From 5bb269d01dd11c9336ece79d6177249b5bedadf0 Mon Sep 17 00:00:00 2001
From: Leon Krause <lk@leonkrause.com>
Date: Sat, 17 Feb 2018 16:56:40 +0100
Subject: [PATCH] Disable insecure HTTP methods CONNECT and TRACE in HTML5
 platform

(cherry picked from commit 2cd7bc04ea9a99510c26113a81f8371be5b1f49f)
---
 platform/javascript/http_client_javascript.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/platform/javascript/http_client_javascript.cpp b/platform/javascript/http_client_javascript.cpp
index 5e6b01f772a..5ab3d1b7703 100644
--- a/platform/javascript/http_client_javascript.cpp
+++ b/platform/javascript/http_client_javascript.cpp
@@ -81,6 +81,8 @@ Ref<StreamPeer> HTTPClient::get_connection() const {
 Error HTTPClient::prepare_request(Method p_method, const String &p_url, const Vector<String> &p_headers) {
 
 	ERR_FAIL_INDEX_V(p_method, METHOD_MAX, ERR_INVALID_PARAMETER);
+	ERR_EXPLAIN("HTTP methods TRACE and CONNECT are not supported for the HTML5 platform");
+	ERR_FAIL_COND_V(p_method == METHOD_TRACE || p_method == METHOD_CONNECT, ERR_UNAVAILABLE);
 	ERR_FAIL_COND_V(status != STATUS_CONNECTED, ERR_INVALID_PARAMETER);
 	ERR_FAIL_COND_V(host.empty(), ERR_UNCONFIGURED);
 	ERR_FAIL_COND_V(port < 0, ERR_UNCONFIGURED);