feat(http) add unsafe-headers feature flag (#1050)

* [http] add unsafe-headers feature flag * change file * fmt
1 year ago · 753c7be0a6
parent bff722451d
commit 753c7be0a6
4 changed files with 40 additions and 31 deletions
--- a/.changes/http-unsafe-headers.md
+++ b/.changes/http-unsafe-headers.md
@ -0,0 +1,5 @@
+---
+"http": patch
+---
+
+Add `unsafe-headers` cargo feature flag to allow using [forbidden headers](https://fetch.spec.whatwg.org/#terminology-headers). 
--- a/Cargo.lock
+++ b/Cargo.lock
@ -230,7 +230,7 @@ checksum = "5ad32ce52e4161730f7098c077cd2ed6229b5804ccf99e5366be1ab72a98b4e1"

 [[package]]
 name = "api"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "log",
 "serde",
@ -6401,7 +6401,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-authenticator"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "authenticator",
 "base64 0.21.7",
@ -6423,7 +6423,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-autostart"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "auto-launch",
 "log",
@ -6436,7 +6436,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-barcode-scanner"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "log",
 "serde",
@ -6448,7 +6448,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-biometric"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "log",
 "serde",
@ -6461,7 +6461,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-cli"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "clap",
 "log",
@ -6474,7 +6474,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-clipboard-manager"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "arboard",
 "log",
@ -6487,7 +6487,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-deep-link"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "log",
 "serde",
@ -6500,7 +6500,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-dialog"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "glib 0.16.9",
 "log",
@ -6516,7 +6516,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-fs"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "anyhow",
 "glob",
@ -6535,7 +6535,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-global-shortcut"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "global-hotkey",
 "log",
@ -6548,7 +6548,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-http"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "data-url",
 "http 0.2.11",
@ -6567,7 +6567,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-localhost"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "http 1.0.0",
 "log",
@ -6580,7 +6580,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-log"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "android_logger",
 "byte-unit",
@ -6599,7 +6599,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-nfc"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "log",
 "serde",
@ -6612,7 +6612,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-notification"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "chrono",
 "color-backtrace",
@ -6640,7 +6640,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-os"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "gethostname",
 "log",
@ -6656,7 +6656,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-persisted-scope"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "aho-corasick",
 "bincode",
@ -6670,7 +6670,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-positioner"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "log",
 "serde",
@ -6683,7 +6683,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-process"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "tauri",
 "tauri-plugin",
@ -6691,7 +6691,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-shell"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "encoding_rs",
 "log",
@ -6709,7 +6709,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-single-instance"
-version = "2.0.0-beta.2"
+version = "2.0.0-beta.3"
 dependencies = [
 "log",
 "serde",
@ -6722,7 +6722,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-sql"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "futures-core",
 "log",
@ -6738,7 +6738,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-store"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.3"
 dependencies = [
 "log",
 "serde",
@ -6750,7 +6750,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-stronghold"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "hex",
 "iota-crypto 0.23.1",
@ -6771,7 +6771,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-updater"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "base64 0.21.7",
 "dirs-next",
@ -6798,7 +6798,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-upload"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "futures-util",
 "log",
@ -6815,7 +6815,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-websocket"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "futures-util",
 "http 1.0.0",
@ -6832,7 +6832,7 @@ dependencies = [

 [[package]]
 name = "tauri-plugin-window-state"
-version = "2.0.0-beta.1"
+version = "2.0.0-beta.2"
 dependencies = [
 "bincode",
 "bitflags 2.4.2",
--- a/plugins/http/Cargo.toml
+++ b/plugins/http/Cargo.toml
@ -53,3 +53,4 @@ deflate = [ "reqwest/deflate" ]
 trust-dns = [ "reqwest/trust-dns" ]
 socks = [ "reqwest/socks" ]
 http3 = [ "reqwest/http3" ]
+unsafe-headers = []
--- a/plugins/http/src/commands.rs
+++ b/plugins/http/src/commands.rs
@ -195,7 +195,8 @@ pub async fn fetch<R: Runtime>(
                for (name, value) in &headers {
                    let name = HeaderName::from_bytes(name.as_bytes())?;
                    let value = HeaderValue::from_bytes(value.as_bytes())?;
-                    if !matches!(
+                    #[cfg(not(feature = "unsafe-headers"))]
+                    if matches!(
                        name,
                        // forbidden headers per fetch spec https://fetch.spec.whatwg.org/#terminology-headers
                        header::ACCEPT_CHARSET
@ -218,8 +219,10 @@ pub async fn fetch<R: Runtime>(
                            | header::UPGRADE
                            | header::VIA
                    ) {
-                        request = request.header(name, value);
+                        continue;
                    }
+
+                    request = request.header(name, value);
                }

                // POST and PUT requests should always have a 0 length content-length,