[njs] Fetch: removed special treatment of forbidden headers.

Dmitry Volyntsev
May 11, 2023 12:28AM
details: https://hg.nginx.org/njs/rev/4aed0532158c
branches:
changeset: 2113:4aed0532158c
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Tue May 09 22:09:13 2023 -0700
description:
Fetch: removed special treatment of forbidden headers.

In c43261bad627 (0.7.10), a notion of forbidden headers was introduced
in accordance with the Fetch API. In the API, the forbidden headers are not
allowed to be changed from JavaScript code for security reasons.

The restriction is removed because there are use cases where Host (which
is considered forbidden) is different from the host address in
URL and JavaScript code is expected to be a trusted source (unlike a
browser context).

This closes issue #638 on GitHub.

diffstat:

nginx/ngx_js_fetch.c | 65 ----------------------------------------------------
1 files changed, 0 insertions(+), 65 deletions(-)

diffs (82 lines):

diff -r 70e7701a4588 -r 4aed0532158c nginx/ngx_js_fetch.c
--- a/nginx/ngx_js_fetch.c Tue May 09 18:58:52 2023 -0700
+++ b/nginx/ngx_js_fetch.c Tue May 09 22:09:13 2023 -0700
@@ -2184,43 +2184,6 @@ ngx_js_headers_append(njs_vm_t *vm, ngx_
ngx_uint_t i;
ngx_js_tb_elt_t *h, **ph;
ngx_list_part_t *part;
- const njs_str_t *f;
-
- static const njs_str_t forbidded_request[] = {
- njs_str("Accept-Charset"),
- njs_str("Accept-Encoding"),
- njs_str("Access-Control-Request-Headers"),
- njs_str("Access-Control-Request-Method"),
- njs_str("Connection"),
- njs_str("Content-Length"),
- njs_str("Cookie"),
- njs_str("Date"),
- njs_str("DNT"),
- njs_str("Expect"),
- njs_str("Host"),
- njs_str("Keep-Alive"),
- njs_str("Origin"),
- njs_str("Referer"),
- njs_str("Set-Cookie"),
- njs_str("TE"),
- njs_str("Trailer"),
- njs_str("Transfer-Encoding"),
- njs_str("Upgrade"),
- njs_str("Via"),
- njs_null_str,
- };
-
- static const njs_str_t forbidded_response[] = {
- njs_str("Set-Cookie"),
- njs_str("Set-Cookie2"),
- njs_null_str,
- };
-
- static const njs_str_t forbidded_request_prefix[] = {
- njs_str("proxy-"),
- njs_str("sec-"),
- njs_null_str,
- };

ngx_js_http_trim(&value, &vlen, 0);
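Review bot: the description motivates this with Host only, but the removed forbidded_request[] table also drops Content-Length, Transfer-Encoding, Connection, Upgrade and the "proxy-"/"sec-" prefixes, and forbidded_response[] goes with it. Since the rationale is that JavaScript code is a trusted source, the commit message or the module documentation should state that all of these names are now settable from script, and that a script which copies client-supplied values into a Headers object is responsible for validating them. If only Host was needed for the use case in #638, consider whether the framing headers (Content-Length, Transfer-Encoding) should stay restricted.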

@@ -2253,34 +2216,6 @@ ngx_js_headers_append(njs_vm_t *vm, ngx_
return NJS_ERROR;
}

- if (headers->guard == GUARD_REQUEST) {
- for (f = &forbidded_request[0]; f->length != 0; f++) {
- if (len == f->length
- && (njs_strncasecmp(name, f->start, len) == 0))
- {
- return NJS_OK;
- }
- }
-
- for (f = &forbidded_request_prefix[0]; f->length != 0; f++) {
- if (len >= f->length
- && (njs_strncasecmp(name, f->start, f->length) == 0))
- {
- return NJS_OK;
- }
- }
- }
-
- if (headers->guard == GUARD_RESPONSE) {
- for (f = &forbidded_response[0]; f->length != 0; f++) {
- if (len == f->length
- && (njs_strncasecmp(name, f->start, len) == 0))
- {
- return NJS_OK;
- }
- }
- }
-
ph = NULL;
part = &headers->header_list.part;
h = part->elts;
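Review bot: the removed GUARD_REQUEST and GUARD_RESPONSE branches returned NJS_OK without appending, so existing scripts that set one of these names were silently ignored and will now change what is sent, with no error in either case. The diffstat shows only nginx/ngx_js_fetch.c changed, so please add a test that a script-supplied Host differing from the URL host is actually stored by ngx_js_headers_append(), and mention the behaviour change in the release notes. It is also worth checking whether headers->guard is still read anywhere in this function after the removal; if not, say so in the description.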
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel