Fetch: removed special treatment of forbidden headers.

In c43261bad627 (0.7.10), a notion of forbidden headers was introduced
in accordance in Fetch API.  In the API the Forbidden headers are not
allowed to be changed from JavaScript code for security reasons.

The restriction is removed because there are use cases where Host (which
is considered forbidden) is different from the host address in
URL and JavaScript code is expected to be a trusted source (unlike a
browser context).

This closes #638 issue on Github.

diff --git a/nginx/ngx_js_fetch.c b/nginx/ngx_js_fetch.c
index 8d4dde4d8bc950e7d1826e0fc85091240e47d5ed..d74caa05a5c48767a8ea15c24e5c6c8eaf1b8645 100644 (file)
--- a/nginx/ngx_js_fetch.c
+++ b/nginx/ngx_js_fetch.c
@@ -2184,43 +2184,6 @@ ngx_js_headers_append(njs_vm_t *vm, ngx_js_headers_t *headers,
     ngx_uint_t        i;
     ngx_js_tb_elt_t  *h, **ph;
     ngx_list_part_t  *part;
-    const njs_str_t  *f;
-
-    static const njs_str_t forbidded_request[] = {
-        njs_str("Accept-Charset"),
-        njs_str("Accept-Encoding"),
-        njs_str("Access-Control-Request-Headers"),
-        njs_str("Access-Control-Request-Method"),
-        njs_str("Connection"),
-        njs_str("Content-Length"),
-        njs_str("Cookie"),
-        njs_str("Date"),
-        njs_str("DNT"),
-        njs_str("Expect"),
-        njs_str("Host"),
-        njs_str("Keep-Alive"),
-        njs_str("Origin"),
-        njs_str("Referer"),
-        njs_str("Set-Cookie"),
-        njs_str("TE"),
-        njs_str("Trailer"),
-        njs_str("Transfer-Encoding"),
-        njs_str("Upgrade"),
-        njs_str("Via"),
-        njs_null_str,
-    };
-
-    static const njs_str_t forbidded_response[] = {
-        njs_str("Set-Cookie"),
-        njs_str("Set-Cookie2"),
-        njs_null_str,
-    };
-
-    static const njs_str_t forbidded_request_prefix[] = {
-        njs_str("proxy-"),
-        njs_str("sec-"),
-        njs_null_str,
-    };
 
     ngx_js_http_trim(&value, &vlen, 0);
 
@@ -2253,34 +2216,6 @@ ngx_js_headers_append(njs_vm_t *vm, ngx_js_headers_t *headers,
         return NJS_ERROR;
     }
 
-    if (headers->guard == GUARD_REQUEST) {
-        for (f = &forbidded_request[0]; f->length != 0; f++) {
-            if (len == f->length
-                && (njs_strncasecmp(name, f->start, len) == 0))
-            {
-                return NJS_OK;
-            }
-        }
-
-        for (f = &forbidded_request_prefix[0]; f->length != 0; f++) {
-            if (len >= f->length
-                && (njs_strncasecmp(name, f->start, f->length) == 0))
-            {
-                return NJS_OK;
-            }
-        }
-    }
-
-    if (headers->guard == GUARD_RESPONSE) {
-        for (f = &forbidded_response[0]; f->length != 0; f++) {
-            if (len == f->length
-                && (njs_strncasecmp(name, f->start, len) == 0))
-            {
-                return NJS_OK;
-            }
-        }
-    }
-
     ph = NULL;
     part = &headers->header_list.part;
     h = part->elts;