-rw-r--r--components/net/http_loader.rs11
-rw-r--r--components/script/dom/xmlhttprequest.rs34
-rw-r--r--tests/wpt/metadata/XMLHttpRequest/preserve-ua-header-on-redirect.htm.ini5
-rw-r--r--tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-allowed.htm.ini5
-rw-r--r--tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-forbidden.htm.ini5
-rw-r--r--tests/wpt/metadata/websockets/security/002.html.ini5
6 files changed, 30 insertions, 35 deletions
diff --git a/components/net/http_loader.rs b/components/net/http_loader.rs
index d1e0bef1068..07e1153a4e1 100644
--- a/components/net/http_loader.rs
+++ b/components/net/http_loader.rs
@@ -523,7 +523,16 @@ pub fn modify_request_headers(headers: &mut Headers,
port: doc_url.port_or_default()
};
headers.set(host);
- headers.set(UserAgent(user_agent.to_owned()));
+
+ // If the user-agent has not already been set, then use the
+ // browser's default user-agent or the user-agent override
+ // from the command line. If the user-agent is set, don't
+ // modify it, as setting of the user-agent by the user is
+ // allowed.
+ // https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch step 8
+ if !headers.has::<UserAgent>() {
+ headers.set(UserAgent(user_agent.to_owned()));
+ }
set_default_accept(headers);
set_default_accept_encoding(headers);
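Review bot: The new comment above `if !headers.has::<UserAgent>()` says the user-agent may be set "by the user", but the value kept here is whatever an earlier caller placed in `headers`. With the XHR change in this same commit, that can be page script via setRequestHeader, so the comment should say so, e.g. `// A User-Agent already present was set by the caller (e.g. page script via XHR setRequestHeader); keep it.` The guard passes a content-controlled value through and skips the command-line override, so the comment should also state that the header value is expected to have been validated before this call. That validation is not visible in the hunk. modify_request_headers starts before the hunk and continues after it.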
diff --git a/components/script/dom/xmlhttprequest.rs b/components/script/dom/xmlhttprequest.rs
index df2cb8810d8..255e4e0834d 100644
--- a/components/script/dom/xmlhttprequest.rs
+++ b/components/script/dom/xmlhttprequest.rs
@@ -423,20 +423,26 @@ impl XMLHttpRequestMethods for XMLHttpRequest {
let name_lower = name.to_lower();
let name_str = match name_lower.as_str() {
Some(s) => {
- match s {
- // Step 5
- // Disallowed headers
- "accept-charset" | "accept-encoding" |
- "access-control-request-headers" |
- "access-control-request-method" |
- "connection" | "content-length" |
- "cookie" | "cookie2" | "date" |"dnt" |
- "expect" | "host" | "keep-alive" | "origin" |
- "referer" | "te" | "trailer" | "transfer-encoding" |
- "upgrade" | "user-agent" | "via" => {
- return Ok(());
- },
- _ => s
+ // Step 5
+ // Disallowed headers and header prefixes:
+ // https://fetch.spec.whatwg.org/#forbidden-header-name
+ let disallowedHeaders =
+ ["accept-charset", "accept-encoding",
+ "access-control-request-headers",
+ "access-control-request-method",
+ "connection", "content-length",
+ "cookie", "cookie2", "date", "dnt",
+ "expect", "host", "keep-alive", "origin",
+ "referer", "te", "trailer", "transfer-encoding",
+ "upgrade", "via"];
+
+ let disallowedHeaderPrefixes = ["sec-", "proxy-"];
+
+ if disallowedHeaders.iter().any(|header| *header == s) ||
+ disallowedHeaderPrefixes.iter().any(|prefix| s.starts_with(prefix)) {
+ return Ok(())
+ } else {
+ s
}
},
None => unreachable!()
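Review bot: The new bindings `disallowedHeaders` and `disallowedHeaderPrefixes` are camelCase, which trips rustc's non_snake_case lint and is inconsistent with `name_lower` and `name_str` a few lines above; rename them to `disallowed_headers` and `disallowed_header_prefixes`. This list is the boundary on which headers script may set, so it would be easier to audit against the linked spec as module-level constants, e.g. `const FORBIDDEN_HEADER_PREFIXES: [&'static str; 2] = ["sec-", "proxy-"];`. The `starts_with` and equality checks are only correct because `s` comes from `name.to_lower()`, and a one-line comment saying so would protect against a later refactor that passes the raw name. The enclosing method starts and ends outside the hunk.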
diff --git a/tests/wpt/metadata/XMLHttpRequest/preserve-ua-header-on-redirect.htm.ini b/tests/wpt/metadata/XMLHttpRequest/preserve-ua-header-on-redirect.htm.ini
deleted file mode 100644
index 468b61c3512..00000000000
--- a/tests/wpt/metadata/XMLHttpRequest/preserve-ua-header-on-redirect.htm.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[preserve-ua-header-on-redirect.htm]
- type: testharness
- [XMLHttpRequest: User-Agent header is preserved on redirect 1]
- expected: FAIL
-
diff --git a/tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-allowed.htm.ini b/tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-allowed.htm.ini
deleted file mode 100644
index 04d3654a455..00000000000
--- a/tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-allowed.htm.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[setrequestheader-header-allowed.htm]
- type: testharness
- [XMLHttpRequest: setRequestHeader() - headers that are allowed (User-Agent)]
- expected: FAIL
-
diff --git a/tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-forbidden.htm.ini b/tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-forbidden.htm.ini
deleted file mode 100644
index e8a7062b952..00000000000
--- a/tests/wpt/metadata/XMLHttpRequest/setrequestheader-header-forbidden.htm.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[setrequestheader-header-forbidden.htm]
- type: testharness
- [XMLHttpRequest: setRequestHeader() - headers that are forbidden]
- expected: FAIL
-
diff --git a/tests/wpt/metadata/websockets/security/002.html.ini b/tests/wpt/metadata/websockets/security/002.html.ini
deleted file mode 100644
index facc1e108b9..00000000000
--- a/tests/wpt/metadata/websockets/security/002.html.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[002.html]
- type: testharness
- [WebSockets: check Sec-WebSocket-Key]
- expected: FAIL
-