Allow forbidden header mutation after Request/Response construction

mrbbot · mrbbot · commit 8b6b35b35b93 · 2021-12-06T21:31:09.000Z
Ref: cloudflare/workers-sdk#59
diff --git a/packages/core/src/standards/http.ts b/packages/core/src/standards/http.ts
@@ -101,6 +101,10 @@ export class Body<Inner extends BaseRequest | BaseResponse> {
   #inputGatedBody?: ReadableStream;
 
   constructor(inner: Inner) {
+    // Allow forbidden header mutation after construction
+    // @ts-expect-error internal kGuard isn't included in type definitions
+    inner.headers[fetchSymbols.kGuard] = "none";
+
     this[kInner] = inner;
 
     makeEnumerable(Body.prototype, this, enumerableBodyKeys);
diff --git a/packages/core/test/standards/http.spec.ts b/packages/core/test/standards/http.spec.ts
@@ -367,10 +367,10 @@ test("Request: clone retains form data file parsing option", async (t) => {
   t.is(resFormData.get("file"), "test");
 });
 test("Request: Object.keys() returns getters", async (t) => {
-  const res = new Request("http://localhost", {
+  const req = new Request("http://localhost", {
     headers: { "X-Key": "value " },
   });
-  const keys = Object.keys(res);
+  const keys = Object.keys(req);
   const expectedKeys = [
     "body",
     "bodyUsed",
@@ -383,6 +383,45 @@ test("Request: Object.keys() returns getters", async (t) => {
   ];
   t.deepEqual(keys.sort(), expectedKeys.sort());
 });
+test("Request: can mutate forbidden headers after construction", async (t) => {
+  // From https://github.com/nodejs/undici/blob/cd566ccf65c18b8405793a752247f3e350a50fcf/lib/fetch/constants.js#L3-L24
+  const forbiddenHeaderNames = [
+    "accept-charset",
+    "accept-encoding",
+    "access-control-request-headers",
+    "access-control-request-method",
+    "connection",
+    "content-length",
+    "cookie",
+    "cookie2",
+    "date",
+    "dnt",
+    "expect",
+    "host",
+    "keep-alive",
+    "origin",
+    "referer",
+    "te",
+    "trailer",
+    "transfer-encoding",
+    "upgrade",
+    "via",
+  ];
+
+  const req = new Request("http://localhost");
+  for (const header of forbiddenHeaderNames) {
+    req.headers.set(header, "value");
+    t.is(req.headers.get(header), "value");
+  }
+
+  // Check this still works on a clone
+  const req2 = req.clone();
+  for (const header of forbiddenHeaderNames) {
+    t.is(req2.headers.get(header), "value");
+    req2.headers.set(header, "value2");
+    t.is(req2.headers.get(header), "value2");
+  }
+});
 
 test("withImmutableHeaders: makes Request's headers immutable", (t) => {
   const req = new Request("http://localhost");
@@ -570,6 +609,24 @@ test("Response: Object.keys() returns getters", async (t) => {
   ];
   t.deepEqual(keys.sort(), expectedKeys.sort());
 });
+test("Response: can mutate forbidden headers after construction", async (t) => {
+  // From https://github.com/nodejs/undici/blob/cd566ccf65c18b8405793a752247f3e350a50fcf/lib/fetch/constants.js#L61
+  const forbiddenResponseHeaderNames = ["set-cookie", "set-cookie2"];
+
+  const res = new Response("body");
+  for (const header of forbiddenResponseHeaderNames) {
+    res.headers.set(header, "value");
+    t.is(res.headers.get(header), "value");
+  }
+
+  // Check this still works on a clone
+  const res2 = res.clone();
+  for (const header of forbiddenResponseHeaderNames) {
+    t.is(res2.headers.get(header), "value");
+    res2.headers.set(header, "value2");
+    t.is(res2.headers.get(header), "value2");
+  }
+});
 
 test("withWaitUntil: adds wait until to (Base)Response", async (t) => {
   const waitUntil = [1];
