[tor-commits] [meek/master] Set some safety defaults for fetch.
dcf at torproject.org
dcf at torproject.org
Wed Aug 28 05:59:18 UTC 2019
commit c9839e85b66793b6209abf820c2cda8c07ee2157
Author: David Fifield <david at bamsoftware.com>
Date: Fri Feb 15 14:29:54 2019 -0700
Set some safety defaults for fetch.
cache: "no-store"
credentials: "omit"
redirect: "manual"
cache: "no-store" adds these headers, which seem fine:
Cache-Control: no-cache
Pragma: no-cache
---
webextension/background.js | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/webextension/background.js b/webextension/background.js
index ba56e7f..fd39273 100644
--- a/webextension/background.js
+++ b/webextension/background.js
@@ -83,6 +83,7 @@ function roundtrip(id, request) {
// Process the incoming request spec and convert it into parameters to the
// fetch API. Also enforce some restrictions on what kinds of requests we
// are willing to make.
+ // https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/fetch#Parameters
let url;
let init = {};
try {
@@ -107,6 +108,13 @@ function roundtrip(id, request) {
init.body = base64_decode(request.body);
}
+ // Do not read nor write from the browser's HTTP cache.
+ init.cache = "no-store";
+ // Don't send cookies.
+ init.credentials = "omit";
+ // Don't follow redirects (we'll get resp.status:0 if there is one).
+ init.redirect = "manual";
+
// TODO: Host header
// TODO: strip Origin header?
// TODO: proxy