Skip to content

Commit b9a9290

Browse files
apapirovskijasnell
apapirovski
authored and
jasnell
committed
http2: expand list of known headers
Add access-control-*, dnt, forwarded, trailer, tk, upgrade-insecure-requests, warning, x-content-type-options and x-frame-options to known list of headers for HTTP2. Expand tests to account for these headers. Fixes: #15337 Refs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers Refs: https://www.w3.org/TR/cors/#syntax Refs: https://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#dnt-header-field Refs: https://tools.ietf.org/html/rfc7239#section-4 Refs: https://tools.ietf.org/html/rfc7230#section-4.4 Refs: https://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#response-header-field Refs: https://www.w3.org/TR/upgrade-insecure-requests/#preference Refs: https://tools.ietf.org/html/rfc7234#section-5.5 Refs: https://fetch.spec.whatwg.org/#x-content-type-options-header Refs: https://tools.ietf.org/html/rfc7034 PR-URL: #15434 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
1 parent 771c2ac commit b9a9290

File tree

4 files changed

+79
-3
lines changed

4 files changed

+79
-3
lines changed

lib/internal/http2/util.js

Lines changed: 15 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,9 @@ const {
99
HTTP2_HEADER_AUTHORITY,
1010
HTTP2_HEADER_SCHEME,
1111
HTTP2_HEADER_PATH,
12+
HTTP2_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS,
13+
HTTP2_HEADER_ACCESS_CONTROL_MAX_AGE,
14+
HTTP2_HEADER_ACCESS_CONTROL_REQUEST_METHOD,
1215
HTTP2_HEADER_AGE,
1316
HTTP2_HEADER_AUTHORIZATION,
1417
HTTP2_HEADER_CONTENT_ENCODING,
@@ -20,6 +23,7 @@ const {
2023
HTTP2_HEADER_CONTENT_TYPE,
2124
HTTP2_HEADER_COOKIE,
2225
HTTP2_HEADER_DATE,
26+
HTTP2_HEADER_DNT,
2327
HTTP2_HEADER_ETAG,
2428
HTTP2_HEADER_EXPIRES,
2529
HTTP2_HEADER_FROM,
@@ -36,7 +40,10 @@ const {
3640
HTTP2_HEADER_REFERER,
3741
HTTP2_HEADER_RETRY_AFTER,
3842
HTTP2_HEADER_SET_COOKIE,
43+
HTTP2_HEADER_TK,
44+
HTTP2_HEADER_UPGRADE_INSECURE_REQUESTS,
3945
HTTP2_HEADER_USER_AGENT,
46+
HTTP2_HEADER_X_CONTENT_TYPE_OPTIONS,
4047

4148
HTTP2_HEADER_CONNECTION,
4249
HTTP2_HEADER_UPGRADE,
@@ -71,6 +78,9 @@ const kSingleValueHeaders = new Set([
7178
HTTP2_HEADER_AUTHORITY,
7279
HTTP2_HEADER_SCHEME,
7380
HTTP2_HEADER_PATH,
81+
HTTP2_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS,
82+
HTTP2_HEADER_ACCESS_CONTROL_MAX_AGE,
83+
HTTP2_HEADER_ACCESS_CONTROL_REQUEST_METHOD,
7484
HTTP2_HEADER_AGE,
7585
HTTP2_HEADER_AUTHORIZATION,
7686
HTTP2_HEADER_CONTENT_ENCODING,
@@ -81,6 +91,7 @@ const kSingleValueHeaders = new Set([
8191
HTTP2_HEADER_CONTENT_RANGE,
8292
HTTP2_HEADER_CONTENT_TYPE,
8393
HTTP2_HEADER_DATE,
94+
HTTP2_HEADER_DNT,
8495
HTTP2_HEADER_ETAG,
8596
HTTP2_HEADER_EXPIRES,
8697
HTTP2_HEADER_FROM,
@@ -96,7 +107,10 @@ const kSingleValueHeaders = new Set([
96107
HTTP2_HEADER_RANGE,
97108
HTTP2_HEADER_REFERER,
98109
HTTP2_HEADER_RETRY_AFTER,
99-
HTTP2_HEADER_USER_AGENT
110+
HTTP2_HEADER_TK,
111+
HTTP2_HEADER_UPGRADE_INSECURE_REQUESTS,
112+
HTTP2_HEADER_USER_AGENT,
113+
HTTP2_HEADER_X_CONTENT_TYPE_OPTIONS
100114
]);
101115

