[njs] Fetch: removed special treatment of forbidden headers.

[Dmitry Volyntsev]

details:   https://hg.nginx.org/njs/rev/4aed0532158c
branches:  
changeset: 2113:4aed0532158c
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Tue May 09 22:09:13 2023 -0700
description:
Fetch: removed special treatment of forbidden headers.

In c43261bad627 (0.7.10), a notion of forbidden headers was introduced
in accordance in Fetch API.  In the API the Forbidden headers are not
allowed to be changed from JavaScript code for security reasons.

The restriction is removed because there are use cases where Host (which
is considered forbidden) is different from the host address in
URL and JavaScript code is expected to be a trusted source (unlike a
browser context).

This closes #638 issue on Github.

diffstat:

 nginx/ngx_js_fetch.c |  65 ----------------------------------------------------
 1 files changed, 0 insertions(+), 65 deletions(-)

diffs (82 lines):

diff -r 70e7701a4588 -r 4aed0532158c nginx/ngx_js_fetch.c
--- a/nginx/ngx_js_fetch.c	Tue May 09 18:58:52 2023 -0700
+++ b/nginx/ngx_js_fetch.c	Tue May 09 22:09:13 2023 -0700
@@ -2184,43 +2184,6 @@ ngx_js_headers_append(njs_vm_t *vm, ngx_
     ngx_uint_t        i;
     ngx_js_tb_elt_t  *h, **ph;
     ngx_list_part_t  *part;
-    const njs_str_t  *f;
-
-    static const njs_str_t forbidded_request[] = {
-        njs_str("Accept-Charset"),
-        njs_str("Accept-Encoding"),
-        njs_str("Access-Control-Request-Headers"),
-        njs_str("Access-Control-Request-Method"),
-        njs_str("Connection"),
-        njs_str("Content-Length"),
-        njs_str("Cookie"),
-        njs_str("Date"),
-        njs_str("DNT"),
-        njs_str("Expect"),
-        njs_str("Host"),
-        njs_str("Keep-Alive"),
-        njs_str("Origin"),
-        njs_str("Referer"),
-        njs_str("Set-Cookie"),
-        njs_str("TE"),
-        njs_str("Trailer"),
-        njs_str("Transfer-Encoding"),
-        njs_str("Upgrade"),
-        njs_str("Via"),
-        njs_null_str,
-    };
-
-    static const njs_str_t forbidded_response[] = {
-        njs_str("Set-Cookie"),
-        njs_str("Set-Cookie2"),
-        njs_null_str,
-    };
-
-    static const njs_str_t forbidded_request_prefix[] = {
-        njs_str("proxy-"),
-        njs_str("sec-"),
-        njs_null_str,
-    };
 
     ngx_js_http_trim(&value, &vlen, 0);
 
@@ -2253,34 +2216,6 @@ ngx_js_headers_append(njs_vm_t *vm, ngx_
         return NJS_ERROR;
     }
 
-    if (headers->guard == GUARD_REQUEST) {
-        for (f = &forbidded_request[0]; f->length != 0; f++) {
-            if (len == f->length
-                && (njs_strncasecmp(name, f->start, len) == 0))
-            {
-                return NJS_OK;
-            }
-        }
-
-        for (f = &forbidded_request_prefix[0]; f->length != 0; f++) {
-            if (len >= f->length
-                && (njs_strncasecmp(name, f->start, f->length) == 0))
-            {
-                return NJS_OK;
-            }
-        }
-    }
-
-    if (headers->guard == GUARD_RESPONSE) {
-        for (f = &forbidded_response[0]; f->length != 0; f++) {
-            if (len == f->length
-                && (njs_strncasecmp(name, f->start, len) == 0))
-            {
-                return NJS_OK;
-            }
-        }
-    }
-
     ph = NULL;
     part = &headers->header_list.part;
     h = part->elts;