
fix(requests): disallow `VM-` headers for security reason

Gerald %!s(int64=8) %!d(string=hai) anos
pai
achega
44cf2570a7
Modificáronse 3 ficheiros con 15 adicións e 10 borrados
  1. 1 0
      .gitignore
  2. 4 1
      src/background/utils/requests.js
  3. 10 9
      src/injected.js

+ 1 - 0
.gitignore

@@ -1,6 +1,7 @@
 /dist/
 node_modules/
 /*.zip
+/*.tar.gz
 /*.nex
 /*.crx
 /*.log

+ 4 - 1
src/background/utils/requests.js

@@ -73,8 +73,11 @@ export function httpRequest(details, cb) {
     xhr.setRequestHeader('VM-Verify', details.id);
     if (details.headers) {
       Object.keys(details.headers).forEach(key => {
+        const lowerKey = key.toLowerCase();
+        // `VM-` headers are reserved
+        if (lowerKey.startsWith('vm-')) return;
         xhr.setRequestHeader(
-          specialHeaders.includes(key.toLowerCase()) ? `VM-${key}` : key,
+          specialHeaders.includes(lowerKey) ? `VM-${key}` : key,
           details.headers[key],
         );
       });
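Review bot: The new guard at the `if (lowerKey.startsWith('vm-')) return;` line drops a script-supplied reserved header silently, so a userscript author whose `VM-Verify` or `VM-Cookie` header quietly disappears has no way to tell why the request misbehaved. I would surface it with a warning rather than a bare return, e.g. `if (lowerKey.startsWith('vm-')) { console.warn(`Ignoring reserved header: ${key}`); return; }`. The one-word comment `// \`VM-\` headers are reserved` also does not say what the reservation protects; since `VM-Verify` is set from `details.id` two lines above and special headers are renamed to `VM-${key}`, a comment such as `// VM-* is the internal namespace used to carry the request id and the special headers; never let a script set one directly` would record the reason the commit title only alludes to. The enclosing `httpRequest` function ends outside this hunk, so I cannot see whether anything after the loop re-reads `details.headers` unfiltered.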

+ 10 - 9
src/injected.js

@@ -287,20 +287,21 @@
       if (res.type === 'loadend') delete comm.requests[req.id];
     }
     function start(req, id) {
+      const { details } = req;
       const data = {
         id,
-        method: req.details.method,
-        url: req.details.url,
-        data: req.details.data,
-        // async: !req.details.synchronous,
-        user: req.details.user,
-        password: req.details.password,
-        headers: req.details.headers,
-        overrideMimeType: req.details.overrideMimeType,
+        method: details.method,
+        url: details.url,
+        data: details.data,
+        // async: !details.synchronous,
+        user: details.user,
+        password: details.password,
+        headers: details.headers,
+        overrideMimeType: details.overrideMimeType,
       };
       req.id = id;
       comm.requests[id] = req;
-      if (comm.includes(['arraybuffer', 'blob'], req.details.responseType)) {
+      if (comm.includes(['arraybuffer', 'blob'], details.responseType)) {
         data.responseType = 'blob';
       }
       comm.post({ cmd: 'HttpRequest', data });
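Review bot: The refactor carries the dead line `// async: !details.synchronous,` into the new object literal without explaining it; either delete it or replace it with a short why-comment such as `// synchronous requests are not supported over the message channel`, so the next reader does not wonder whether it is a TODO. Note also that `headers: details.headers` is forwarded here untouched, which is consistent with the `VM-` filtering living only in the background side of this commit; if, as the file name suggests, this code runs in the page context, that is the right place for the check, and a comment like `// header filtering is done in background/utils/requests.js, never trust this side` would keep a future contributor from moving it here. The body of `start` continues past the end of this hunk.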