fixes bug 302489 "XMLHTTP TRACE method can reveal proxy passwords to web sites" r=jst sr=dveditz a=asa

content/base/src/nsXMLHttpRequest.cpp

@@ -877,6 +877,11 @@ nsXMLHttpRequest::OpenRequest(const nsACString& method,
   NS_ENSURE_ARG(!method.IsEmpty());
   NS_ENSURE_ARG(!url.IsEmpty());
 
+  // Disallow HTTP/1.1 TRACE method (see bug 302489).
+  if (method.LowerCaseEqualsASCII("trace")) {
+    return NS_ERROR_INVALID_ARG;
+  }
+
   nsresult rv;
   nsCOMPtr<nsIURI> uri;
   PRBool authp = PR_FALSE;