third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/set-dangerous-headers.html

   1 <html>
   2 <body>
   3 <p>Test that setRequestHeader cannot be used to alter security-sensitive headers.</p>
   4 <pre id=result>FAIL: script didn't run or raised an unexpected exception.</pre>
   5 <script>
   6     if (window.testRunner)
   7         testRunner.dumpAsText();
   8
   9     req = new XMLHttpRequest;
  10     req.open("GET", "resources/print-headers.cgi", false);
  11
  12     req.setRequestHeader("ACCEPT-CHARSET", "foobar");
  13     req.setRequestHeader("ACCEPT-ENCODING", "foobar");
  14     req.setRequestHeader("ACCESS-CONTROL-REQUEST-HEADERS", "foobar");
  15     req.setRequestHeader("ACCESS-CONTROL-REQUEST-METHOD", "foobar");
  16     // AUTHORIZATION is no longer forbidden. See
  17     // https://bugs.webkit.org/show_bug.cgi?id=24957 for more details. Set to
  18     // a value other than the foobar since some http servers (lighttp) do not
  19     // strip this out (Apache does).
  20     req.setRequestHeader("AUTHORIZATION", "baz");
  21     req.setRequestHeader("CONNECTION", "foobar");
  22     req.setRequestHeader("CONTENT-LENGTH", "123456");
  23     req.setRequestHeader("COOKIE", "foobar");
  24     req.setRequestHeader("COOKIE2", "foobar");
  25     req.setRequestHeader("DATE", "foobar");
  26     req.setRequestHeader("DNT", "foobar");
  27     req.setRequestHeader("EXPECT", "100-continue");
  28     req.setRequestHeader("HOST", "foobar");
  29     req.setRequestHeader("KEEP-ALIVE", "foobar");
  30     req.setRequestHeader("ORIGIN", "foobar");
  31     req.setRequestHeader("REFERER", "foobar");
  32     req.setRequestHeader("TE", "foobar");
  33     req.setRequestHeader("TRAILER", "foobar");
  34     req.setRequestHeader("TRANSFER-ENCODING", "foobar");
  35     req.setRequestHeader("UPGRADE", "foobar");
  36     req.setRequestHeader("USER-AGENT", "foobar");
  37     req.setRequestHeader("VIA", "foobar");
  38
  39     req.setRequestHeader("Proxy-", "foobar");
  40     req.setRequestHeader("Proxy-test", "foobar");
  41     req.setRequestHeader("PROXY-FOO", "foobar");
  42
  43     req.setRequestHeader("Sec-", "foobar");
  44     req.setRequestHeader("Sec-test", "foobar");
  45     req.setRequestHeader("SEC-FOO", "foobar");
  46
  47     try {
  48         req.send("");
  49         if (req.responseText.match("100-continue|foobar|123456"))
  50             document.getElementById("result").textContent = req.responseText;
  51         else
  52             document.getElementById("result").textContent = "SUCCESS";
  53     } catch (ex) {
  54         document.getElementById("result").textContent = ex;
  55     }
  56 </script>
  57 </body>
  58 </html>