lib/compat.js - Issue 29377825: Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th…

Keyboard Shortcuts

	File
u :	up to issue
m :	publish + mail comments
M :	edit review message
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line
<Enter> :	respond to / edit current comment
d :	mark current comment as done

	Issue
u :	up to list of issues
m :	publish + mail comments
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue
# :	close issue

	Comment/message editing
<Ctrl> + s or <Ctrl> + Enter :	save comment
<Esc> :	cancel edit

Unified Diff: lib/compat.js

Issue 29377825: Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th… (Closed) Base URL: https://hg.adblockplus.org/libadblockplus/

Patch Set: Forgot one more change from the review feedback. Created March 6, 2017, 5:56 p.m.

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: lib/compat.js

===================================================================

--- a/lib/compat.js

+++ b/lib/compat.js

@@ -292,16 +292,51 @@ XMLHttpRequest.prototype =

_loadHandlers: null,

_errorHandlers: null,

onload: null,

onerror: null,

status: 0,

readyState: 0,

responseText: null,

+ // list taken from https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name

+ _forbiddenRequestHeaders: {

+ "accept-charset": true,

+ "accept-encoding": true,

+ "access-control-request-headers": true,

+ "access-control-request-method": true,

+ "connection": true,

+ "content-length": true,

+ "cookie": true,

+ "cookie2": true,

+ "date": true,

+ "dnt": true,

+ "expect": true,

+ "host": true,

+ "keep-alive": true,

+ "origin": true,

+ "referer": true,

+ "te": true,

+ "trailer": true,

+ "transfer-encoding": true,

+ "upgrade": true,

+ "via": true,

+ },

+ _forbiddenRequestHeadersRe: new RegExp("^(Proxy|Sec)-", "i"),

+ _isRequestHeaderAllowed: function(header)

+ {

+ if (this._forbiddenRequestHeaders.hasOwnProperty(header.toLowerCase()))

+ return false;

+ if (header.match(this._forbiddenRequestHeadersRe))

+ return false;

+ return true;

+ },

addEventListener: function(eventName, handler, capture)

{

var list;

if (eventName == "load")

list = this._loadHandlers;

else if (eventName == "error")

list = this._errorHandlers;

else

@@ -375,17 +410,20 @@ XMLHttpRequest.prototype =

{

setRequestHeader: function(name, value)

{

if (this.readyState > 1)

throw new Error("Cannot set request header after sending");

- this._requestHeaders[name] = value;

+ if (this._isRequestHeaderAllowed(name))

+ this._requestHeaders[name] = value;

+ else

+ console.warn("Attempt to set a forbidden header was denied: " + name);

getResponseHeader: function(name)

{

name = name.toLowerCase();

if (!this._responseHeaders || !this._responseHeaders.hasOwnProperty(name))

return null;

else

« no previous file with comments | « no previous file | test/WebRequest.cpp » ('j') | no next file with comments »