diff options
Diffstat (limited to 'components/script/dom/xmlhttprequest.rs')
| -rw-r--r-- | components/script/dom/xmlhttprequest.rs | 34 |
1 files changed, 20 insertions, 14 deletions
diff --git a/components/script/dom/xmlhttprequest.rs b/components/script/dom/xmlhttprequest.rs index df2cb8810d8..bfd2becd0d0 100644 --- a/components/script/dom/xmlhttprequest.rs +++ b/components/script/dom/xmlhttprequest.rs @@ -423,20 +423,26 @@ impl XMLHttpRequestMethods for XMLHttpRequest { let name_lower = name.to_lower(); let name_str = match name_lower.as_str() { Some(s) => { - match s { - // Step 5 - // Disallowed headers - "accept-charset" | "accept-encoding" | - "access-control-request-headers" | - "access-control-request-method" | - "connection" | "content-length" | - "cookie" | "cookie2" | "date" |"dnt" | - "expect" | "host" | "keep-alive" | "origin" | - "referer" | "te" | "trailer" | "transfer-encoding" | - "upgrade" | "user-agent" | "via" => { - return Ok(()); - }, - _ => s + // Step 5 + // Disallowed headers and header prefixes: + // https://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method + let disallowedHeaders = + ["accept-charset", "accept-encoding", + "access-control-request-headers", + "access-control-request-method", + "connection", "content-length", + "cookie", "cookie2", "date", "dnt", + "expect", "host", "keep-alive", "origin", + "referer", "te", "trailer", "transfer-encoding", + "upgrade", "user-agent", "via"]; + + let disallowedHeaderPrefixes = ["sec-", "proxy-"]; + + if disallowedHeaders.iter().any(|header| *header == s) || + disallowedHeaderPrefixes.iter().any(|prefix| s.starts_with(prefix)) { + return Ok(()) + } else { + s } }, None => unreachable!() |