
Commit 2f5bef4

apapirovskijasnell
authored andcommitted
http2: expand list of known headers
Add access-control-*, dnt, forwarded, trailer, tk, upgrade-insecure-requests, warning, x-content-type-options and x-frame-options to known list of headers for HTTP2. Expand tests to account for these headers. Fixes: nodejs#15337 Refs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers Refs: https://www.w3.org/TR/cors/#syntax Refs: https://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#dnt-header-field Refs: https://tools.ietf.org/html/rfc7239#section-4 Refs: https://tools.ietf.org/html/rfc7230#section-4.4 Refs: https://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#response-header-field Refs: https://www.w3.org/TR/upgrade-insecure-requests/#preference Refs: https://tools.ietf.org/html/rfc7234#section-5.5 Refs: https://fetch.spec.whatwg.org/#x-content-type-options-header Refs: https://tools.ietf.org/html/rfc7034 PR-URL: nodejs#15434 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
1 parent 873e5bd commit 2f5bef4

4 files changed

Lines changed: 79 additions & 3 deletions


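--- a/lib/internal/http2/util.js
+++ b/lib/internal/http2/util.js
@@ -12,6 +12,9 @@ const {
 HTTP2_HEADER_AUTHORITY,
 HTTP2_HEADER_SCHEME,
 HTTP2_HEADER_PATH,
+HTTP2_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS,
+HTTP2_HEADER_ACCESS_CONTROL_MAX_AGE,
+HTTP2_HEADER_ACCESS_CONTROL_REQUEST_METHOD,
 HTTP2_HEADER_AGE,
 HTTP2_HEADER_AUTHORIZATION,
 HTTP2_HEADER_CONTENT_ENCODING,
@@ -23,6 +26,7 @@ const {
 HTTP2_HEADER_CONTENT_TYPE,
 HTTP2_HEADER_COOKIE,
 HTTP2_HEADER_DATE,
+HTTP2_HEADER_DNT,
 HTTP2_HEADER_ETAG,
 HTTP2_HEADER_EXPIRES,
 HTTP2_HEADER_FROM,
@@ -39,7 +43,10 @@ const {
 HTTP2_HEADER_REFERER,
 HTTP2_HEADER_RETRY_AFTER,
 HTTP2_HEADER_SET_COOKIE,
+HTTP2_HEADER_TK,
+HTTP2_HEADER_UPGRADE_INSECURE_REQUESTS,
 HTTP2_HEADER_USER_AGENT,
+HTTP2_HEADER_X_CONTENT_TYPE_OPTIONS,
 
 HTTP2_HEADER_CONNECTION,
 HTTP2_HEADER_UPGRADE,
@@ -74,6 +81,9 @@ const kSingleValueHeaders = new Set([
 HTTP2_HEADER_AUTHORITY,
 HTTP2_HEADER_SCHEME,
 HTTP2_HEADER_PATH,
+HTTP2_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS,
+HTTP2_HEADER_ACCESS_CONTROL_MAX_AGE,
+HTTP2_HEADER_ACCESS_CONTROL_REQUEST_METHOD,
 HTTP2_HEADER_AGE,
 HTTP2_HEADER_AUTHORIZATION,
 HTTP2_HEADER_CONTENT_ENCODING,
@@ -84,6 +94,7 @@ const kSingleValueHeaders = new Set([
 HTTP2_HEADER_CONTENT_RANGE,
 HTTP2_HEADER_CONTENT_TYPE,
 HTTP2_HEADER_DATE,
+HTTP2_HEADER_DNT,
 HTTP2_HEADER_ETAG,
 HTTP2_HEADER_EXPIRES,
 HTTP2_HEADER_FROM,
@@ -99,7 +110,10 @@ const kSingleValueHeaders = new Set([
 HTTP2_HEADER_RANGE,
 HTTP2_HEADER_REFERER,
 HTTP2_HEADER_RETRY_AFTER,
-HTTP2_HEADER_USER_AGENT
+HTTP2_HEADER_TK,
+HTTP2_HEADER_UPGRADE_INSECURE_REQUESTS,
+HTTP2_HEADER_USER_AGENT,
+HTTP2_HEADER_X_CONTENT_TYPE_OPTIONS
 ]);
 
 // The HTTP methods in this set are specifically defined as assigning no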
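Review bot: `HTTP2_HEADER_X_FRAME_OPTIONS` is not added to `kSingleValueHeaders` in the last hunk, although `HTTP2_HEADER_X_CONTENT_TYPE_OPTIONS` is, and the multi-value list in test/parallel/test-http2-util-headers-list.js now asserts that `x-frame-options` accepts `[1, 2, 3]`. RFC 7034, cited in the commit message, requires the field to carry exactly one of its values, and browsers do not agree on how to treat a repeated one, so a response that picks up the header from two layers could lose its framing protection without any error being raised. If multi-value is intended, say so in a comment beside the set; otherwise add `HTTP2_HEADER_X_FRAME_OPTIONS,` to the destructured constants and to the set, and move it to the single-value list in the test. The set's definition begins above the visible hunks, so entries outside them were not checked.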

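--- a/src/node_http2.h
+++ b/src/node_http2.h
@@ -69,7 +69,14 @@ using v8::MaybeLocal;
 V(ACCEPT_LANGUAGE, "accept-language") \
 V(ACCEPT_RANGES, "accept-ranges") \
 V(ACCEPT, "accept") \
+V(ACCESS_CONTROL_ALLOW_CREDENTIALS, "access-control-allow-credentials") \
+V(ACCESS_CONTROL_ALLOW_HEADERS, "access-control-allow-headers") \
+V(ACCESS_CONTROL_ALLOW_METHODS, "access-control-allow-methods") \
 V(ACCESS_CONTROL_ALLOW_ORIGIN, "access-control-allow-origin") \
+V(ACCESS_CONTROL_EXPOSE_HEADERS, "access-control-expose-headers") \
+V(ACCESS_CONTROL_MAX_AGE, "access-control-max-age") \
+V(ACCESS_CONTROL_REQUEST_HEADERS, "access-control-request-headers") \
+V(ACCESS_CONTROL_REQUEST_METHOD, "access-control-request-method") \
 V(AGE, "age") \
 V(ALLOW, "allow") \
 V(AUTHORIZATION, "authorization") \
@@ -85,9 +92,11 @@ using v8::MaybeLocal;
 V(CONTENT_TYPE, "content-type") \
 V(COOKIE, "cookie") \
 V(DATE, "date") \
+V(DNT, "dnt") \
 V(ETAG, "etag") \
 V(EXPECT, "expect") \
 V(EXPIRES, "expires") \
+V(FORWARDED, "forwarded") \
 V(FROM, "from") \
 V(HOST, "host") \
 V(IF_MATCH, "if-match") \
@@ -109,13 +118,19 @@ using v8::MaybeLocal;
 V(SERVER, "server") \
 V(SET_COOKIE, "set-cookie") \
 V(STRICT_TRANSPORT_SECURITY, "strict-transport-security") \
+V(TRAILER, "trailer") \
 V(TRANSFER_ENCODING, "transfer-encoding") \
 V(TE, "te") \
+V(TK, "tk") \
+V(UPGRADE_INSECURE_REQUESTS, "upgrade-insecure-requests") \
 V(UPGRADE, "upgrade") \
 V(USER_AGENT, "user-agent") \
 V(VARY, "vary") \
 V(VIA, "via") \
+V(WARNING, "warning") \
 V(WWW_AUTHENTICATE, "www-authenticate") \
+V(X_CONTENT_TYPE_OPTIONS, "x-content-type-options") \
+V(X_FRAME_OPTIONS, "x-frame-options") \
 V(HTTP2_SETTINGS, "http2-settings") \
 V(KEEP_ALIVE, "keep-alive") \
 V(PROXY_CONNECTION, "proxy-connection")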

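--- a/test/parallel/test-http2-binding.js
+++ b/test/parallel/test-http2-binding.js
@@ -105,7 +105,14 @@ const expectedHeaderNames = {
 HTTP2_HEADER_ACCEPT_LANGUAGE: 'accept-language',
 HTTP2_HEADER_ACCEPT_RANGES: 'accept-ranges',
 HTTP2_HEADER_ACCEPT: 'accept',
+HTTP2_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS: 'access-control-allow-credentials', // eslint-disable-line max-len
+HTTP2_HEADER_ACCESS_CONTROL_ALLOW_HEADERS: 'access-control-allow-headers',
+HTTP2_HEADER_ACCESS_CONTROL_ALLOW_METHODS: 'access-control-allow-methods',
 HTTP2_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN: 'access-control-allow-origin',
+HTTP2_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS: 'access-control-expose-headers',
+HTTP2_HEADER_ACCESS_CONTROL_MAX_AGE: 'access-control-max-age',
+HTTP2_HEADER_ACCESS_CONTROL_REQUEST_HEADERS: 'access-control-request-headers',
+HTTP2_HEADER_ACCESS_CONTROL_REQUEST_METHOD: 'access-control-request-method',
 HTTP2_HEADER_AGE: 'age',
 HTTP2_HEADER_ALLOW: 'allow',
 HTTP2_HEADER_AUTHORIZATION: 'authorization',
@@ -119,9 +126,11 @@ const expectedHeaderNames = {
 HTTP2_HEADER_CONTENT_TYPE: 'content-type',
 HTTP2_HEADER_COOKIE: 'cookie',
 HTTP2_HEADER_CONNECTION: 'connection',
+HTTP2_HEADER_DNT: 'dnt',
 HTTP2_HEADER_ETAG: 'etag',
 HTTP2_HEADER_EXPECT: 'expect',
 HTTP2_HEADER_EXPIRES: 'expires',
+HTTP2_HEADER_FORWARDED: 'forwarded',
 HTTP2_HEADER_FROM: 'from',
 HTTP2_HEADER_HOST: 'host',
 HTTP2_HEADER_IF_MATCH: 'if-match',
@@ -144,11 +153,17 @@ const expectedHeaderNames = {
 HTTP2_HEADER_SERVER: 'server',
 HTTP2_HEADER_SET_COOKIE: 'set-cookie',
 HTTP2_HEADER_STRICT_TRANSPORT_SECURITY: 'strict-transport-security',
+HTTP2_HEADER_TRAILER: 'trailer',
 HTTP2_HEADER_TRANSFER_ENCODING: 'transfer-encoding',
+HTTP2_HEADER_TK: 'tk',
+HTTP2_HEADER_UPGRADE_INSECURE_REQUESTS: 'upgrade-insecure-requests',
 HTTP2_HEADER_USER_AGENT: 'user-agent',
 HTTP2_HEADER_VARY: 'vary',
 HTTP2_HEADER_VIA: 'via',
+HTTP2_HEADER_WARNING: 'warning',
 HTTP2_HEADER_WWW_AUTHENTICATE: 'www-authenticate',
+HTTP2_HEADER_X_CONTENT_TYPE_OPTIONS: 'x-content-type-options',
+HTTP2_HEADER_X_FRAME_OPTIONS: 'x-frame-options',
 HTTP2_HEADER_KEEP_ALIVE: 'keep-alive',
 HTTP2_HEADER_CONTENT_MD5: 'content-md5',
 HTTP2_HEADER_TE: 'te',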

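--- a/test/parallel/test-http2-util-headers-list.js
+++ b/test/parallel/test-http2-util-headers-list.js
@@ -14,6 +14,9 @@ const {
 HTTP2_HEADER_AUTHORITY,
 HTTP2_HEADER_SCHEME,
 HTTP2_HEADER_PATH,
+HTTP2_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS,
+HTTP2_HEADER_ACCESS_CONTROL_MAX_AGE,
+HTTP2_HEADER_ACCESS_CONTROL_REQUEST_METHOD,
 HTTP2_HEADER_AGE,
 HTTP2_HEADER_AUTHORIZATION,
 HTTP2_HEADER_CONTENT_ENCODING,
@@ -24,6 +27,7 @@ const {
 HTTP2_HEADER_CONTENT_RANGE,
 HTTP2_HEADER_CONTENT_TYPE,
 HTTP2_HEADER_DATE,
+HTTP2_HEADER_DNT,
 HTTP2_HEADER_ETAG,
 HTTP2_HEADER_EXPIRES,
 HTTP2_HEADER_FROM,
@@ -33,34 +37,46 @@ const {
 HTTP2_HEADER_IF_RANGE,
 HTTP2_HEADER_IF_UNMODIFIED_SINCE,
 HTTP2_HEADER_LAST_MODIFIED,
+HTTP2_HEADER_LOCATION,
 HTTP2_HEADER_MAX_FORWARDS,
 HTTP2_HEADER_PROXY_AUTHORIZATION,
 HTTP2_HEADER_RANGE,
 HTTP2_HEADER_REFERER,
 HTTP2_HEADER_RETRY_AFTER,
+HTTP2_HEADER_TK,
+HTTP2_HEADER_UPGRADE_INSECURE_REQUESTS,
 HTTP2_HEADER_USER_AGENT,
+HTTP2_HEADER_X_CONTENT_TYPE_OPTIONS,
 
 HTTP2_HEADER_ACCEPT_CHARSET,
 HTTP2_HEADER_ACCEPT_ENCODING,
 HTTP2_HEADER_ACCEPT_LANGUAGE,
 HTTP2_HEADER_ACCEPT_RANGES,
 HTTP2_HEADER_ACCEPT,
+HTTP2_HEADER_ACCESS_CONTROL_ALLOW_HEADERS,
+HTTP2_HEADER_ACCESS_CONTROL_ALLOW_METHODS,
 HTTP2_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
+HTTP2_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS,
+HTTP2_HEADER_ACCESS_CONTROL_REQUEST_HEADERS,
 HTTP2_HEADER_ALLOW,
 HTTP2_HEADER_CACHE_CONTROL,
 HTTP2_HEADER_CONTENT_DISPOSITION,
 HTTP2_HEADER_COOKIE,
 HTTP2_HEADER_EXPECT,
+HTTP2_HEADER_FORWARDED,
 HTTP2_HEADER_LINK,
 HTTP2_HEADER_PREFER,
 HTTP2_HEADER_PROXY_AUTHENTICATE,
 HTTP2_HEADER_REFRESH,
 HTTP2_HEADER_SERVER,
 HTTP2_HEADER_SET_COOKIE,
 HTTP2_HEADER_STRICT_TRANSPORT_SECURITY,
+HTTP2_HEADER_TRAILER,
 HTTP2_HEADER_VARY,
 HTTP2_HEADER_VIA,
+HTTP2_HEADER_WARNING,
 HTTP2_HEADER_WWW_AUTHENTICATE,
+HTTP2_HEADER_X_FRAME_OPTIONS,
 
 HTTP2_HEADER_CONNECTION,
 HTTP2_HEADER_UPGRADE,
@@ -145,6 +161,9 @@ const {
 HTTP2_HEADER_AUTHORITY,
 HTTP2_HEADER_SCHEME,
 HTTP2_HEADER_PATH,
+HTTP2_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS,
+HTTP2_HEADER_ACCESS_CONTROL_MAX_AGE,
+HTTP2_HEADER_ACCESS_CONTROL_REQUEST_METHOD,
 HTTP2_HEADER_AGE,
 HTTP2_HEADER_AUTHORIZATION,
 HTTP2_HEADER_CONTENT_ENCODING,
@@ -155,6 +174,7 @@ const {
 HTTP2_HEADER_CONTENT_RANGE,
 HTTP2_HEADER_CONTENT_TYPE,
 HTTP2_HEADER_DATE,
+HTTP2_HEADER_DNT,
 HTTP2_HEADER_ETAG,
 HTTP2_HEADER_EXPIRES,
 HTTP2_HEADER_FROM,
@@ -164,12 +184,16 @@ const {
 HTTP2_HEADER_IF_RANGE,
 HTTP2_HEADER_IF_UNMODIFIED_SINCE,
 HTTP2_HEADER_LAST_MODIFIED,
+HTTP2_HEADER_LOCATION,
 HTTP2_HEADER_MAX_FORWARDS,
 HTTP2_HEADER_PROXY_AUTHORIZATION,
 HTTP2_HEADER_RANGE,
 HTTP2_HEADER_REFERER,
 HTTP2_HEADER_RETRY_AFTER,
-HTTP2_HEADER_USER_AGENT
+HTTP2_HEADER_TK,
+HTTP2_HEADER_UPGRADE_INSECURE_REQUESTS,
+HTTP2_HEADER_USER_AGENT,
+HTTP2_HEADER_X_CONTENT_TYPE_OPTIONS
 ].forEach((name) => {
 const msg = `Header field "${name}" must have only a single value`;
 common.expectsError({
@@ -184,22 +208,30 @@ const {
 HTTP2_HEADER_ACCEPT_LANGUAGE,
 HTTP2_HEADER_ACCEPT_RANGES,
 HTTP2_HEADER_ACCEPT,
+HTTP2_HEADER_ACCESS_CONTROL_ALLOW_HEADERS,
+HTTP2_HEADER_ACCESS_CONTROL_ALLOW_METHODS,
 HTTP2_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
+HTTP2_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS,
+HTTP2_HEADER_ACCESS_CONTROL_REQUEST_HEADERS,
 HTTP2_HEADER_ALLOW,
 HTTP2_HEADER_CACHE_CONTROL,
 HTTP2_HEADER_CONTENT_DISPOSITION,
 HTTP2_HEADER_COOKIE,
 HTTP2_HEADER_EXPECT,
+HTTP2_HEADER_FORWARDED,
 HTTP2_HEADER_LINK,
 HTTP2_HEADER_PREFER,
 HTTP2_HEADER_PROXY_AUTHENTICATE,
 HTTP2_HEADER_REFRESH,
 HTTP2_HEADER_SERVER,
 HTTP2_HEADER_SET_COOKIE,
 HTTP2_HEADER_STRICT_TRANSPORT_SECURITY,
+HTTP2_HEADER_TRAILER,
 HTTP2_HEADER_VARY,
 HTTP2_HEADER_VIA,
-HTTP2_HEADER_WWW_AUTHENTICATE
+HTTP2_HEADER_WARNING,
+HTTP2_HEADER_WWW_AUTHENTICATE,
+HTTP2_HEADER_X_FRAME_OPTIONS
 ].forEach((name) => {
 assert(!(mapToHeaders({ [name]: [1, 2, 3] }) instanceof Error), name);
 });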
