
check for unsafe headers before setting header

Nicolas LaCasse
Nicolas LaCasse committed Feb 1, 2012
1 parent c2a2339 commit 97cb483abb50049a1da73489e66f561aa9bb283c
Showing with 33 additions and 0 deletions.
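--- a/lib/request.js
+++ b/lib/request.js
@@ -16,6 +16,7 @@ var Request = module.exports = function (xhr, params) {
 if (params.headers) {
 Object.keys(params.headers).forEach(function (key) {
+ if (!self.isSafeRequestHeader(key)) return;
 var value = params.headers[key];
 if (Array.isArray(value)) {
 value.forEach(function (v) {
@@ -58,3 +59,35 @@ Request.prototype.end = function (s) {
 if (s !== undefined) this.write(s);
 this.xhr.send(this.body);
 };
+
+Request.prototype.isSafeRequestHeader = function (headerName) {
+ if (!headerName) return false;
+ headerName = headerName.toLowerCase();
+
+ // Taken from http://dxr.mozilla.org/mozilla/mozilla-central/content/base/src/nsXMLHttpRequest.cpp.html
+ var unsafeHeaders = [
+ "accept-charset",
+ "accept-encoding",
+ "access-control-request-headers",
+ "access-control-request-method",
+ "connection",
+ "content-length",
+ "cookie",
+ "cookie2",
+ "content-transfer-encoding",
+ "date",
+ "expect",
+ "host",
+ "keep-alive",
+ "origin",
+ "referer",
+ "te",
+ "trailer",
+ "transfer-encoding",
+ "upgrade",
+ "user-agent",
+ "via"
+ ];
+
+ return (unsafeHeaders.indexOf(headerName) === -1)
+};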
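Review bot: The exact-match lookup in isSafeRequestHeader lets through the two prefix families browsers also refuse on XHR, `proxy-*` and `sec-*`, so a key such as `Proxy-Authorization` is still passed on to the xhr object. A one-line prefix test after the lowercase step closes that gap: `if (headerName.indexOf("proxy-") === 0 || headerName.indexOf("sec-") === 0) return false;`. The unsafeHeaders array is also rebuilt on every call, once per header key, and would read better hoisted to module scope as a constant placed next to the Mozilla attribution comment. In the constructor hunk at line 16 the header is dropped silently; a short comment there, `// the browser refuses this header on XHR; skip it rather than hand it to setRequestHeader`, would tell a reader why a caller-supplied header can vanish. That constructor's body starts and ends outside the hunk, and `self` is presumably bound to `this` earlier in it.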
