author | bors-servo <lbergstrom+bors@mozilla.com> | 2016-02-27 22:09:46 +0530 |
---|---|---|
committer | bors-servo <lbergstrom+bors@mozilla.com> | 2016-02-27 22:09:46 +0530 |
commit | 4a7d234510d5a5f6b2b960a84f70a7260e1fc0a9 (patch) | |
tree | 79976f78baadbb6b6a389f1e4f6a8a0ac4ae3cb8 /components | |
parent | 4e244b16dd3c050a8d6b24ee9209caf116462317 (diff) | |
parent | 3a949b77b2a078a2bf6c257fcf1037946d50fe53 (diff) | |
Auto merge of #9768 - jdm:add_disallowed_prefixes, r=jdm
disallow restricted XMLHttpRequest header prefixes
Rebased from #9376.
Diffstat (limited to 'components')
-rw-r--r-- | components/net/http_loader.rs | 11 | ||||
-rw-r--r-- | components/script/dom/xmlhttprequest.rs | 34 |
2 files changed, 30 insertions, 15 deletions
diff --git a/components/net/http_loader.rs b/components/net/http_loader.rs
index d1e0bef1068..07e1153a4e1 100644
--- a/components/net/http_loader.rs
+++ b/components/net/http_loader.rs
@@ -523,7 +523,16 @@ pub fn modify_request_headers(headers: &mut Headers,
         port: doc_url.port_or_default()
     };
     headers.set(host);
-    headers.set(UserAgent(user_agent.to_owned()));
+
+    // If the user-agent has not already been set, then use the
+    // browser's default user-agent or the user-agent override
+    // from the command line. If the user-agent is set, don't
+    // modify it, as setting of the user-agent by the user is
+    // allowed.
+    // https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch step 8
+    if !headers.has::<UserAgent>() {
+        headers.set(UserAgent(user_agent.to_owned()));
+    }
 
     set_default_accept(headers);
     set_default_accept_encoding(headers);
diff --git a/components/script/dom/xmlhttprequest.rs b/components/script/dom/xmlhttprequest.rs
index df2cb8810d8..255e4e0834d 100644
--- a/components/script/dom/xmlhttprequest.rs
+++ b/components/script/dom/xmlhttprequest.rs
@@ -423,20 +423,26 @@ impl XMLHttpRequestMethods for XMLHttpRequest {
         let name_lower = name.to_lower();
         let name_str = match name_lower.as_str() {
             Some(s) => {
-                match s {
-                    // Step 5
-                    // Disallowed headers
-                    "accept-charset" | "accept-encoding" |
-                    "access-control-request-headers" |
-                    "access-control-request-method" |
-                    "connection" | "content-length" |
-                    "cookie" | "cookie2" | "date" |"dnt" |
-                    "expect" | "host" | "keep-alive" | "origin" |
-                    "referer" | "te" | "trailer" | "transfer-encoding" |
-                    "upgrade" | "user-agent" | "via" => {
-                        return Ok(());
-                    },
-                    _ => s
+                // Step 5
+                // Disallowed headers and header prefixes:
+                // https://fetch.spec.whatwg.org/#forbidden-header-name
+                let disallowedHeaders =
+                    ["accept-charset", "accept-encoding",
+                     "access-control-request-headers",
+                     "access-control-request-method",
+                     "connection", "content-length",
+                     "cookie", "cookie2", "date", "dnt",
+                     "expect", "host", "keep-alive", "origin",
+                     "referer", "te", "trailer", "transfer-encoding",
+                     "upgrade", "via"];
+
+                let disallowedHeaderPrefixes = ["sec-", "proxy-"];
+
+                if disallowedHeaders.iter().any(|header| *header == s) ||
+                   disallowedHeaderPrefixes.iter().any(|prefix| s.starts_with(prefix)) {
+                    return Ok(())
+                } else {
+                    s
                 }
             },
             None => unreachable!()
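Review bot: The new locals `disallowedHeaders` and `disallowedHeaderPrefixes` are camelCase, which rustc warns about under `non_snake_case` and which the neighbouring context lines (`name_lower`, `name_str`) do not use; rename them `disallowed_headers` and `disallowed_header_prefixes`. Both tables are fixed data, so they could also be hoisted to module-level `static DISALLOWED_HEADERS: &[&str]` / `static DISALLOWED_HEADER_PREFIXES: &[&str]` instead of being rebuilt on every setRequestHeader call. The prefix test is only correct because `s` comes from `name.to_lower()` on the context line above; a comment such as `// s is already lowercased, so the prefix checks are case-insensitive` would keep that dependency from being broken by a later refactor. The enclosing method starts and ends outside the hunk.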