102116
// The HTTP methods in this set are specifically defined as assigning no

src/node_http2.h

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -68,7 +68,14 @@ using v8::MaybeLocal;
6868
V(ACCEPT_LANGUAGE, "accept-language") \
6969
V(ACCEPT_RANGES, "accept-ranges") \
7070
V(ACCEPT, "accept") \
71+
V(ACCESS_CONTROL_ALLOW_CREDENTIALS, "access-control-allow-credentials") \
72+
V(ACCESS_CONTROL_ALLOW_HEADERS, "access-control-allow-headers") \
73+
V(ACCESS_CONTROL_ALLOW_METHODS, "access-control-allow-methods") \
7174
V(ACCESS_CONTROL_ALLOW_ORIGIN, "access-control-allow-origin") \
75+
V(ACCESS_CONTROL_EXPOSE_HEADERS, "access-control-expose-headers") \
76+
V(ACCESS_CONTROL_MAX_AGE, "access-control-max-age") \
77+
V(ACCESS_CONTROL_REQUEST_HEADERS, "access-control-request-headers") \
78+
V(ACCESS_CONTROL_REQUEST_METHOD, "access-control-request-method") \
7279
V(AGE, "age") \
7380
V(ALLOW, "allow") \
7481
V(AUTHORIZATION, "authorization") \
@@ -84,9 +91,11 @@ using v8::MaybeLocal;
8491
V(CONTENT_TYPE, "content-type") \
8592
V(COOKIE, "cookie") \
8693
V(DATE, "date") \
94+
V(DNT, "dnt") \
8795
V(ETAG, "etag") \
8896
V(EXPECT, "expect") \
8997
V(EXPIRES, "expires") \
98+
V(FORWARDED, "forwarded") \
9099
V(FROM, "from") \
91100
V(HOST, "host") \
92101
V(IF_MATCH, "if-match") \
@@ -108,13 +117,19 @@ using v8::MaybeLocal;
108117
V(SERVER, "server") \
109118
V(SET_COOKIE, "set-cookie") \
110119
V(STRICT_TRANSPORT_SECURITY, "strict-transport-security") \
120+
V(TRAILER, "trailer") \
111121
V(TRANSFER_ENCODING, "transfer-encoding") \
112122
V(TE, "te") \
123+
V(TK, "tk") \
124+
V(UPGRADE_INSECURE_REQUESTS, "upgrade-insecure-requests") \
113125
V(UPGRADE, "upgrade") \
114126
V(USER_AGENT, "user-agent") \
115127
V(VARY, "vary") \
116128
V(VIA, "via") \
129+
V(WARNING, "warning") \
117130
V(WWW_AUTHENTICATE, "www-authenticate") \
131+
V(X_CONTENT_TYPE_OPTIONS, "x-content-type-options") \
132+
V(X_FRAME_OPTIONS, "x-frame-options") \
118133
V(HTTP2_SETTINGS, "http2-settings") \
119134
V(KEEP_ALIVE, "keep-alive") \
120135
V(PROXY_CONNECTION, "proxy-connection")

test/parallel/test-http2-binding.js

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -105,7 +105,14 @@ const expectedHeaderNames = {
105105
HTTP2_HEADER_ACCEPT_LANGUAGE: 'accept-language',
106106
HTTP2_HEADER_ACCEPT_RANGES: 'accept-ranges',
107107
HTTP2_HEADER_ACCEPT: 'accept',
108+
HTTP2_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS: 'access-control-allow-credentials', // eslint-disable-line max-len
109+
HTTP2_HEADER_ACCESS_CONTROL_ALLOW_HEADERS: 'access-control-allow-headers',
110+
HTTP2_HEADER_ACCESS_CONTROL_ALLOW_METHODS: 'access-control-allow-methods',
108111
HTTP2_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN: 'access-control-allow-origin',
112+
HTTP2_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS: 'access-control-expose-headers',
113+
HTTP2_HEADER_ACCESS_CONTROL_MAX_AGE: 'access-control-max-age',
114+
HTTP2_HEADER_ACCESS_CONTROL_REQUEST_HEADERS: 'access-control-request-headers',
115+
HTTP2_HEADER_ACCESS_CONTROL_REQUEST_METHOD: 'access-control-request-method',
109116
HTTP2_HEADER_AGE: 'age',
110117
HTTP2_HEADER_ALLOW: 'allow',
111118
HTTP2_HEADER_AUTHORIZATION: 'authorization',
@@ -119,9 +126,11 @@ const expectedHeaderNames = {
119126
HTTP2_HEADER_CONTENT_TYPE: 'content-type',
120127
HTTP2_HEADER_COOKIE: 'cookie',
121128
HTTP2_HEADER_CONNECTION: 'connection',
129+
HTTP2_HEADER_DNT: 'dnt',
122130
HTTP2_HEADER_ETAG: 'etag',
123131
HTTP2_HEADER_EXPECT: 'expect',
124132
HTTP2_HEADER_EXPIRES: 'expires',
133+
HTTP2_HEADER_FORWARDED: 'forwarded',
125134
HTTP2_HEADER_FROM: 'from',
126135
HTTP2_HEADER_HOST: 'host',
127136
HTTP2_HEADER_IF_MATCH: 'if-match',
@@ -144,11 +153,17 @@ const expectedHeaderNames = {
144153
HTTP2_HEADER_SERVER: 'server',
145154
HTTP2_HEADER_SET_COOKIE: 'set-cookie',
146155
HTTP2_HEADER_STRICT_TRANSPORT_SECURITY: 'strict-transport-security',
156+
HTTP2_HEADER_TRAILER: 'trailer',
147157
HTTP2_HEADER_TRANSFER_ENCODING: 'transfer-encoding',
158+
HTTP2_HEADER_TK: 'tk',
159+
HTTP2_HEADER_UPGRADE_INSECURE_REQUESTS: 'upgrade-insecure-requests',
148160
HTTP2_HEADER_USER_AGENT: 'user-agent',
149161
HTTP2_HEADER_VARY: 'vary',
150162
HTTP2_HEADER_VIA: 'via',
163+
HTTP2_HEADER_WARNING: 'warning',
151164
HTTP2_HEADER_WWW_AUTHENTICATE: 'www-authenticate',
165+
HTTP2_HEADER_X_CONTENT_TYPE_OPTIONS: 'x-content-type-options',
166+
HTTP2_HEADER_X_FRAME_OPTIONS: 'x-frame-options',
152167
HTTP2_HEADER_KEEP_ALIVE: 'keep-alive',
153168
HTTP2_HEADER_CONTENT_MD5: 'content-md5',
154169
HTTP2_HEADER_TE: 'te',

