wasi-http: don't send forbidden headers#136
Conversation
the set of FORBIDDEN_HEADERS is derived from wasmtime, with the addition of Content-Length, and Expect.
|
Oh hah, the algorithm is documented here: https://fetch.spec.whatwg.org/#forbidden-request-header. That was easier to find than expected. I think we should probably just adopt this? |
|
By the way, we might even want to upstream this to |
|
Yes, whatwg has published that spec of forbidden headers. The trouble with adopting that list wholesale is that several of those restrictions are Web-platform specific and would be harmful to forbid in a proxy setting, specifically I don't really know one way or another whether the CORS Access-Control- headers, or the Proxy- and Sec-, should be forbidden or not. We also need a way to set |

Everyone agrees wasi shouldnt use forbidden headers, but nobody agrees on what they are (yet) WebAssembly/WASI#940.
This PR takes the default wasmtime set, and adds Content-Length and Expect as forbidden headers. Because
HeaderMapdoesn't provide us a mechanism to forbid headers, we instead just silently drop any of the known forbidden headers when translating to a wasifieldsresource.The set of forbidden headers is:
Since this is a pretty significant behavioral change, we will bump the version to 0.7.0 for the next release after this lands.