From 0f739dbc483a1f091977cbe575c3862fd39f8cf1 Mon Sep 17 00:00:00 2001
From: Amr Bashir
Date: Thu, 30 May 2024 22:09:32 +0300
Subject: [PATCH] feat(http): allow setting `origin` for unsafe headers (#1392)
* feat(http): allow setting `origin` for unsafe headers closes #1389
* clippy
* Update .changes/http-origin-unsafe.md
Co-authored-by: Lucas Fernandes Nogueira
* Update commands.rs
* set origin not full url
---------
Co-authored-by: Lucas Fernandes Nogueira
---
 .changes/http-origin-unsafe.md | 6 ++++
 plugins/http/src/commands.rs | 63 +++++++++++++++++++++-------------
 2 files changed, 45 insertions(+), 24 deletions(-)
 create mode 100644 .changes/http-origin-unsafe.md
diff --git a/.changes/http-origin-unsafe.md b/.changes/http-origin-unsafe.md
new file mode 100644
index 00000000..b2b4fef6
--- /dev/null
+++ b/.changes/http-origin-unsafe.md
@@ -0,0 +1,6 @@
+---
+"http": "patch"
+"http-js": "patch"
+---
+
+Allow setting `Origin` header when `unsafe-headers` feature flag is active.
diff --git a/plugins/http/src/commands.rs b/plugins/http/src/commands.rs
index 4f89f1fe..5c895ebc 100644
--- a/plugins/http/src/commands.rs
+++ b/plugins/http/src/commands.rs
@@ -201,29 +201,7 @@ pub async fn fetch(
 for (name, value) in &headers {
 let name = HeaderName::from_bytes(name.as_bytes())?;
 #[cfg(not(feature = "unsafe-headers"))]
- if matches!(
- name,
- // forbidden headers per fetch spec https://fetch.spec.whatwg.org/#terminology-headers
- header::ACCEPT_CHARSET
- | header::ACCEPT_ENCODING
- | header::ACCESS_CONTROL_REQUEST_HEADERS
- | header::ACCESS_CONTROL_REQUEST_METHOD
- | header::CONNECTION
- | header::CONTENT_LENGTH
- | header::COOKIE
- | header::DATE
- | header::DNT
- | header::EXPECT
- | header::HOST
- | header::ORIGIN
- | header::REFERER
- | header::SET_COOKIE
- | header::TE
- | header::TRAILER
- | header::TRANSFER_ENCODING
- | header::UPGRADE
- | header::VIA
- ) {
+ if is_unsafe_header(&name) {
 continue;
 }
@@ -246,7 +224,14 @@ pub async fn fetch(
 request = request.header(header::USER_AGENT, "tauri-plugin-http");
 }
- request = request.header(header::ORIGIN, webview.url()?.as_str());
+ if !(cfg!(feature = "unsafe-headers")
+ && headers.contains_key(header::ORIGIN.as_str()))
+ {
+ if let Ok(url) = webview.url() {
+ request =
+ request.header(header::ORIGIN, url.origin().ascii_serialization());
+ }
+ }
 if let Some(data) = data {
 request = request.body(data);
@@ -343,3 +328,33 @@ pub(crate) async fn fetch_read_body(
 let res = Arc::into_inner(res).unwrap().0;
 Ok(tauri::ipc::Response::new(res.bytes().await?.to_vec()))
 }
+
+// forbidden headers per fetch spec https://fetch.spec.whatwg.org/#terminology-headers
+#[cfg(not(feature = "unsafe-headers"))]
+fn is_unsafe_header(header: &HeaderName) -> bool {
+ matches!(
+ *header,
+ header::ACCEPT_CHARSET
+ | header::ACCEPT_ENCODING
+ | header::ACCESS_CONTROL_REQUEST_HEADERS
+ | header::ACCESS_CONTROL_REQUEST_METHOD
+ | header::CONNECTION
+ | header::CONTENT_LENGTH
+ | header::COOKIE
+ | header::DATE
+ | header::DNT
+ | header::EXPECT
+ | header::HOST
+ | header::ORIGIN
+ | header::REFERER
+ | header::SET_COOKIE
+ | header::TE
+ | header::TRAILER
+ | header::TRANSFER_ENCODING
+ | header::UPGRADE
+ | header::VIA
+ ) || {
+ let lower = header.as_str().to_lowercase();
+ lower.starts_with("proxy-") || lower.starts_with("sec-")
+ }
+}
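Review bot: `headers.contains_key(header::ORIGIN.as_str())` only matches a caller key spelled exactly `origin`, while the header loop earlier in fetch accepts any casing through `HeaderName::from_bytes(name.as_bytes())`, so with `unsafe-headers` enabled a caller sending `Origin: …` gets its value added by the loop and the webview origin appended here as well — presumably two Origin values on the wire, since reqwest's `header()` appends rather than replaces (worth confirming against the reqwest version in use). Assuming `headers` is the map of raw caller strings the loop iterates, compare case-insensitively: `&& headers.keys().any(|k| k.eq_ignore_ascii_case(header::ORIGIN.as_str())))`. Separately, `if let Ok(url) = webview.url()` turns the former `?` into a silent skip, so a URL failure now sends the request with no Origin at all; either keep propagating the error or record that the origin was omitted so the server-side decision is not silently changed. fetch's body starts and ends outside this hunk.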
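Review bot: The list in `is_unsafe_header` is a subset of the fetch-spec forbidden request-header names its comment cites: `Keep-Alive` and `Cookie2` are missing, so under the default feature set those two still pass the loop and reach the outgoing request (the spec additionally covers `X-HTTP-Method`, `X-HTTP-Method-Override` and `X-Method-Override` when their value is a forbidden method; whether this plugin should mirror that is a design call to note in the comment). The trailing block is the natural place for them: `lower.starts_with("proxy-") || lower.starts_with("sec-") || lower == "keep-alive" || lower == "cookie2"`. `HeaderName::as_str()` already returns the lowercased name, so `to_lowercase()` allocates for nothing and `header.as_str()` can be compared directly; a doc comment such as `/// Returns true for header names the fetch spec forbids scripts from setting; fetch() drops such headers instead of forwarding them.` would also make the contract explicit.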