Block all scripts from setting unsafe headers in XMLHttpRequest

LayoutTests/fast/xmlhttprequest/set-dangerous-headers-local.html

Index: LayoutTests/fast/xmlhttprequest/set-dangerous-headers-local.html
diff --git a/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-local.html b/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-local.html
new file mode 100644
index 0000000000000000000000000000000000000000..aad2469a9ed9034a30022b7dade63f553adc7d97
--- /dev/null
+++ b/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-local.html
@@ -0,0 +1,65 @@
+<html>
+<body>
+<p>Test that setRequestHeader cannot be used to alter security-sensitive headers
+for file:// urls.</p>
+<pre id=result>FAIL: script didn't run or raised an unexpected exception.</pre>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    if (window.location.href.indexOf("file://") != 0) {
+        document.getElementById("result").textContent =
+            "ERROR: Not running from file:// origin.";
+    } else {
+        req = new XMLHttpRequest;
+        req.open("GET", "resources/print-headers.cgi", false);
+
+        req.setRequestHeader("ACCEPT-CHARSET", "foobar");
+        req.setRequestHeader("ACCEPT-ENCODING", "foobar");
+        req.setRequestHeader("ACCESS-CONTROL-REQUEST-HEADERS", "foobar");
+        req.setRequestHeader("ACCESS-CONTROL-REQUEST-METHOD", "foobar");
+        // AUTHORIZATION is no longer forbidden. See
+        // https://bugs.webkit.org/show_bug.cgi?id=24957 for more details. Set to
+        // a value other than the foobar since some http servers (lighttp) do not
+        // strip this out (Apache does).
+        req.setRequestHeader("AUTHORIZATION", "baz");
+        req.setRequestHeader("CONNECTION", "foobar");
+        req.setRequestHeader("CONTENT-LENGTH", "123456");
+        req.setRequestHeader("CONTENT-TRANSFER-ENCODING", "foobar");
+        req.setRequestHeader("COOKIE", "foobar");
+        req.setRequestHeader("COOKIE2", "foobar");
+        req.setRequestHeader("DATE", "foobar");
+        req.setRequestHeader("EXPECT", "100-continue");
+        req.setRequestHeader("HOST", "foobar");
+        req.setRequestHeader("KEEP-ALIVE", "foobar");
+        req.setRequestHeader("ORIGIN", "foobar");
+        req.setRequestHeader("REFERER", "foobar");
+        req.setRequestHeader("TE", "foobar");
+        req.setRequestHeader("TRAILER", "foobar");
+        req.setRequestHeader("TRANSFER-ENCODING", "foobar");
+        req.setRequestHeader("UPGRADE", "foobar");
+        req.setRequestHeader("USER-AGENT", "foobar");
+        req.setRequestHeader("VIA", "foobar");
+
+        req.setRequestHeader("Proxy-", "foobar");
+        req.setRequestHeader("Proxy-test", "foobar");
+        req.setRequestHeader("PROXY-FOO", "foobar");
+
+        req.setRequestHeader("Sec-", "foobar");
+        req.setRequestHeader("Sec-test", "foobar");
+        req.setRequestHeader("SEC-FOO", "foobar");
+
+        try {
+            req.send("");
+            if (req.responseText.match("100-continue|foobar|123456"))
+                document.getElementById("result").textContent =
+                    req.responseText;
+            else
+                document.getElementById("result").textContent = "SUCCESS";
+        } catch (ex) {
+            document.getElementById("result").textContent = ex;
+        }
+    }
+</script>
+</body>
+</html>