
+ "accept-encoding": true,
+ "access-control-request-headers": true,
+ "access-control-request-method": true,
+ "connection": true,
+ "content-length": true,
+ "cookie": true,
+ "cookie2": true,
+ "date": true,
+ "dnt": true,
+ "expect": true,
+ "host": true,
+ "keep-alive": true,
+ "origin": true,
+ "referer": true,
+ "te": true,
+ "trailer": true,
+ "transfer-encoding": true,
+ "upgrade": true,
+ "via": true,
+ },
+ _forbiddenRequestHeadersRe: new RegExp("^(Proxy|Sec)-", "i"),
+
+ _isRequestHeaderAllowed: function(header)
+ {
+ if (this._forbiddenRequestHeaders.hasOwnProperty(header.toLowerCase())) {
Felix Dahlke 2017/03/03 08:33:05 Nit: Opening braces go on their own line where pos
hub 2017/03/03 13:44:16 Acknowledged.
+ return false;
+ }
+ if (header.match(this._forbiddenRequestHeadersRe)) {
+ return false;
+ }
+ return true;
+ },
+
addEventListener: function(eventName, handler, capture)
{
var list;
if (eventName == "load")
list = this._loadHandlers;
else if (eventName == "error")
list = this._errorHandlers;
else
@@ -375,17 +411,21 @@ XMLHttpRequest.prototype =
{
},
setRequestHeader: function(name, value)
{
if (this.readyState > 1)
throw new Error("Cannot set request header after sending");
- this._requestHeaders[name] = value;
+ if (this._isRequestHeaderAllowed(name)) {
+ this._requestHeaders[name] = value;
+ } else {
+ console.warn("Attempt to set a forbidden header was denied: " + name);
+ }
},
getResponseHeader: function(name)
{
name = name.toLowerCase();
if (!this._responseHeaders || !this._responseHeaders.hasOwnProperty(name))
return null;
else
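Review bot: `_isRequestHeaderAllowed` in the first hunk only compares the lowercased name against the list and the Proxy-/Sec- prefix regex, so a name that is not a valid HTTP header token is still accepted; browser XMLHttpRequest rejects such names with SyntaxError, and without that check a name or value containing CR/LF can carry a forbidden header past the filter if the native request layer writes headers verbatim. Whether the C++ WebRequest layer already validates header syntax is not visible here, so the JS check may only be a second line of defence, but it is cheap. Suggest validating the name as an RFC 7230 token before the lookup (below), and in `setRequestHeader` rejecting values with line breaks the same way the readyState case is handled: `if (/[\r\n]/.test(String(value))) throw new Error("Invalid request header value");`. Using `re.test(header)` instead of `header.match(re)` where only a boolean is needed also avoids building a match array.
```javascript
  _forbiddenRequestHeadersRe: new RegExp("^(Proxy|Sec)-", "i"),
  // RFC 7230 "token": the only characters a header name may contain
  _headerTokenRe: new RegExp("^[!#$%&'*+.^_`|~0-9A-Za-z-]+$"),

  _isRequestHeaderAllowed: function(header)
  {
    // Names that are not tokens (separators, control characters, non-strings)
    // are denied before the lookup, as a browser XHR would do.
    if (typeof header != "string" || !this._headerTokenRe.test(header))
      return false;
    if (this._forbiddenRequestHeaders.hasOwnProperty(header.toLowerCase()))
      return false;
    return !this._forbiddenRequestHeadersRe.test(header);
  },
```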