test/parallel/test-http2-util-headers-list.js

Lines changed: 34 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,9 @@ const {
1414
HTTP2_HEADER_AUTHORITY,
1515
HTTP2_HEADER_SCHEME,
1616
HTTP2_HEADER_PATH,
17+
HTTP2_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS,
18+
HTTP2_HEADER_ACCESS_CONTROL_MAX_AGE,
19+
HTTP2_HEADER_ACCESS_CONTROL_REQUEST_METHOD,
1720
HTTP2_HEADER_AGE,
1821
HTTP2_HEADER_AUTHORIZATION,
1922
HTTP2_HEADER_CONTENT_ENCODING,
@@ -24,6 +27,7 @@ const {
2427
HTTP2_HEADER_CONTENT_RANGE,
2528
HTTP2_HEADER_CONTENT_TYPE,
2629
HTTP2_HEADER_DATE,
30+
HTTP2_HEADER_DNT,
2731
HTTP2_HEADER_ETAG,
2832
HTTP2_HEADER_EXPIRES,
2933
HTTP2_HEADER_FROM,
@@ -33,34 +37,46 @@ const {
3337
HTTP2_HEADER_IF_RANGE,
3438
HTTP2_HEADER_IF_UNMODIFIED_SINCE,
3539
HTTP2_HEADER_LAST_MODIFIED,
40+
HTTP2_HEADER_LOCATION,
3641
HTTP2_HEADER_MAX_FORWARDS,
3742
HTTP2_HEADER_PROXY_AUTHORIZATION,
3843
HTTP2_HEADER_RANGE,
3944
HTTP2_HEADER_REFERER,
4045
HTTP2_HEADER_RETRY_AFTER,
46+
HTTP2_HEADER_TK,
47+
HTTP2_HEADER_UPGRADE_INSECURE_REQUESTS,
4148
HTTP2_HEADER_USER_AGENT,
49+
HTTP2_HEADER_X_CONTENT_TYPE_OPTIONS,
4250

4351
HTTP2_HEADER_ACCEPT_CHARSET,
4452
HTTP2_HEADER_ACCEPT_ENCODING,
4553
HTTP2_HEADER_ACCEPT_LANGUAGE,
4654
HTTP2_HEADER_ACCEPT_RANGES,
4755
HTTP2_HEADER_ACCEPT,
56+
HTTP2_HEADER_ACCESS_CONTROL_ALLOW_HEADERS,
57+
HTTP2_HEADER_ACCESS_CONTROL_ALLOW_METHODS,
4858
HTTP2_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
59+
HTTP2_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS,
60+
HTTP2_HEADER_ACCESS_CONTROL_REQUEST_HEADERS,
4961
HTTP2_HEADER_ALLOW,
5062
HTTP2_HEADER_CACHE_CONTROL,
5163
HTTP2_HEADER_CONTENT_DISPOSITION,
5264
HTTP2_HEADER_COOKIE,
5365
HTTP2_HEADER_EXPECT,
66+
HTTP2_HEADER_FORWARDED,
5467
HTTP2_HEADER_LINK,
5568
HTTP2_HEADER_PREFER,
5669
HTTP2_HEADER_PROXY_AUTHENTICATE,
5770
HTTP2_HEADER_REFRESH,
5871
HTTP2_HEADER_SERVER,
5972
HTTP2_HEADER_SET_COOKIE,
6073
HTTP2_HEADER_STRICT_TRANSPORT_SECURITY,
74+
HTTP2_HEADER_TRAILER,
6175
HTTP2_HEADER_VARY,
6276
HTTP2_HEADER_VIA,
77+
HTTP2_HEADER_WARNING,
6378
HTTP2_HEADER_WWW_AUTHENTICATE,
79+
HTTP2_HEADER_X_FRAME_OPTIONS,
6480

