
I need a deeper understanding of this topic.

I tried to look up specific reasons for the restricted headers in the documentation but couldn't find any.

Here is a list of restricted headers:

Accept-Charset, Accept-Encoding, Access-Control-Request-Headers, Access-Control-Request-Method, Connection, Content-Length, Cookie, Cookie2, Date, DNT, Expect, Host, Keep-Alive, Origin, Referer, TE, Trailer, Transfer-Encoding, Upgrade, Via

refer: http://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/31bc1a681b51/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java#l186

To override these, it is required to set sun.net.http.allowRestrictedHeaders to true at JVM startup, or to use System.setProperty("sun.net.http.allowRestrictedHeaders", "true").

It is said that this was disabled as part of a security fix.

I want to understand what security risk might have come up, and how forbidding the use of these headers was a solution to it, keeping in mind that you can still override the headers.

Links to refer to:

https://fetch.spec.whatwg.org/#forbidden-header-name

Why does Content-Length HTTP header field use a value other than the one given in Java code?

Can I override the Host header where using java's HttpUrlConnection class?

Pranay Nailwal

1 Answer


The first link says in a note (green text):

These are forbidden so the user agent remains in full control over them

It's to prevent spoofing by malicious JavaScript code in web browsers.

Since Java code is not a web browser, only some of them are restricted in Java, as the link to the source code shows.

The headers that are still restricted are controlled directly by the HttpURLConnection class, and there should be no need to spoof the values, so leaving them restricted should not be an issue.

Andreas
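The override mechanism the question describes and the "no need to spoof" point in the answer can both be seen by running a small client against a local echo server. The following is an added example, not code from the question, the answer, or the JDK; it assumes a JDK 8 or later with the built-in com.sun.net.httpserver package, and the class name RestrictedHeaderDemo and the value "spoofed.example" are arbitrary choices for the demonstration. Host is used because it is in the JDK's own restricted list (see the linked HttpURLConnection source).

```java
import com.sun.net.httpserver.HttpServer;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicReference;

/**
 * Added example (not from the original question or answer).
 *
 * Shows that HttpURLConnection silently drops a restricted header such as Host
 * unless sun.net.http.allowRestrictedHeaders is true, and that the property is
 * read once, in the static initializer of the HttpURLConnection implementation,
 * so it must be set before the first connection is opened.
 *
 *   java RestrictedHeaderDemo         -> Host seen by server: 127.0.0.1:<port>
 *   java RestrictedHeaderDemo allow   -> Host seen by server: spoofed.example
 *   java -Dsun.net.http.allowRestrictedHeaders=true RestrictedHeaderDemo
 *                                     -> same as "allow"
 */
public class RestrictedHeaderDemo {

    public static void main(String[] args) throws Exception {
        // Must happen before sun.net.www.protocol.http.HttpURLConnection is
        // loaded. Setting it after a connection has been opened has no effect,
        // because the restricted-header set is built in that class's static init.
        if (args.length > 0 && args[0].equals("allow")) {
            System.setProperty("sun.net.http.allowRestrictedHeaders", "true");
        }

        // Local echo server on an ephemeral loopback port (constructed for the
        // demo); it records the Host header it actually received.
        AtomicReference<String> seenHost = new AtomicReference<>();
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            seenHost.set(exchange.getRequestHeaders().getFirst("Host"));
            byte[] body = "ok".getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            exchange.getResponseBody().write(body);
            exchange.close();
        });
        server.start();
        int port = server.getAddress().getPort();

        try {
            URL url = new URL("http://127.0.0.1:" + port + "/");
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();

            // Restricted header: ignored unless the property was set.
            // No exception and no warning are raised; the call just does nothing.
            conn.setRequestProperty("Host", "spoofed.example");
            // Ordinary header: always forwarded.
            conn.setRequestProperty("X-Custom", "demo");

            // getRequestProperty shows whether the value was actually accepted:
            // null when the header was dropped, the value when it was kept.
            System.out.println("Host accepted by client: " + conn.getRequestProperty("Host"));

            try (InputStream in = conn.getInputStream()) {
                while (in.read() != -1) { /* drain the response */ }
            }
            System.out.println("Host seen by server:     " + seenHost.get());
        } finally {
            server.stop(0);
        }
    }
}
```

The point to take from the two runs is that the restriction is enforced inside the client library rather than by the transport: without the property, HttpURLConnection fills in Host from the URL itself and discards the caller's value, so application code cannot desynchronise the header from the connection it was opened on; with the property, the caller regains full control and is responsible for the consequences.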