fix(fetch): reject forbidden HTTP methods CONNECT, TRACE, and TRACK#5203

Open
HiteshShonak wants to merge 3 commits into boa-dev:main from HiteshShonak:fix/request-forbidden-methods

Conversation

@HiteshShonak
Contributor

This Pull Request fixes/closes #5202.

It changes the following:

  • Reject CONNECT, TRACE, and TRACK methods in the Request constructor and throw a TypeError, matching the Fetch Standard.
  • Check is case-insensitive, so connect, trace, track are also rejected.
  • Added regression tests for all three forbidden methods.

Testing:

cargo test -p boa_runtime request -- --nocapture

Spec reference: https://fetch.spec.whatwg.org/#forbidden-method

@HiteshShonak HiteshShonak requested a review from a team as a code owner March 21, 2026 04:37
Copilot AI review requested due to automatic review settings March 21, 2026 04:37
@github-actions github-actions bot added the labels "Waiting On Review" (Waiting on reviews from the maintainers), "C-Tests" (Issues and PRs related to the tests) and "C-Runtime" (Issues and PRs related to Boa's runtime features), then removed "Waiting On Review", Mar 21, 2026
@github-actions github-actions bot added this to the v1.0.0 milestone Mar 21, 2026
Contributor

Copilot AI left a comment

Pull request overview

This PR updates Boa’s Fetch Request implementation to match the Fetch Standard by rejecting forbidden HTTP methods (CONNECT, TRACE, TRACK) in the Request constructor path, and adds regression tests to prevent the behavior from regressing.

Changes:

  • Reject CONNECT/TRACE/TRACK (case-insensitive) in RequestInit::into_request_builder by throwing a TypeError.
  • Add regression tests asserting new Request(..., { method }) throws for each forbidden method.
  • Add indoc usage in request tests for cleaner embedded JS snippets.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File                                     Description
core/runtime/src/fetch/request.rs        Adds forbidden-method validation during request builder construction, returning a TypeError for CONNECT/TRACE/TRACK.
core/runtime/src/fetch/tests/request.rs  Adds new tests ensuring Request construction throws when using forbidden methods.

@github-actions

github-actions bot commented Mar 21, 2026

Test262 conformance changes

Test result    main count    PR count    difference
Total          53,125        53,125      0
Passed         51,049        51,049      0
Ignored        1,482         1,482       0
Failed         594           594         0
Panics         0             0           0
Conformance    96.09%        96.09%      0.00%

Tested main commit: 333f6cbde8a73c87ba05fcbf8131c22c1203b365
Tested PR commit: 8a9c283b7bb015a61cb9ea5797e1b9e52bd2f6d2
Compare commits: 333f6cb...8a9c283

@codecov

codecov bot commented Mar 21, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.70%. Comparing base (6ddc2b4) to head (8a9c283).
⚠️ Report is 943 commits behind head on main.

@@             Coverage Diff             @@
##             main    #5203       +/-   ##
===========================================
+ Coverage   47.24%   59.70%   +12.46%     
===========================================
  Files         476      589      +113     
  Lines       46892    63646    +16754     
===========================================
+ Hits        22154    38003    +15849     
- Misses      24738    25643      +905     


@github-actions github-actions bot added the Waiting On Review Waiting on reviews from the maintainers label Mar 21, 2026
Comment on lines +67 to +79
)?;

if method.eq_ignore_ascii_case("CONNECT")
|| method.eq_ignore_ascii_case("TRACE")
|| method.eq_ignore_ascii_case("TRACK")
{
return Err(js_error!(
TypeError: "'{}' HTTP method is unsupported.",
method
));
}

builder = builder.method(method.as_str());
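Review bot: the check at lines +67 to +79 implements only the forbidden-method half of Fetch step 25.2; nothing in this region validates that `method` is an HTTP method token (the other half of 25.2) or normalizes it (step 25.3) before `builder = builder.method(method.as_str());`, so a lowercase `get` or a string containing a space would be passed through as given unless an earlier step handles it. Suggest either placing that validation and normalization next to this check or adding a comment stating where they happen, with the spec step cited above the `if`. Minor: the Standard calls these methods forbidden, so a message such as "'{}' is a forbidden HTTP method." would match it more closely than "unsupported".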
Member

It might be good to reference the spec steps that are implemented here (https://fetch.spec.whatwg.org/#dom-request):

// 25. If init["[method](https://fetch.spec.whatwg.org/#dom-requestinit-method)"] [exists](https://infra.spec.whatwg.org/#map-exists), then:
//
//     1. Let method be init["[method](https://fetch.spec.whatwg.org/#dom-requestinit-method)"].
//
//     2. If method is not a [method](https://fetch.spec.whatwg.org/#concept-method) or method is a [forbidden method](https://fetch.spec.whatwg.org/#forbidden-method), then [throw](https://webidl.spec.whatwg.org/#dfn-throw) a [TypeError](https://webidl.spec.whatwg.org/#exceptiondef-typeerror).
//
//     3. [Normalize](https://fetch.spec.whatwg.org/#concept-method-normalize) method.
//
//     4. Set request’s [method](https://fetch.spec.whatwg.org/#concept-request-method) to method.
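The method handling from step 25 that the PR description and the spec steps quoted above describe (token check, forbidden-method check, normalization), written here as an added stand-alone example rather than Boa's own code; the `MethodError` enum stands in for the `TypeError` the constructor would throw.

```rust
// Added example (not Boa's code): Fetch step 25 method handling
// (https://fetch.spec.whatwg.org/#dom-request) as a pure function, so the
// three checks can be exercised without a JS engine.

#[derive(Debug, PartialEq, Eq)]
pub enum MethodError {
    /// The string is not a valid HTTP method token (RFC 9110 `token`).
    NotAMethod,
    /// The method is one of the Fetch Standard's forbidden methods.
    Forbidden,
}

/// RFC 9110 `tchar`: the bytes permitted inside a method token.
fn is_tchar(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b"!#$%&'*+-.^_`|~".contains(&b)
}

/// Fetch: a forbidden method is a byte-case-insensitive match for
/// CONNECT, TRACE, or TRACK, so "connect" and "TrAcK" are forbidden too.
pub fn is_forbidden_method(method: &str) -> bool {
    ["CONNECT", "TRACE", "TRACK"]
        .iter()
        .any(|m| method.eq_ignore_ascii_case(m))
}

/// Fetch: normalizing byte-uppercases the method only when it matches one
/// of the six listed methods; anything else ("patch") is kept as given.
pub fn normalize_method(method: &str) -> String {
    const NORMALIZED: [&str; 6] = ["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"];
    if NORMALIZED.iter().any(|m| method.eq_ignore_ascii_case(m)) {
        method.to_ascii_uppercase()
    } else {
        method.to_owned()
    }
}

/// Steps 25.2 and 25.3: reject non-tokens and forbidden methods (the
/// constructor would throw a TypeError here), then normalize the rest.
pub fn validate_and_normalize_method(method: &str) -> Result<String, MethodError> {
    if method.is_empty() || !method.bytes().all(is_tchar) {
        return Err(MethodError::NotAMethod);
    }
    if is_forbidden_method(method) {
        return Err(MethodError::Forbidden);
    }
    Ok(normalize_method(method))
}
```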

Development

Successfully merging this pull request may close these issues.

Request constructor accepts forbidden HTTP methods like CONNECT, TRACE, and TRACK