Preserve browser capability headers in Apps Script relay

Code.gs

@@ -18,9 +18,12 @@
 
 const AUTH_KEY = "CHANGE_ME_TO_A_STRONG_SECRET";
 
+// Keep browser capability headers (sec-ch-ua*, sec-fetch-*) intact.
+// Some modern apps, notably Google Meet, use them for browser gating.
 const SKIP_HEADERS = {
   host: 1, connection: 1, "content-length": 1,
   "transfer-encoding": 1, "proxy-connection": 1, "proxy-authorization": 1,
+  "priority": 1, te: 1,
 };
 
 function doPost(e) {
@@ -46,7 +49,7 @@ function _doSingle(req) {
   var resp = UrlFetchApp.fetch(req.u, opts);
   return _json({
     s: resp.getResponseCode(),
-    h: resp.getHeaders(),
+    h: _respHeaders(resp),
     b: Utilities.base64Encode(resp.getContent()),
   });
 }
@@ -81,7 +84,7 @@ function _doBatch(items) {
       var resp = responses[rIdx++];
       results.push({
         s: resp.getResponseCode(),
-        h: resp.getHeaders(),
+        h: _respHeaders(resp),
         b: Utilities.base64Encode(resp.getContent()),
       });
     }
@@ -95,6 +98,7 @@ function _buildOpts(req) {
     muteHttpExceptions: true,
     followRedirects: req.r !== false,
     validateHttpsCertificates: true,
+    escaping: false,
   };
   if (req.h && typeof req.h === "object") {
     var headers = {};
@@ -112,6 +116,15 @@ function _buildOpts(req) {
   return opts;
 }
 
+function _respHeaders(resp) {
+  try {
+    if (typeof resp.getAllHeaders === "function") {
+      return resp.getAllHeaders();
+    }
+  } catch (err) {}
+  return resp.getHeaders();
+}
+
 function doGet(e) {
   return HtmlService.createHtmlOutput(
     "<!DOCTYPE html><html><head><title>My App</title></head>" +