Index: LayoutTests/fast/xmlhttprequest/set-dangerous-headers-local.html |
diff --git a/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-local.html b/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-local.html |
new file mode 100644 |
index 0000000000000000000000000000000000000000..aad2469a9ed9034a30022b7dade63f553adc7d97 |
--- /dev/null |
+++ b/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-local.html |
@@ -0,0 +1,65 @@ |
+<html> |
+<body> |
+<p>Test that setRequestHeader cannot be used to alter security-sensitive headers |
+for file:// urls.</p> |
+<pre id=result>FAIL: script didn't run or raised an unexpected exception.</pre> |
+<script> |
+ if (window.testRunner) |
+ testRunner.dumpAsText(); |
+ |
+ if (window.location.href.indexOf("file://") != 0) { |
+ document.getElementById("result").textContent = |
+ "ERROR: Not running from file:// origin."; |
+ } else { |
+ req = new XMLHttpRequest; |
+ req.open("GET", "resources/print-headers.cgi", false); |
+ |
+ req.setRequestHeader("ACCEPT-CHARSET", "foobar"); |
+ req.setRequestHeader("ACCEPT-ENCODING", "foobar"); |
+ req.setRequestHeader("ACCESS-CONTROL-REQUEST-HEADERS", "foobar"); |
+ req.setRequestHeader("ACCESS-CONTROL-REQUEST-METHOD", "foobar"); |
+ // AUTHORIZATION is no longer forbidden. See |
+ // https://bugs.webkit.org/show_bug.cgi?id=24957 for more details. Set to |
+ // a value other than the foobar since some http servers (lighttp) do not |
+ // strip this out (Apache does). |
+ req.setRequestHeader("AUTHORIZATION", "baz"); |
+ req.setRequestHeader("CONNECTION", "foobar"); |
+ req.setRequestHeader("CONTENT-LENGTH", "123456"); |
+ req.setRequestHeader("CONTENT-TRANSFER-ENCODING", "foobar"); |
+ req.setRequestHeader("COOKIE", "foobar"); |
+ req.setRequestHeader("COOKIE2", "foobar"); |
+ req.setRequestHeader("DATE", "foobar"); |
+ req.setRequestHeader("EXPECT", "100-continue"); |
+ req.setRequestHeader("HOST", "foobar"); |
+ req.setRequestHeader("KEEP-ALIVE", "foobar"); |
+ req.setRequestHeader("ORIGIN", "foobar"); |
+ req.setRequestHeader("REFERER", "foobar"); |
+ req.setRequestHeader("TE", "foobar"); |
+ req.setRequestHeader("TRAILER", "foobar"); |
+ req.setRequestHeader("TRANSFER-ENCODING", "foobar"); |
+ req.setRequestHeader("UPGRADE", "foobar"); |
+ req.setRequestHeader("USER-AGENT", "foobar"); |
+ req.setRequestHeader("VIA", "foobar"); |
+ |
+ req.setRequestHeader("Proxy-", "foobar"); |
+ req.setRequestHeader("Proxy-test", "foobar"); |
+ req.setRequestHeader("PROXY-FOO", "foobar"); |
+ |
+ req.setRequestHeader("Sec-", "foobar"); |
+ req.setRequestHeader("Sec-test", "foobar"); |
+ req.setRequestHeader("SEC-FOO", "foobar"); |
+ |
+ try { |
+ req.send(""); |
+ if (req.responseText.match("100-continue|foobar|123456")) |
+ document.getElementById("result").textContent = |
+ req.responseText; |
+ else |
+ document.getElementById("result").textContent = "SUCCESS"; |
+ } catch (ex) { |
+ document.getElementById("result").textContent = ex; |
+ } |
+ } |
+</script> |
+</body> |
+</html> |
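Review bot: The SUCCESS branch in the `else` after the `match` call is reached for any response that merely lacks the three marker strings, including an empty body or a CGI source file returned verbatim under file://, so a pass does not show that print-headers.cgi actually echoed the request headers. Guarding that branch with a check on the response itself, e.g. `else if (!req.responseText.length) document.getElementById("result").textContent = "FAIL: empty response";` placed before the SUCCESS assignment, would make the verdict depend on the output the test is meant to inspect; what print-headers.cgi emits is not visible here, so the exact marker to require is unclear. Note also that the AUTHORIZATION value "baz" is intentionally outside the regex, which is consistent with the comment above it, but a reader may want that stated next to the `match` line, e.g. `// "baz" is absent on purpose: Authorization is allowed to reach the server.` Minor: `req` is assigned without `var` and becomes an implicit global; `var req = new XMLHttpRequest;` keeps the test self-contained.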