httputil: in ReverseProxy, strip hop-by-hop headers from the backend response

Fixes #5967.

LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/57370043

src/pkg/net/http/httputil/reverseproxy.go

@@ -144,6 +144,10 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	}
 	defer res.Body.Close()
 
+	for _, h := range hopHeaders {
+		res.Header.Del(h)
+	}
+
 	copyHeader(rw.Header(), res.Header)
 
 	rw.WriteHeader(res.StatusCode)

src/pkg/net/http/httputil/reverseproxy_test.go

@@ -16,6 +16,12 @@ import (
 	"time"
 )
 
+const fakeHopHeader = "X-Fake-Hop-Header-For-Test"
+
+func init() {
+	hopHeaders = append(hopHeaders, fakeHopHeader)
+}
+
 func TestReverseProxy(t *testing.T) {
 	const backendResponse = "I am the backend"
 	const backendStatus = 404
@@ -36,6 +42,10 @@ func TestReverseProxy(t *testing.T) {
 			t.Errorf("backend got Host header %q, want %q", g, e)
 		}
 		w.Header().Set("X-Foo", "bar")
+		w.Header().Set("Upgrade", "foo")
+		w.Header().Set(fakeHopHeader, "foo")
+		w.Header().Add("X-Multi-Value", "foo")
+		w.Header().Add("X-Multi-Value", "bar")
 		http.SetCookie(w, &http.Cookie{Name: "flavor", Value: "chocolateChip"})
 		w.WriteHeader(backendStatus)
 		w.Write([]byte(backendResponse))
@@ -64,6 +74,12 @@ func TestReverseProxy(t *testing.T) {
 	if g, e := res.Header.Get("X-Foo"), "bar"; g != e {
 		t.Errorf("got X-Foo %q; expected %q", g, e)
 	}
+	if c := res.Header.Get(fakeHopHeader); c != "" {
+		t.Errorf("got %s header value %q", fakeHopHeader, c)
+	}
+	if g, e := len(res.Header["X-Multi-Value"]), 2; g != e {
+		t.Errorf("got %d X-Multi-Value header values; expected %d", g, e)
+	}
 	if g, e := len(res.Header["Set-Cookie"]), 1; g != e {
 		t.Fatalf("got %d SetCookies, want %d", g, e)
 	}