3 <p>Test that setRequestHeader cannot be used to alter security-sensitive headers
5 <pre id=result
>FAIL: script didn't run or raised an unexpected exception.
</pre>
8 testRunner
.dumpAsText();
10 if (window
.location
.href
.indexOf("file://") != 0) {
11 document
.getElementById("result").textContent
=
12 "ERROR: Not running from file:// origin.";
14 req
= new XMLHttpRequest
;
15 req
.open("GET", "resources/print-headers.cgi", false);
17 req
.setRequestHeader("ACCEPT-CHARSET", "foobar");
18 req
.setRequestHeader("ACCEPT-ENCODING", "foobar");
19 req
.setRequestHeader("ACCESS-CONTROL-REQUEST-HEADERS", "foobar");
20 req
.setRequestHeader("ACCESS-CONTROL-REQUEST-METHOD", "foobar");
21 // AUTHORIZATION is no longer forbidden. See
22 // https://bugs.webkit.org/show_bug.cgi?id=24957 for more details. Set to
23 // a value other than the foobar since some http servers (lighttp) do not
24 // strip this out (Apache does).
25 req
.setRequestHeader("AUTHORIZATION", "baz");
26 req
.setRequestHeader("CONNECTION", "foobar");
27 req
.setRequestHeader("CONTENT-LENGTH", "123456");
28 req
.setRequestHeader("COOKIE", "foobar");
29 req
.setRequestHeader("COOKIE2", "foobar");
30 req
.setRequestHeader("DATE", "foobar");
31 req
.setRequestHeader("DNT", "foobar");
32 req
.setRequestHeader("EXPECT", "100-continue");
33 req
.setRequestHeader("HOST", "foobar");
34 req
.setRequestHeader("KEEP-ALIVE", "foobar");
35 req
.setRequestHeader("ORIGIN", "foobar");
36 req
.setRequestHeader("REFERER", "foobar");
37 req
.setRequestHeader("TE", "foobar");
38 req
.setRequestHeader("TRAILER", "foobar");
39 req
.setRequestHeader("TRANSFER-ENCODING", "foobar");
40 req
.setRequestHeader("UPGRADE", "foobar");
41 req
.setRequestHeader("USER-AGENT", "foobar");
42 req
.setRequestHeader("VIA", "foobar");
44 req
.setRequestHeader("Proxy-", "foobar");
45 req
.setRequestHeader("Proxy-test", "foobar");
46 req
.setRequestHeader("PROXY-FOO", "foobar");
48 req
.setRequestHeader("Sec-", "foobar");
49 req
.setRequestHeader("Sec-test", "foobar");
50 req
.setRequestHeader("SEC-FOO", "foobar");
54 if (req
.responseText
.match("100-continue|foobar|123456"))
55 document
.getElementById("result").textContent
=
58 document
.getElementById("result").textContent
= "SUCCESS";
60 document
.getElementById("result").textContent
= ex
;