From d6c2528e9e9680999ec97cccb640b1f7200565c8 Mon Sep 17 00:00:00 2001 From: "darin%meer.net" Date: Thu, 20 Apr 2006 03:39:38 +0000 Subject: [PATCH] fixes bug 302489 "XMLHTTP TRACE method can reveal proxy passwords to web sites" r=jst sr=dveditz a=asa --- content/base/src/nsXMLHttpRequest.cpp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp index 46600f8e068..63d6638c907 100644 --- a/content/base/src/nsXMLHttpRequest.cpp +++ b/content/base/src/nsXMLHttpRequest.cpp @@ -877,6 +877,11 @@ nsXMLHttpRequest::OpenRequest(const nsACString& method, NS_ENSURE_ARG(!method.IsEmpty()); NS_ENSURE_ARG(!url.IsEmpty()); + // Disallow HTTP/1.1 TRACE method (see bug 302489). + if (method.LowerCaseEqualsASCII("trace")) { + return NS_ERROR_INVALID_ARG; + } + nsresult rv; nsCOMPtr uri; PRBool authp = PR_FALSE;
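Review bot: The added guard in OpenRequest is a one-entry deny-list that rejects only the method name `trace`, so any other method that makes a server or proxy echo the request back would still be accepted; the non-standard `TRACK`, which some servers treat like TRACE, is the obvious case. The condition could cover it with `if (method.LowerCaseEqualsASCII("trace") || method.LowerCaseEqualsASCII("track")) {`. Because the comparison is an exact match, a method string with stray whitespace or control characters would not be caught here unless it is normalised elsewhere, which this hunk does not show. The comment would help the next reader more if it gave the reason rather than only the bug number, e.g. `// Disallow TRACE: the echoed request would expose headers such as Proxy-Authorization to page script (bug 302489).` OpenRequest begins and ends outside the hunk, so any validation before or after these lines, or in the HTTP channel for callers other than XMLHttpRequest, cannot be judged from here.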