8350991: Improve HTTP client header handling

Reviewed-by: mbalao, andrew
Backport-of: 3b0f6ebdf8dbaf0caf9a9ec1f201d5938f674021

Author: Alexey Bakhtin

src/java.net.http/share/classes/jdk/internal/net/http/HttpRequestImpl.java

@@ -41,6 +41,7 @@
 import java.net.http.HttpClient;
 import java.net.http.HttpHeaders;
 import java.net.http.HttpRequest;
+import java.util.function.BiPredicate;
 
 import jdk.internal.net.http.common.HttpHeadersBuilder;
 import jdk.internal.net.http.common.Utils;
@@ -148,7 +149,11 @@ public static HttpRequestImpl newInstanceForRedirection(URI uri,
                                                             String method,
                                                             HttpRequestImpl other,
                                                             boolean mayHaveBody) {
-        return new HttpRequestImpl(uri, method, other, mayHaveBody);
+        if (uri.getScheme().equalsIgnoreCase(other.uri.getScheme()) &&
+                uri.getRawAuthority().equals(other.uri.getRawAuthority())) {
+            return new HttpRequestImpl(uri, method, other, mayHaveBody, Optional.empty());
+        }
+        return new HttpRequestImpl(uri, method, other, mayHaveBody, Optional.of(Utils.ALLOWED_REDIRECT_HEADERS));
     }
 
     /** Returns a new instance suitable for authentication. */
@@ -168,9 +173,19 @@ private HttpRequestImpl(URI uri,
                             String method,
                             HttpRequestImpl other,
                             boolean mayHaveBody) {
+        this(uri, method, other, mayHaveBody, Optional.empty());
+    }
+
+    private HttpRequestImpl(URI uri,
+                            String method,
+                            HttpRequestImpl other,
+                            boolean mayHaveBody,
+                            Optional<BiPredicate<String, String>> redirectHeadersFilter) {
         assert method == null || Utils.isValidName(method);
-        this.method = method == null? "GET" : method;
-        this.userHeaders = other.userHeaders;
+        this.method = method == null ? "GET" : method;
+        HttpHeaders userHeaders = redirectHeadersFilter.isPresent() ?
+                HttpHeaders.of(other.userHeaders.map(), redirectHeadersFilter.get()) : other.userHeaders;
+        this.userHeaders = userHeaders;
         this.isWebSocket = other.isWebSocket;
         this.systemHeadersBuilder = new HttpHeadersBuilder();
         if (!userHeaders.firstValue("User-Agent").isPresent()) {

src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java

@@ -152,6 +152,18 @@ private static Set<String> getDisallowedHeaders() {
     public static final BiPredicate<String, String>
             ALLOWED_HEADERS = (header, unused) -> !DISALLOWED_HEADERS_SET.contains(header);
 
+    private static final Set<String> DISALLOWED_REDIRECT_HEADERS_SET = getDisallowedRedirectHeaders();
+
+    private static Set<String> getDisallowedRedirectHeaders() {
+        Set<String> headers = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
+        headers.addAll(Set.of("Authorization", "Cookie", "Origin", "Referer", "Host"));
+
+        return Collections.unmodifiableSet(headers);
+    }
+
+    public static final BiPredicate<String, String>
+            ALLOWED_REDIRECT_HEADERS = (header, unused) -> !DISALLOWED_REDIRECT_HEADERS_SET.contains(header);
+
     public static final BiPredicate<String, String> VALIDATE_USER_HEADER =
             (name, value) -> {
                 assert name != null : "null header name";

test/jdk/java/net/httpclient/DigestEchoClient.java

@@ -264,8 +264,9 @@ public static void main(String[] args) throws Exception {
         }
         try {
             for (DigestEchoServer.HttpAuthType authType : types) {
-                // The test server does not support PROXY305 properly
-                if (authType == DigestEchoServer.HttpAuthType.PROXY305) continue;
+                // The test server does not support PROXY305 or SERVER307 properly
+                if (authType == DigestEchoServer.HttpAuthType.PROXY305 ||
+                    authType == DigestEchoServer.HttpAuthType.SERVER307) continue;
                 EnumSet<DigestEchoServer.HttpAuthSchemeType> basics =
                         EnumSet.of(DigestEchoServer.HttpAuthSchemeType.BASICSERVER,
                                 DigestEchoServer.HttpAuthSchemeType.BASIC);