Check not to have TE or Proxy-Authorization in config.ForwardedRequestHeaders (#312)

TE is a hop-by-hop request header and must not be forwarded.

Proxy-Authorization can be forwarded per rfc7235#section-4.4 but
remove it to mitigate the risk of over-signing.

Author: shigeki

packager/util/config_test.go

@@ -115,6 +115,18 @@ func TestForwardedRequestHeadersHaveDisallowedHeader(t *testing.T) {
 	`))), "ForwardedRequestHeaders must not include request header of via")
 }
 
+func TestForwardedRequestHeadersHaveTE(t *testing.T) {
+	assert.Contains(t, errorFrom(ReadConfig([]byte(`
+		CertFile = "cert.pem"
+		KeyFile = "key.pem"
+		OCSPCache = "/tmp/ocsp"
+		ForwardedRequestHeaders = ["X-Foo", "X-Bar", "TE"]
+		[[URLSet]]
+		  [URLSet.Sign]
+		    Domain = "example.com"
+	`))), "ForwardedRequestHeaders must not include request header of TE")
+}
+
 func TestOCSPDirDoesntExist(t *testing.T) {
 	assert.Contains(t, errorFrom(ReadConfig([]byte(`
 		CertFile = "cert.pem"

packager/util/http.go

@@ -44,7 +44,12 @@ var legacyHeaders = map[string]bool{
 
 // Via is implicitly forwarded and disallowed to be included in
 // config.ForwardedRequestHeaders
+// TE is a hop-by-hop request header and must not be forwarded.
+// Proxy-Authorization can be forwarded per rfc7235#section-4.4 but
+// remove it to mitigate the risk of over-signing.
 var notForwardedRequestHeader = map[string]bool{
+	"Proxy-Authorization": true,
+	"Te": true,
 	"Via": true,
 }