XMLHttpRequest.setRequestHeader() should allow Content-Transfer-Encoding header;...
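<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>setRequestHeader() must not alter security-sensitive request headers</title>
</head>
<body>
<p>Test that setRequestHeader cannot be used to alter security-sensitive headers.</p>
<pre id="result">FAIL: script didn't run or raised an unexpected exception.</pre>
<script>
    // Each forbidden header below is set to a distinctive probe value and the
    // request is sent to a script that echoes back the headers it received.
    // If any probe value shows up in the echoed headers, a forbidden header
    // reached the network and the test reports the offending response.
    if (window.testRunner)
        testRunner.dumpAsText();

    // Declared with var so the request object is not an implicit global.
    var req = new XMLHttpRequest;
    req.open("GET", "resources/print-headers.cgi", false);

    req.setRequestHeader("ACCEPT-CHARSET", "foobar");
    req.setRequestHeader("ACCEPT-ENCODING", "foobar");
    req.setRequestHeader("ACCESS-CONTROL-REQUEST-HEADERS", "foobar");
    req.setRequestHeader("ACCESS-CONTROL-REQUEST-METHOD", "foobar");
    // AUTHORIZATION is no longer forbidden. See
    // https://bugs.webkit.org/show_bug.cgi?id=24957 for more details. Set to
    // a value other than the foobar since some http servers (lighttp) do not
    // strip this out (Apache does). Because the value is "baz", this header
    // is deliberately excluded from the probe match below.
    req.setRequestHeader("AUTHORIZATION", "baz");
    req.setRequestHeader("CONNECTION", "foobar");
    req.setRequestHeader("CONTENT-LENGTH", "123456");
    req.setRequestHeader("COOKIE", "foobar");
    req.setRequestHeader("COOKIE2", "foobar");
    req.setRequestHeader("DATE", "foobar");
    req.setRequestHeader("DNT", "foobar");
    req.setRequestHeader("EXPECT", "100-continue");
    req.setRequestHeader("HOST", "foobar");
    req.setRequestHeader("KEEP-ALIVE", "foobar");
    req.setRequestHeader("ORIGIN", "foobar");
    req.setRequestHeader("REFERER", "foobar");
    req.setRequestHeader("TE", "foobar");
    req.setRequestHeader("TRAILER", "foobar");
    req.setRequestHeader("TRANSFER-ENCODING", "foobar");
    req.setRequestHeader("UPGRADE", "foobar");
    req.setRequestHeader("VIA", "foobar");
    // Content-Transfer-Encoding is not a forbidden header and so is not
    // probed here.

    // The Proxy- and Sec- prefixes are forbidden as a whole, including the
    // bare prefix and mixed-case spellings.
    req.setRequestHeader("Proxy-", "foobar");
    req.setRequestHeader("Proxy-test", "foobar");
    req.setRequestHeader("PROXY-FOO", "foobar");

    req.setRequestHeader("Sec-", "foobar");
    req.setRequestHeader("Sec-test", "foobar");
    req.setRequestHeader("SEC-FOO", "foobar");

    try {
        req.send("");
        // Any of the three probe values in the echoed headers means a
        // forbidden header was transmitted; show the raw response so the
        // failing header is visible in the test output.
        if (req.responseText.match("100-continue|foobar|123456"))
            document.getElementById("result").textContent = req.responseText;
        else
            document.getElementById("result").textContent = "SUCCESS";
    } catch (ex) {
        document.getElementById("result").textContent = ex;
    }
</script>
</body>
</html>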