fix: Limit Access-Control-Request-Headers to unsafe headers only (#53)

Author: nzakas

src/cors.js

@@ -391,6 +391,44 @@ export function validateCorsRequest(request, origin) {
 	}
 }
 
+/**
+ * Gets an array of headers that are not allowed in a CORS simple request.
+ * @param {Request} request The request to check.
+ * @returns {string[]} Array of header names that are not simple headers.
+ */
+export function getNonSimpleHeaders(request) {
+    const result = [];
+    const headers = request.headers;
+
+    for (const header of headers.keys()) {
+        
+        // Range header needs special validation
+        if (header === "range") {
+            const rangeValue = headers.get(header);
+            if (rangeValue && !isSimpleRangeHeader(rangeValue)) {
+                result.push(header);
+            }
+            continue;
+        }
+
+        // Content-Type header needs special validation
+        if (header === "content-type") {
+            const contentType = headers.get(header);
+            if (contentType && !simpleRequestContentTypes.has(contentType)) {
+                result.push(header);
+            }
+            continue;
+        }
+
+        // Check if header is in the safe list
+        if (!safeRequestHeaders.has(header)) {
+            result.push(header);
+        }
+    }
+
+    return result;
+}
+
 /**
  * A class for storing CORS preflight data.
  */

src/fetch-mocker.js

@@ -18,6 +18,7 @@ import {
 	CORS_REQUEST_HEADERS,
 	CORS_ORIGIN,
 	CorsError,
+	getNonSimpleHeaders,
 } from "./cors.js";
 import { createCustomRequest } from "./custom-request.js";
 
@@ -349,21 +350,34 @@ export class FetchMocker {
 	 * @param {Request} request The request to create a preflight request for.
 	 * @returns {Request} The preflight request.
 	 * @throws {Error} When there is no base URL.
+	 * @see https://fetch.spec.whatwg.org/#cors-preflight-fetch
 	 */
 	#createPreflightRequest(request) {
 		if (!this.#baseUrl) {
 			throw new Error(
 				"Cannot create preflight request without a base URL.",
 			);
 		}
+		
+		const nonsimpleHeaders = getNonSimpleHeaders(request);
+		
+		/** @type {Record<string,string>} */
+		const headers = {
+			Accept: "*/*",
+			[CORS_REQUEST_METHOD]: request.method,
+			[CORS_ORIGIN]: this.#baseUrl.origin,
+		};
+		
+		if (nonsimpleHeaders.length > 0) {
+			headers[CORS_REQUEST_HEADERS] = nonsimpleHeaders.join(",");
+		}
 
 		return new this.#Request(request.url, {
 			method: "OPTIONS",
-			headers: {
-				[CORS_REQUEST_METHOD]: request.method,
-				[CORS_REQUEST_HEADERS]: [...request.headers.keys()].join(","),
-				[CORS_ORIGIN]: this.#baseUrl.origin,
-			},
+			headers,
+			mode: "cors",
+			referrer: request.referrer,
+			referrerPolicy: request.referrerPolicy,
 		});
 	}
 

tests/cors.test.js

@@ -9,7 +9,7 @@
 //-----------------------------------------------------------------------------
 
 import assert from "node:assert";
-import { isCorsSimpleRequest } from "../src/cors.js";
+import { isCorsSimpleRequest, getNonSimpleHeaders } from "../src/cors.js";
 
 //-----------------------------------------------------------------------------
 // Tests
@@ -175,4 +175,80 @@ describe("http", () => {
 			});
 		});
 	});
+	
+	describe("getNonSimpleHeaders()", () => {
+		it("should return empty array for request with no headers", () => {
+			const request = new Request("https://example.com");
+			assert.deepStrictEqual(getNonSimpleHeaders(request), []);
+		});
+
+		it("should return empty array for request with only simple headers", () => {
+			const headers = new Headers({
+				Accept: "application/json",
+				"Accept-Language": "en-US",
+				"Content-Language": "en-US"
+			});
+			const request = new Request("https://example.com", { headers });
+			assert.deepStrictEqual(getNonSimpleHeaders(request), []);
+		});
+
+		it("should return array containing non-simple headers", () => {
+			const headers = new Headers({
+				Accept: "application/json",
+				Authorization: "Bearer token",
+				"X-Custom-Header": "value"
+			});
+			const request = new Request("https://example.com", { headers });
+			assert.deepStrictEqual(
+				getNonSimpleHeaders(request),
+				["authorization", "x-custom-header"]
+			);
+		});
+
+		it("should identify non-simple content-type header", () => {
+			const headers = new Headers({
+				"Content-Type": "application/json"
+			});
+			const request = new Request("https://example.com", { headers });
+			assert.deepStrictEqual(getNonSimpleHeaders(request), ["content-type"]);
+		});
+
+		it("should not include simple content-type header", () => {
+			const headers = new Headers({
+				"Content-Type": "text/plain"
+			});
+			const request = new Request("https://example.com", { headers });
+			assert.deepStrictEqual(getNonSimpleHeaders(request), []);
+		});
+
+		it("should identify invalid range header", () => {
+			const headers = new Headers({
+				Range: "bytes=0-1024,2048-3072"
+			});
+			const request = new Request("https://example.com", { headers });
+			assert.deepStrictEqual(getNonSimpleHeaders(request), ["range"]);
+		});
+
+		it("should not include valid range header", () => {
+			const headers = new Headers({
+				Range: "bytes=0-1024"
+			});
+			const request = new Request("https://example.com", { headers });
+			assert.deepStrictEqual(getNonSimpleHeaders(request), []);
+		});
+
+		it("should identify multiple non-simple headers", () => {
+			const headers = new Headers({
+				Authorization: "Bearer token",
+				"Content-Type": "application/json",
+				Range: "bytes=0-1024,2048-3072",
+				"X-Custom-Header": "value"
+			});
+			const request = new Request("https://example.com", { headers });
+			assert.deepStrictEqual(
+				getNonSimpleHeaders(request),
+				["authorization", "content-type", "range", "x-custom-header"]
+			);
+		});
+	});
 });