6581
HTTP2_HEADER_CONNECTION,
6682
HTTP2_HEADER_UPGRADE,
@@ -145,6 +161,9 @@ const {
145161
HTTP2_HEADER_AUTHORITY,
146162
HTTP2_HEADER_SCHEME,
147163
HTTP2_HEADER_PATH,
164+
HTTP2_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS,
165+
HTTP2_HEADER_ACCESS_CONTROL_MAX_AGE,
166+
HTTP2_HEADER_ACCESS_CONTROL_REQUEST_METHOD,
148167
HTTP2_HEADER_AGE,
149168
HTTP2_HEADER_AUTHORIZATION,
150169
HTTP2_HEADER_CONTENT_ENCODING,
@@ -155,6 +174,7 @@ const {
155174
HTTP2_HEADER_CONTENT_RANGE,
156175
HTTP2_HEADER_CONTENT_TYPE,
157176
HTTP2_HEADER_DATE,
177+
HTTP2_HEADER_DNT,
158178
HTTP2_HEADER_ETAG,
159179
HTTP2_HEADER_EXPIRES,
160180
HTTP2_HEADER_FROM,
@@ -164,12 +184,16 @@ const {
164184
HTTP2_HEADER_IF_RANGE,
165185
HTTP2_HEADER_IF_UNMODIFIED_SINCE,
166186
HTTP2_HEADER_LAST_MODIFIED,
187+
HTTP2_HEADER_LOCATION,
167188
HTTP2_HEADER_MAX_FORWARDS,
168189
HTTP2_HEADER_PROXY_AUTHORIZATION,
169190
HTTP2_HEADER_RANGE,
170191
HTTP2_HEADER_REFERER,
171192
HTTP2_HEADER_RETRY_AFTER,
172-
HTTP2_HEADER_USER_AGENT
193+
HTTP2_HEADER_TK,
194+
HTTP2_HEADER_UPGRADE_INSECURE_REQUESTS,
195+
HTTP2_HEADER_USER_AGENT,
196+
HTTP2_HEADER_X_CONTENT_TYPE_OPTIONS
173197
].forEach((name) => {
174198
const msg = `Header field "${name}" must have only a single value`;
175199
common.expectsError({
@@ -184,22 +208,30 @@ const {
184208
HTTP2_HEADER_ACCEPT_LANGUAGE,
185209
HTTP2_HEADER_ACCEPT_RANGES,
186210
HTTP2_HEADER_ACCEPT,
211+
HTTP2_HEADER_ACCESS_CONTROL_ALLOW_HEADERS,
212+
HTTP2_HEADER_ACCESS_CONTROL_ALLOW_METHODS,
187213
HTTP2_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
214+
HTTP2_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS,
215+
HTTP2_HEADER_ACCESS_CONTROL_REQUEST_HEADERS,
188216
HTTP2_HEADER_ALLOW,
189217
HTTP2_HEADER_CACHE_CONTROL,
190218
HTTP2_HEADER_CONTENT_DISPOSITION,
191219
HTTP2_HEADER_COOKIE,
192220
HTTP2_HEADER_EXPECT,
221+
HTTP2_HEADER_FORWARDED,
193222
HTTP2_HEADER_LINK,
194223
HTTP2_HEADER_PREFER,
195224
HTTP2_HEADER_PROXY_AUTHENTICATE,
196225
HTTP2_HEADER_REFRESH,
197226
HTTP2_HEADER_SERVER,
198227
HTTP2_HEADER_SET_COOKIE,
199228
HTTP2_HEADER_STRICT_TRANSPORT_SECURITY,
229+
HTTP2_HEADER_TRAILER,
200230
HTTP2_HEADER_VARY,
201231
HTTP2_HEADER_VIA,
202-
HTTP2_HEADER_WWW_AUTHENTICATE
232+
HTTP2_HEADER_WARNING,
233+
HTTP2_HEADER_WWW_AUTHENTICATE,
234+
HTTP2_HEADER_X_FRAME_OPTIONS
203235
].forEach((name) => {
204236
assert(!(mapToHeaders({ [name]: [1, 2, 3] }) instanceof Error), name);
205237
});

0 commit comments

Comments
 (0)