From f07ee7d3564b8e0dd2134b9b1bb2f32da554e4c4 Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Tue, 9 May 2023 22:09:13 -0700
Subject: [PATCH] Fetch: removed special treatment of forbidden headers. In c43261bad627 (0.7.10), a notion of forbidden headers was introduced in accordance in Fetch API. In the API the Forbidden headers are not allowed to be changed from JavaScript code for security reasons. The restriction is removed because there are use cases where Host (which is considered forbidden) is different from the host address in URL and JavaScript code is expected to be a trusted source (unlike a browser context). This closes #638 issue on Github.
---
 nginx/ngx_js_fetch.c | 65 --------------------------------------------
 1 file changed, 65 deletions(-)
diff --git a/nginx/ngx_js_fetch.c b/nginx/ngx_js_fetch.c
index 8d4dde4d..d74caa05 100644
--- a/nginx/ngx_js_fetch.c
+++ b/nginx/ngx_js_fetch.c
@@ -2184,43 +2184,6 @@ ngx_js_headers_append(njs_vm_t *vm, ngx_js_headers_t *headers,
 ngx_uint_t i;
 ngx_js_tb_elt_t *h, **ph;
 ngx_list_part_t *part;
- const njs_str_t *f;
-
- static const njs_str_t forbidded_request[] = {
- njs_str("Accept-Charset"),
- njs_str("Accept-Encoding"),
- njs_str("Access-Control-Request-Headers"),
- njs_str("Access-Control-Request-Method"),
- njs_str("Connection"),
- njs_str("Content-Length"),
- njs_str("Cookie"),
- njs_str("Date"),
- njs_str("DNT"),
- njs_str("Expect"),
- njs_str("Host"),
- njs_str("Keep-Alive"),
- njs_str("Origin"),
- njs_str("Referer"),
- njs_str("Set-Cookie"),
- njs_str("TE"),
- njs_str("Trailer"),
- njs_str("Transfer-Encoding"),
- njs_str("Upgrade"),
- njs_str("Via"),
- njs_null_str,
- };
-
- static const njs_str_t forbidded_response[] = {
- njs_str("Set-Cookie"),
- njs_str("Set-Cookie2"),
- njs_null_str,
- };
-
- static const njs_str_t forbidded_request_prefix[] = {
- njs_str("proxy-"),
- njs_str("sec-"),
- njs_null_str,
- };
 ngx_js_http_trim(&value, &vlen, 0);
@@ -2253,34 +2216,6 @@ ngx_js_headers_append(njs_vm_t *vm, ngx_js_headers_t *headers,
 return NJS_ERROR;
 }
- if (headers->guard == GUARD_REQUEST) {
- for (f = &forbidded_request[0]; f->length != 0; f++) {
- if (len == f->length
- && (njs_strncasecmp(name, f->start, len) == 0))
- {
- return NJS_OK;
- }
- }
-
- for (f = &forbidded_request_prefix[0]; f->length != 0; f++) {
- if (len >= f->length
- && (njs_strncasecmp(name, f->start, f->length) == 0))
- {
- return NJS_OK;
- }
- }
- }
-
- if (headers->guard == GUARD_RESPONSE) {
- for (f = &forbidded_response[0]; f->length != 0; f++) {
- if (len == f->length
- && (njs_strncasecmp(name, f->start, len) == 0))
- {
- return NJS_OK;
- }
- }
- }
-
 ph = NULL;
 part = &headers->header_list.part;
 h = part->elts;
--
2.47.3
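Review bot: After this deletion nothing in ngx_js_headers_append() records why a GUARD_REQUEST header set now accepts `Host`, `Content-Length`, `Transfer-Encoding` and `Connection`; the reasoning that script is a trusted source exists only in the commit message. I would leave a comment where the loops were, such as `/* Forbidden-header filtering is intentionally absent: njs code is trusted, so it must not copy client-supplied names or values here unchecked. */`. The use case cited is `Host` alone, so it may be worth confirming that a script-set `Content-Length` or `Transfer-Encoding` cannot disagree with the body framing the fetch code emits, which this hunk does not show. The function starts and ends outside the hunk.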