OLD | NEW |
(Empty) | |
| 1 <html> |
| 2 <body> |
| 3 <p>Test that setRequestHeader cannot be used to alter security-sensitive headers |
| 4 for file:// urls.</p> |
| 5 <pre id=result>FAIL: script didn't run or raised an unexpected exception.</pre> |
| 6 <script> |
| 7 if (window.testRunner) |
| 8 testRunner.dumpAsText(); |
| 9 |
| 10 if (window.location.href.indexOf("file://") != 0) { |
| 11 document.getElementById("result").textContent = |
| 12 "ERROR: Not running from file:// origin."; |
| 13 } else { |
| 14 req = new XMLHttpRequest; |
| 15 req.open("GET", "resources/print-headers.cgi", false); |
| 16 |
| 17 req.setRequestHeader("ACCEPT-CHARSET", "foobar"); |
| 18 req.setRequestHeader("ACCEPT-ENCODING", "foobar"); |
| 19 req.setRequestHeader("ACCESS-CONTROL-REQUEST-HEADERS", "foobar"); |
| 20 req.setRequestHeader("ACCESS-CONTROL-REQUEST-METHOD", "foobar"); |
| 21 // AUTHORIZATION is no longer forbidden. See |
| 22 // https://bugs.webkit.org/show_bug.cgi?id=24957 for more details. Set t
o |
| 23 // a value other than the foobar since some http servers (lighttp) do no
t |
| 24 // strip this out (Apache does). |
| 25 req.setRequestHeader("AUTHORIZATION", "baz"); |
| 26 req.setRequestHeader("CONNECTION", "foobar"); |
| 27 req.setRequestHeader("CONTENT-LENGTH", "123456"); |
| 28 req.setRequestHeader("CONTENT-TRANSFER-ENCODING", "foobar"); |
| 29 req.setRequestHeader("COOKIE", "foobar"); |
| 30 req.setRequestHeader("COOKIE2", "foobar"); |
| 31 req.setRequestHeader("DATE", "foobar"); |
| 32 req.setRequestHeader("EXPECT", "100-continue"); |
| 33 req.setRequestHeader("HOST", "foobar"); |
| 34 req.setRequestHeader("KEEP-ALIVE", "foobar"); |
| 35 req.setRequestHeader("ORIGIN", "foobar"); |
| 36 req.setRequestHeader("REFERER", "foobar"); |
| 37 req.setRequestHeader("TE", "foobar"); |
| 38 req.setRequestHeader("TRAILER", "foobar"); |
| 39 req.setRequestHeader("TRANSFER-ENCODING", "foobar"); |
| 40 req.setRequestHeader("UPGRADE", "foobar"); |
| 41 req.setRequestHeader("USER-AGENT", "foobar"); |
| 42 req.setRequestHeader("VIA", "foobar"); |
| 43 |
| 44 req.setRequestHeader("Proxy-", "foobar"); |
| 45 req.setRequestHeader("Proxy-test", "foobar"); |
| 46 req.setRequestHeader("PROXY-FOO", "foobar"); |
| 47 |
| 48 req.setRequestHeader("Sec-", "foobar"); |
| 49 req.setRequestHeader("Sec-test", "foobar"); |
| 50 req.setRequestHeader("SEC-FOO", "foobar"); |
| 51 |
| 52 try { |
| 53 req.send(""); |
| 54 if (req.responseText.match("100-continue|foobar|123456")) |
| 55 document.getElementById("result").textContent = |
| 56 req.responseText; |
| 57 else |
| 58 document.getElementById("result").textContent = "SUCCESS"; |
| 59 } catch (ex) { |
| 60 document.getElementById("result").textContent = ex; |
| 61 } |
| 62 } |
| 63 </script> |
| 64 </body> |
| 65 </html> |
OLD | NEW |