From b28b6c141d3e4192382a530563553232dbd9482e Mon Sep 17 00:00:00 2001
From: linhongkuan
Date: Wed, 24 Jun 2026 21:54:18 +0800
Subject: [PATCH] fix(res.set): ignore inherited header fields
---
 lib/response.js | 4 +++-
 test/res.set.js | 22 ++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/lib/response.js b/lib/response.js
index b4755a5c060..fa5baed1ac1 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -681,7 +681,9 @@ res.header = function header(field, val) {
 this.setHeader(field, value);
 } else {
- for (var key in field) {
+ var keys = Object.keys(field);
+ for (var i = 0; i < keys.length; i++) {
+ var key = keys[i];
 this.set(key, field[key]);
 }
 }
diff --git a/test/res.set.js b/test/res.set.js
index 04511c1c95f..67acef84fc2 100644
--- a/test/res.set.js
+++ b/test/res.set.js
@@ -120,5 +120,27 @@ describe('res', function(){
 .expect('X-Number', '123')
 .expect(200, 'string', done);
 })
+
+ it('should ignore inherited properties', function (done) {
+ var app = express();
+ var headers = Object.create({ 'X-Inherited': 'nope' });
+
+ headers['X-Own'] = 'yes';
+
+ app.use(function (req, res) {
+ res.set(headers);
+ res.end();
+ });
+
+ request(app)
+ .get('/')
+ .expect('X-Own', 'yes')
+ .expect(function (res) {
+ if (res.headers['x-inherited'] !== undefined) {
+ throw new Error('should not set inherited header');
+ }
+ })
+ .expect(200, done);
+ })
 })
 })
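Review bot: `Object.keys(field)` throws a TypeError when `field` is `null` or `undefined`, whereas the removed `for (var key in field)` silently iterated nothing, so a handler that passes an optional headers object into this `else` branch would now fail the request instead of doing nothing. Guarding the lookup keeps the old behaviour while still skipping inherited keys: `var keys = field == null ? [] : Object.keys(field);`. A comment such as `// own enumerable keys only: inherited (e.g. polluted Object.prototype) properties must not become response headers` would record why `for...in` was dropped. The condition that selects this branch is outside the hunk, so whether a nullish `field` can reach it should be confirmed there. The new test in test/res.set.js covers only the inherited-property case and would benefit from a `res.set(undefined)` case once the intended behaviour is decided.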