8213189: Make restricted headers in HTTP Client configurable and remove Date by default

Reviewed-by: dfuchs
2025-09-15 16:44:36 +02:00 · 2018-11-14 14:23:21 +00:00 · 2018-11-14 14:23:21 +00:00 · 028f2e14b3
commit 028f2e14b3
parent eafb5eb05e
14 changed files with 376 additions and 28 deletions
--- a/src/java.base/share/conf/net.properties
+++ b/src/java.base/share/conf/net.properties
@ -99,3 +99,21 @@ ftp.nonProxyHosts=localhost|127.*|[::1]
 #jdk.http.auth.proxying.disabledSchemes=
 jdk.http.auth.tunneling.disabledSchemes=Basic

+#
+# Allow restricted HTTP request headers
+#
+# By default, the following request headers are not allowed to be set by user code
+# in HttpRequests: "connection", "content-length", "expect", "host" and "upgrade".
+# The 'jdk.httpclient.allowRestrictedHeaders' property allows one or more of these
+# headers to be specified as a comma separated list to override the default restriction. 
+# The names are case-insensitive and white-space is ignored (removed before processing 
+# the list). Note, this capability is mostly intended for testing and isn't expected 
+# to be used in real deployments. Protocol errors or other undefined behavior is likely 
+# to occur when using them. The property is not set by default.
+# Note also, that there may be other headers that are restricted from being set
+# depending on the context. This includes the "Authorization" header when the
+# relevant HttpClient has an authenticator set. These restrictions cannot be
+# overridden by this property.
+#
+# jdk.httpclient.allowRestrictedHeaders=host
+#