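<!DOCTYPE html>
<html>
<body>
<!--
  Layout test: with the allowSettingAnyXHRHeaderFromFileURLs setting enabled,
  setRequestHeader() must accept header names that it would otherwise refuse.
  The paragraph below is part of the dumped text output, so its wording must
  stay as it is.
-->
<p>Test that setRequestHeader() can be used to alter security-sensitive headers when the setting allowSettingAnyXHRHeaderFromFileURLs is enabled. This test PASSED if you do not see any console warnings.</p>
<script>
// Harness hook: dump the page as text so console warnings show up in the result.
if (window.testRunner)
    testRunner.dumpAsText();

// Check window.internals before dereferencing it. Reading
// window.internals.settings directly throws a TypeError when the page is
// opened outside the test harness, which aborts the script before any
// setRequestHeader() call runs.
// NOTE(review): without this hook the setting presumably stays off, so the
// calls below would be refused and logged; confirm against the expected result.
if (window.internals && internals.settings)
    internals.settings.setAllowSettingAnyXHRHeaderFromFileURLs(true);

// Declared explicitly instead of leaking an implicit global.
var req = new XMLHttpRequest();

// Synchronous open; no send() follows, so only the acceptance of the header
// names by setRequestHeader() is exercised and nothing goes on the wire.
req.open("GET", "resources/non-existent-file.txt", false);

// Header names that the XHR/Fetch forbidden-header list reserves for the user
// agent. Script control over them is normally refused because they carry
// framing, origin and credential information (Host, Origin, Referer, Cookie,
// Content-Length, Transfer-Encoding, ...). The setting named above lifts that
// refusal; per its name it applies to file: URLs only.
// NOTE(review): keep it limited to trusted local content in any embedder that
// exposes it; nothing on this page shows where else it can be turned on.
req.setRequestHeader("ACCEPT-CHARSET", "foobar");
req.setRequestHeader("ACCEPT-ENCODING", "foobar");
req.setRequestHeader("ACCESS-CONTROL-REQUEST-HEADERS", "foobar");
req.setRequestHeader("ACCESS-CONTROL-REQUEST-METHOD", "foobar");
// AUTHORIZATION is no longer forbidden. See
// https://bugs.webkit.org/show_bug.cgi?id=24957 for more details. It is set to
// a value other than "foobar" because some HTTP servers (lighttpd) do not
// strip this header out (Apache does).
req.setRequestHeader("AUTHORIZATION", "baz");
req.setRequestHeader("CONNECTION", "foobar");
req.setRequestHeader("CONTENT-LENGTH", "123456");
req.setRequestHeader("COOKIE", "foobar");
req.setRequestHeader("COOKIE2", "foobar");
req.setRequestHeader("DATE", "foobar");
req.setRequestHeader("DNT", "foobar");
req.setRequestHeader("EXPECT", "100-continue");
req.setRequestHeader("HOST", "foobar");
req.setRequestHeader("KEEP-ALIVE", "foobar");
req.setRequestHeader("ORIGIN", "foobar");
req.setRequestHeader("REFERER", "foobar");
req.setRequestHeader("TE", "foobar");
req.setRequestHeader("TRAILER", "foobar");
req.setRequestHeader("TRANSFER-ENCODING", "foobar");
req.setRequestHeader("UPGRADE", "foobar");
req.setRequestHeader("VIA", "foobar");

// The "Proxy-" prefix is reserved as a whole: the bare prefix, a lower-case
// suffix and an upper-case spelling are each tried.
req.setRequestHeader("Proxy-", "foobar");
req.setRequestHeader("Proxy-test", "foobar");
req.setRequestHeader("PROXY-FOO", "foobar");

// Same three spellings for the reserved "Sec-" prefix.
req.setRequestHeader("Sec-", "foobar");
req.setRequestHeader("Sec-test", "foobar");
req.setRequestHeader("SEC-FOO", "foobar");
</script>
</body>
</html>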