1 <html> | 1 <html> |
2 <body> | 2 <body> |
3 <p>Test that setRequestHeader cannot be used to alter security-sensitive headers
.</p> | 3 <p>Test that setRequestHeader cannot be used to alter security-sensitive headers
.</p> |
4 <pre id=result>FAIL: script didn't run or raised an unexpected exception.</pre> | 4 <pre id=result>FAIL: script didn't run or raised an unexpected exception.</pre> |
5 <script> | 5 <script> |
6 if (window.testRunner) | 6 if (window.testRunner) |
7 testRunner.dumpAsText(); | 7 testRunner.dumpAsText(); |
8 | 8 |
9 req = new XMLHttpRequest; | 9 req = new XMLHttpRequest; |
10 req.open("GET", "resources/print-headers.cgi", false); | 10 req.open("GET", "resources/print-headers.cgi", false); |
11 | 11 |
12 req.setRequestHeader("ACCEPT-CHARSET", "foobar"); | 12 req.setRequestHeader("ACCEPT-CHARSET", "foobar"); |
13 req.setRequestHeader("ACCEPT-ENCODING", "foobar"); | 13 req.setRequestHeader("ACCEPT-ENCODING", "foobar"); |
14 req.setRequestHeader("ACCESS-CONTROL-REQUEST-HEADERS", "foobar"); | 14 req.setRequestHeader("ACCESS-CONTROL-REQUEST-HEADERS", "foobar"); |
15 req.setRequestHeader("ACCESS-CONTROL-REQUEST-METHOD", "foobar"); | 15 req.setRequestHeader("ACCESS-CONTROL-REQUEST-METHOD", "foobar"); |
16 // AUTHORIZATION is no longer forbidden. See | |
17 // https://bugs.webkit.org/show_bug.cgi?id=24957 for more details. Set to | |
18 // a value other than the foobar since some http servers (lighttp) do not | |
19 // strip this out (Apache does). | |
20 req.setRequestHeader("AUTHORIZATION", "baz"); | |
21 req.setRequestHeader("CONNECTION", "foobar"); | 16 req.setRequestHeader("CONNECTION", "foobar"); |
22 req.setRequestHeader("CONTENT-LENGTH", "123456"); | 17 req.setRequestHeader("CONTENT-LENGTH", "123456"); |
23 req.setRequestHeader("COOKIE", "foobar"); | 18 req.setRequestHeader("COOKIE", "foobar"); |
24 req.setRequestHeader("COOKIE2", "foobar"); | 19 req.setRequestHeader("COOKIE2", "foobar"); |
25 req.setRequestHeader("DATE", "foobar"); | 20 req.setRequestHeader("DATE", "foobar"); |
26 req.setRequestHeader("DNT", "foobar"); | 21 req.setRequestHeader("DNT", "foobar"); |
27 req.setRequestHeader("EXPECT", "100-continue"); | 22 req.setRequestHeader("EXPECT", "100-continue"); |
28 req.setRequestHeader("HOST", "foobar"); | 23 req.setRequestHeader("HOST", "foobar"); |
29 req.setRequestHeader("KEEP-ALIVE", "foobar"); | 24 req.setRequestHeader("KEEP-ALIVE", "foobar"); |
30 req.setRequestHeader("ORIGIN", "foobar"); | 25 req.setRequestHeader("ORIGIN", "foobar"); |
31 req.setRequestHeader("REFERER", "foobar"); | 26 req.setRequestHeader("REFERER", "foobar"); |
32 req.setRequestHeader("TE", "foobar"); | 27 req.setRequestHeader("TE", "foobar"); |
33 req.setRequestHeader("TRAILER", "foobar"); | 28 req.setRequestHeader("TRAILER", "foobar"); |
34 req.setRequestHeader("TRANSFER-ENCODING", "foobar"); | 29 req.setRequestHeader("TRANSFER-ENCODING", "foobar"); |
35 req.setRequestHeader("UPGRADE", "foobar"); | 30 req.setRequestHeader("UPGRADE", "foobar"); |
36 req.setRequestHeader("USER-AGENT", "foobar"); | |
37 req.setRequestHeader("VIA", "foobar"); | 31 req.setRequestHeader("VIA", "foobar"); |
38 | 32 |
39 req.setRequestHeader("Proxy-", "foobar"); | 33 req.setRequestHeader("Proxy-", "foobar"); |
40 req.setRequestHeader("Proxy-test", "foobar"); | 34 req.setRequestHeader("Proxy-test", "foobar"); |
41 req.setRequestHeader("PROXY-FOO", "foobar"); | 35 req.setRequestHeader("PROXY-FOO", "foobar"); |
42 | 36 |
43 req.setRequestHeader("Sec-", "foobar"); | 37 req.setRequestHeader("Sec-", "foobar"); |
44 req.setRequestHeader("Sec-test", "foobar"); | 38 req.setRequestHeader("Sec-test", "foobar"); |
45 req.setRequestHeader("SEC-FOO", "foobar"); | 39 req.setRequestHeader("SEC-FOO", "foobar"); |
46 | 40 |
47 try { | 41 try { |
48 req.send(""); | 42 req.send(); |
49 if (req.responseText.match("100-continue|foobar|123456")) | 43 if (req.responseText.match("100-continue|foobar|123456")) |
50 document.getElementById("result").textContent = req.responseText; | 44 document.getElementById("result").textContent = req.responseText; |
51 else | 45 else |
52 document.getElementById("result").textContent = "SUCCESS"; | 46 document.getElementById("result").textContent = "SUCCESS"; |
53 } catch (ex) { | 47 } catch (ex) { |
54 document.getElementById("result").textContent = ex; | 48 document.getElementById("result").textContent = ex; |
55 } | 49 } |
56 </script> | 50 </script> |
57 </body> | 51 </body> |
58 </html> | 52 </html> |
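Review bot: The NEW side still reports SUCCESS purely from the absence of the forbidden values in responseText (new lines 43–46), so an empty, errored or truncated reply from print-headers.cgi also prints SUCCESS, and the section has no positive control that the header-echo path actually worked; the commit drops the USER-AGENT and AUTHORIZATION cases without adding such a check. Assuming print-headers.cgi echoes every request header it receives, one allowed header with a constructed marker value, `req.setRequestHeader("X-Allowed-Test", "allowed-marker");`, placed before the send, plus a branch that treats its absence as a failure, `else if (!req.responseText.match("allowed-marker")) document.getElementById("result").textContent = "FAIL: allowed header was not echoed";`, would make a silent server failure visible. The deleted USER-AGENT line is presumably removed because that header is no longer forbidden, but unlike the old AUTHORIZATION comment nothing in the new file records the reason; a short note such as `// USER-AGENT and AUTHORIZATION are no longer forbidden request headers and are deliberately not tested here.` above the CONNECTION line would keep the list's intent clear for the next edit. The switch from `send("")` to `send()` is fine for a GET, where the body is ignored.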