authorChandler Abraham <cabraham@twitter.com>2016-01-18 18:04:21 -0800
committerJosh Matthews <josh@joshmatthews.net>2016-02-26 11:04:33 -0500
commitc375ad5e952dbb481286c17ee9158c8c4c77a38a (patch)
treee5603da652f905171f590926760e857acbaffd0e /components/script/dom/xmlhttprequest.rs
parentaaad24c5312367921c0d2eab117c3fa587018114 (diff)
downloadservo-c375ad5e952dbb481286c17ee9158c8c4c77a38a.tar.gz
servo-c375ad5e952dbb481286c17ee9158c8c4c77a38a.zip
disallow restricted XMLHttpRequest header prefixes
Diffstat (limited to 'components/script/dom/xmlhttprequest.rs')
-rw-r--r--components/script/dom/xmlhttprequest.rs34
1 files changed, 20 insertions, 14 deletions
diff --git a/components/script/dom/xmlhttprequest.rs b/components/script/dom/xmlhttprequest.rs
index df2cb8810d8..bfd2becd0d0 100644
--- a/components/script/dom/xmlhttprequest.rs
+++ b/components/script/dom/xmlhttprequest.rs
@@ -423,20 +423,26 @@ impl XMLHttpRequestMethods for XMLHttpRequest {
let name_lower = name.to_lower();
let name_str = match name_lower.as_str() {
Some(s) => {
- match s {
- // Step 5
- // Disallowed headers
- "accept-charset" | "accept-encoding" |
- "access-control-request-headers" |
- "access-control-request-method" |
- "connection" | "content-length" |
- "cookie" | "cookie2" | "date" |"dnt" |
- "expect" | "host" | "keep-alive" | "origin" |
- "referer" | "te" | "trailer" | "transfer-encoding" |
- "upgrade" | "user-agent" | "via" => {
- return Ok(());
- },
- _ => s
+ // Step 5
+ // Disallowed headers and header prefixes:
+ // https://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method
+ let disallowedHeaders =
+ ["accept-charset", "accept-encoding",
+ "access-control-request-headers",
+ "access-control-request-method",
+ "connection", "content-length",
+ "cookie", "cookie2", "date", "dnt",
+ "expect", "host", "keep-alive", "origin",
+ "referer", "te", "trailer", "transfer-encoding",
+ "upgrade", "user-agent", "via"];
+
+ let disallowedHeaderPrefixes = ["sec-", "proxy-"];
+
+ if disallowedHeaders.iter().any(|header| *header == s) ||
+ disallowedHeaderPrefixes.iter().any(|prefix| s.starts_with(prefix)) {
+ return Ok(())
+ } else {
+ s
}
},
None => unreachable!()
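Review bot: `disallowedHeaders` and `disallowedHeaderPrefixes` (L43, L53) are camelCase locals, which rustc flags with `non_snake_case`, and both are re-created on every `SetRequestHeader` call even though they are compile-time literals; hoist them to module-level constants such as `const FORBIDDEN_HEADER_NAMES: &[&str] = &["accept-charset", …];` and `const FORBIDDEN_HEADER_PREFIXES: &[&str] = &["sec-", "proxy-"];` and reference them from the match arm. The prefix check is correct only because `name_lower` has already been byte-lowercased a few lines above, so it is worth saying so in the comment, e.g. `// name_lower is already lowercased, so these comparisons are byte-case-insensitive as the spec requires.`, to keep a future refactor from moving the lowercasing after the check. The cited W3C TR draft is superseded; the forbidden-name list (including the `Proxy-`/`Sec-` prefixes) now lives in the Fetch standard, so the link should point at "forbidden header name" there and at xhr.spec.whatwg.org for the setRequestHeader steps. Silently returning `Ok(())` for a forbidden name matches the spec's "terminate these steps" and should stay as is; whether the header-name validity check (SyntaxError) runs before this step cannot be seen here, since the enclosing method begins and ends outside the hunk.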