The XMLHttpRequest working draft gives a list of headers that should not be set by setRequestHeader() for security reasons. Currently some of them are missing. Mozilla checks for all of them except the ones starting with "Proxy-". Patch & testcase will follow.
Created attachment 17591 [details] patch & testcase Add all the headers specified by the draft (even "Proxy-" headers).
Looks great! Minor coding style issue: + static String proxyString; if (forbiddenHeaders.isEmpty()) { forbiddenHeaders.add("accept-charset"); forbiddenHeaders.add("accept-encoding"); + forbiddenHeaders.add("connection"); forbiddenHeaders.add("content-length"); - forbiddenHeaders.add("expect"); + forbiddenHeaders.add("content-transfer-encoding"); forbiddenHeaders.add("date"); + forbiddenHeaders.add("expect"); forbiddenHeaders.add("host"); forbiddenHeaders.add("keep-alive"); forbiddenHeaders.add("referer"); @@ -107,9 +110,11 @@ static bool canSetRequestHeader(const String& name) forbiddenHeaders.add("transfer-encoding"); forbiddenHeaders.add("upgrade"); forbiddenHeaders.add("via"); + + proxyString = String("proxy-"); You could just write static String proxyString("proxy-"), it will still be initialized only once. r- to consider style request, but I'll happily r+ with that revision.
Comment on attachment 17591 [details] patch & testcase As stated above, r- for style issue.
Created attachment 17609 [details] Patch updated with Maciej's comments > You could just write static String proxyString("proxy-"), it will still be > initialized only once. I did not know. Thanks for the info !
Landed in r28301.