
fix(fetch): reject forbidden HTTP methods CONNECT, TRACE, and TRACK #5203

Merged
jedel1043 merged 4 commits into boa-dev:main from HiteshShonak:fix/request-forbidden-methods
Apr 10, 2026

@HiteshShonak
Contributor

This Pull Request fixes/closes #5202.

It changes the following:

  • Reject CONNECT, TRACE, and TRACK methods in the Request constructor and throw a TypeError, matching the Fetch Standard.
  • Check is case-insensitive, so connect, trace, track are also rejected.
  • Added regression tests for all three forbidden methods.

Testing:

cargo test -p boa_runtime request -- --nocapture

Spec reference: https://fetch.spec.whatwg.org/#forbidden-method
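
The check this PR describes, as an added standalone example (not Boa's code and not part of the original PR). It goes slightly beyond the PR text by also applying the Fetch Standard's method-token check and method normalization; `validate_method`, `is_forbidden_method`, `is_tchar` and `MethodError` are hypothetical names.

```rust
// Added illustration; not Boa's implementation. All names are hypothetical.

/// Methods the Fetch Standard forbids in the Request constructor.
const FORBIDDEN: [&str; 3] = ["CONNECT", "TRACE", "TRACK"];
/// Methods the Fetch Standard byte-uppercases during normalization.
const NORMALIZED: [&str; 6] = ["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"];

#[derive(Debug, PartialEq)]
enum MethodError {
    NotAToken, // empty, or contains a byte outside the HTTP token set
    Forbidden, // CONNECT, TRACE or TRACK in any ASCII case
}

/// RFC 7230 `tchar`: the bytes allowed in a method token.
fn is_tchar(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b"!#$%&'*+-.^_`|~".contains(&b)
}

/// Byte-case-insensitive match against the forbidden list.
fn is_forbidden_method(method: &str) -> bool {
    FORBIDDEN.iter().any(|m| m.eq_ignore_ascii_case(method))
}

/// Validate a caller-supplied method; both errors would surface as a TypeError.
fn validate_method(method: &str) -> Result<String, MethodError> {
    // Token check first, so whitespace or CR/LF never reaches later stages.
    if method.is_empty() || !method.bytes().all(is_tchar) {
        return Err(MethodError::NotAToken);
    }
    if is_forbidden_method(method) {
        return Err(MethodError::Forbidden);
    }
    // Only the six listed methods are uppercased; others keep their case.
    if NORMALIZED.iter().any(|m| m.eq_ignore_ascii_case(method)) {
        return Ok(method.to_ascii_uppercase());
    }
    Ok(method.to_owned())
}

fn main() {
    // Constructed sample inputs.
    for m in ["get", "TRACE", "tRaCk", "connect", "patch", " TRACE", "GET\r\nX: y"] {
        println!("{m:?} -> {:?}", validate_method(m));
    }
}
```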

@HiteshShonak HiteshShonak requested a review from a team as a code owner March 21, 2026 04:37
Copilot AI review requested due to automatic review settings March 21, 2026 04:37
@github-actions github-actions bot added the Waiting On Review, C-Tests and C-Runtime labels and removed the Waiting On Review label Mar 21, 2026
@github-actions github-actions bot added this to the v1.0.0 milestone Mar 21, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR updates Boa’s Fetch Request implementation to match the Fetch Standard by rejecting forbidden HTTP methods (CONNECT, TRACE, TRACK) in the Request constructor path, and adds regression tests to prevent the behavior from regressing.

Changes:

  • Reject CONNECT/TRACE/TRACK (case-insensitive) in RequestInit::into_request_builder by throwing a TypeError.
  • Add regression tests asserting new Request(..., { method }) throws for each forbidden method.
  • Add indoc usage in request tests for cleaner embedded JS snippets.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| core/runtime/src/fetch/request.rs | Adds forbidden-method validation during request builder construction, returning a TypeError for CONNECT/TRACE/TRACK. |
| core/runtime/src/fetch/tests/request.rs | Adds new tests ensuring Request construction throws when using forbidden methods. |


@github-actions

github-actions bot commented Mar 21, 2026

Test262 conformance changes

| Test result | main count | PR count | difference |
| --- | --- | --- | --- |
| Total | 53,125 | 53,125 | 0 |
| Passed | 51,049 | 51,049 | 0 |
| Ignored | 1,482 | 1,482 | 0 |
| Failed | 594 | 594 | 0 |
| Panics | 0 | 0 | 0 |
| Conformance | 96.09% | 96.09% | 0.00% |

Tested main commit: d6d76d86e9e18fca07f318f1db434cc8abffaf14
Tested PR commit: cc6dedf754e99f257e9c1641e6c6e5a6624580ff
Compare commits: d6d76d8...cc6dedf

@codecov

codecov bot commented Mar 21, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.70%. Comparing base (6ddc2b4) to head (cc6dedf).
⚠️ Report is 949 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff             @@
##             main    #5203       +/-   ##
===========================================
+ Coverage   47.24%   59.70%   +12.45%     
===========================================
  Files         476      589      +113     
  Lines       46892    63671    +16779     
===========================================
+ Hits        22154    38012    +15858     
- Misses      24738    25659      +921     


@github-actions github-actions bot added the Waiting On Review label Mar 21, 2026
@HiteshShonak HiteshShonak requested a review from jedel1043 April 10, 2026 14:49
Member

@jedel1043 jedel1043 left a comment


Looks great!

@jedel1043 jedel1043 added this pull request to the merge queue Apr 10, 2026
Merged via the queue into boa-dev:main with commit a2acfa6 Apr 10, 2026
22 checks passed
@github-actions github-actions bot removed the Waiting On Review label Apr 10, 2026


Development

Successfully merging this pull request may close these issues.

Request constructor accepts forbidden HTTP methods like CONNECT, TRACE, and TRACK
