fix(fetch): reject forbidden HTTP methods CONNECT, TRACE, and TRACK (#5203)

HiteshShonak · web-flow · commit a2acfa6b2733 · 2026-04-10T15:25:46.000Z
This Pull Request fixes/closes #5202. It changes the following: - Reject `CONNECT`, `TRACE`, and `TRACK` methods in the `Request` constructor and throw a `TypeError`, matching the Fetch Standard. - Check is case-insensitive, so `connect`, `trace`, `track` are also rejected. - Added regression tests for all three forbidden methods. Testing: ```bash cargo test -p boa_runtime request -- --nocapture ``` Spec reference: https://fetch.spec.whatwg.org/#forbidden-method
diff --git a/core/runtime/src/fetch/request.rs b/core/runtime/src/fetch/request.rs
@@ -62,9 +62,27 @@ impl RequestInit {
         }
 
         if let Some(Convert(ref method)) = self.method.take() {
-            builder = builder.method(method.to_std_string().map_err(
+            let method = method.to_std_string().map_err(
                 |_| js_error!(TypeError: "Request constructor: {} is an invalid method", method.to_std_string_escaped()),
-            )?.as_str());
+            )?;
+
+            // 25. If init["method"] exists, then:
+            //     1. Let method be init["method"].
+            //     2. If method is not a method or method is a forbidden method, throw a TypeError.
+            //     3. Normalize method.
+            //     4. Set request's method to method.
+            // https://fetch.spec.whatwg.org/#dom-request
+            if method.eq_ignore_ascii_case("CONNECT")
+                || method.eq_ignore_ascii_case("TRACE")
+                || method.eq_ignore_ascii_case("TRACK")
+            {
+                return Err(js_error!(
+                    TypeError: "'{}' HTTP method is unsupported.",
+                    method
+                ));
+            }
+
+            builder = builder.method(method.as_str());
         }
 
         if let Some(body) = &self.body {
diff --git a/core/runtime/src/fetch/tests/request.rs b/core/runtime/src/fetch/tests/request.rs
@@ -5,6 +5,7 @@ use crate::test::{TestAction, run_test_actions};
 use boa_engine::{JsObject, js_str, js_string};
 use either::Either;
 use http::{Response, Uri};
+use indoc::indoc;
 
 #[test]
 fn request_constructor() {
@@ -48,6 +49,28 @@ fn request_constructor() {
     ]);
 }
 
+#[test]
+fn request_constructor_forbidden_method_throws() {
+    run_test_actions([
+        TestAction::inspect_context(|ctx| {
+            let fetcher = TestFetcher::default();
+            crate::fetch::register(fetcher, None, ctx).expect("failed to register fetch");
+        }),
+        TestAction::run(indoc! {r#"
+            for (const method of ["CONNECT", "TRACE", "TRACK", "connect"]) {
+                try {
+                    new Request("http://unit.test", { method });
+                    throw Error("expected the call above to throw");
+                } catch (e) {
+                    if (!(e instanceof TypeError)) {
+                        throw e;
+                    }
+                }
+            }
+        "#}),
+    ]);
+}
+
 #[test]
 fn request_clone_preserves_body_without_override() {
     run_test_actions([
