test(rsc-mf): expand hop-by-hop header sanitization coverage

Author: cursoragent

tests/integration/rsc-mf/shared/proxyResponse.ts

@@ -1,14 +1,28 @@
-const HOP_BY_HOP_RESPONSE_HEADERS = [
+const PROXY_UNSAFE_RESPONSE_HEADERS = [
   'content-length',
   'content-encoding',
+  'connection',
+  'keep-alive',
+  'proxy-authenticate',
+  'proxy-authorization',
+  'te',
+  'trailer',
   'transfer-encoding',
+  'upgrade',
 ];
 
 export const createSafeProxyResponse = (upstream: Response) => {
   const headers = new Headers(upstream.headers);
-  for (const headerName of HOP_BY_HOP_RESPONSE_HEADERS) {
+  for (const headerName of PROXY_UNSAFE_RESPONSE_HEADERS) {
     headers.delete(headerName);
   }
+  const connectionHeaderTokens = (upstream.headers.get('connection') || '')
+    .split(',')
+    .map(token => token.trim().toLowerCase())
+    .filter(Boolean);
+  for (const token of connectionHeaderTokens) {
+    headers.delete(token);
+  }
   return new Response(upstream.body, {
     status: upstream.status,
     headers,

tests/integration/rsc-mf/tests/modernServerConfig.test.ts

@@ -144,6 +144,12 @@ describe('rsc-mf host modern.server middleware contracts', () => {
           'content-type': 'application/javascript',
           'content-length': '999',
           'content-encoding': 'gzip',
+          connection: 'keep-alive, x-proxy-hop-header',
+          'keep-alive': 'timeout=5',
+          'x-proxy-hop-header': 'remove-me',
+          te: 'trailers',
+          trailer: 'x-trailer-a',
+          upgrade: 'websocket',
           'transfer-encoding': 'chunked',
         },
       });
@@ -162,6 +168,12 @@ describe('rsc-mf host modern.server middleware contracts', () => {
     );
     expect(context.res?.headers.get('content-length')).toBeNull();
     expect(context.res?.headers.get('content-encoding')).toBeNull();
+    expect(context.res?.headers.get('connection')).toBeNull();
+    expect(context.res?.headers.get('keep-alive')).toBeNull();
+    expect(context.res?.headers.get('x-proxy-hop-header')).toBeNull();
+    expect(context.res?.headers.get('te')).toBeNull();
+    expect(context.res?.headers.get('trailer')).toBeNull();
+    expect(context.res?.headers.get('upgrade')).toBeNull();
     expect(context.res?.headers.get('transfer-encoding')).toBeNull();
     await expect(context.res?.text()).resolves.toBe(
       'proxied-with-transport-headers',

tests/integration/rsc-mf/tests/proxyResponse.test.ts

@@ -8,6 +8,12 @@ describe('rsc-mf proxy response helper', () => {
         'content-type': 'application/javascript',
         'content-length': '999',
         'content-encoding': 'gzip',
+        connection: 'keep-alive, x-custom-hop-header',
+        'keep-alive': 'timeout=5',
+        'x-custom-hop-header': 'remove-me',
+        te: 'trailers',
+        trailer: 'x-trailer-a',
+        upgrade: 'websocket',
         'transfer-encoding': 'chunked',
       },
     });
@@ -18,6 +24,12 @@ describe('rsc-mf proxy response helper', () => {
     expect(proxied.headers.get('content-type')).toBe('application/javascript');
     expect(proxied.headers.get('content-length')).toBeNull();
     expect(proxied.headers.get('content-encoding')).toBeNull();
+    expect(proxied.headers.get('connection')).toBeNull();
+    expect(proxied.headers.get('keep-alive')).toBeNull();
+    expect(proxied.headers.get('x-custom-hop-header')).toBeNull();
+    expect(proxied.headers.get('te')).toBeNull();
+    expect(proxied.headers.get('trailer')).toBeNull();
+    expect(proxied.headers.get('upgrade')).toBeNull();
     expect(proxied.headers.get('transfer-encoding')).toBeNull();
     await expect(proxied.text()).resolves.toBe('proxied-body');
   });

tests/integration/rsc-mf/tests/remoteModernServerConfig.test.ts

@@ -187,6 +187,12 @@ describe('rsc-mf remote modern.server middleware contracts', () => {
               'content-type': 'application/javascript',
               'content-length': '999',
               'content-encoding': 'gzip',
+              connection: 'keep-alive, x-proxy-hop-header',
+              'keep-alive': 'timeout=5',
+              'x-proxy-hop-header': 'remove-me',
+              te: 'trailers',
+              trailer: 'x-trailer-a',
+              upgrade: 'websocket',
               'transfer-encoding': 'chunked',
             },
           }),
@@ -209,6 +215,12 @@ describe('rsc-mf remote modern.server middleware contracts', () => {
     );
     expect(context.res?.headers.get('content-length')).toBeNull();
     expect(context.res?.headers.get('content-encoding')).toBeNull();
+    expect(context.res?.headers.get('connection')).toBeNull();
+    expect(context.res?.headers.get('keep-alive')).toBeNull();
+    expect(context.res?.headers.get('x-proxy-hop-header')).toBeNull();
+    expect(context.res?.headers.get('te')).toBeNull();
+    expect(context.res?.headers.get('trailer')).toBeNull();
+    expect(context.res?.headers.get('upgrade')).toBeNull();
     expect(context.res?.headers.get('transfer-encoding')).toBeNull();
     await expect(context.res?.text()).resolves.toBe(
       'fallback-with-transport-headers',