Diffstat (limited to 'testing/web-platform/tests/xhr/setrequestheader-header-forbidden.htm')
-rw-r--r--testing/web-platform/tests/xhr/setrequestheader-header-forbidden.htm95
1 files changed, 95 insertions, 0 deletions
diff --git a/testing/web-platform/tests/xhr/setrequestheader-header-forbidden.htm b/testing/web-platform/tests/xhr/setrequestheader-header-forbidden.htm
new file mode 100644
index 0000000000..0b273776bc
--- /dev/null
+++ b/testing/web-platform/tests/xhr/setrequestheader-header-forbidden.htm
@@ -0,0 +1,95 @@
+<!doctype html>
+<html>
+ <head>
+ <title>XMLHttpRequest: setRequestHeader() - headers that are forbidden</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <link rel="help" href="https://xhr.spec.whatwg.org/#the-setrequestheader()-method">
+
+ </head>
+ <body>
+ <div id="log"></div>
+ <script>
+ test(function() {
+ var client = new XMLHttpRequest()
+ client.open("POST", "resources/inspect-headers.py?filter_value=TEST", false)
+ client.setRequestHeader("Accept-Charset", "TEST")
+ client.setRequestHeader("Accept-Encoding", "TEST")
+ client.setRequestHeader("Connection", "TEST")
+ client.setRequestHeader("Content-Length", "TEST")
+ client.setRequestHeader("Cookie", "TEST")
+ client.setRequestHeader("Cookie2", "TEST")
+ client.setRequestHeader("Date", "TEST")
+ client.setRequestHeader("DNT", "TEST")
+ client.setRequestHeader("Expect", "TEST")
+ client.setRequestHeader("Host", "TEST")
+ client.setRequestHeader("Keep-Alive", "TEST")
+ client.setRequestHeader("Referer", "TEST")
+ client.setRequestHeader("TE", "TEST")
+ client.setRequestHeader("Trailer", "TEST")
+ client.setRequestHeader("Transfer-Encoding", "TEST")
+ client.setRequestHeader("Upgrade", "TEST")
+ client.setRequestHeader("Via", "TEST")
+ client.setRequestHeader("Proxy-", "TEST")
+ client.setRequestHeader("Proxy-LIES", "TEST")
+ client.setRequestHeader("Proxy-Authorization", "TEST")
+ client.setRequestHeader("Sec-", "TEST")
+ client.setRequestHeader("Sec-X", "TEST")
+ client.send(null)
+ assert_equals(client.responseText, "")
+ })
+
+ test (function() {
+
+ let forbiddenMethods = [
+ "TRACE",
+ "TRACK",
+ "CONNECT",
+ "trace",
+ "track",
+ "connect",
+ "trace,",
+ "GET,track ",
+ " connect",
+ ];
+
+ let overrideHeaders = [
+ "x-http-method-override",
+ "x-http-method",
+ "x-method-override",
+ "X-HTTP-METHOD-OVERRIDE",
+ "X-HTTP-METHOD",
+ "X-METHOD-OVERRIDE",
+ ];
+
+ for (forbiddenMethod of forbiddenMethods) {
+ for (overrideHeader of overrideHeaders) {
+ var client = new XMLHttpRequest()
+ client.open("POST",
+ `resources/inspect-headers.py?filter_value=${forbiddenMethod}`, false)
+ client.setRequestHeader(overrideHeader, forbiddenMethod)
+ client.send(null)
+ assert_equals(client.responseText, "")
+ }
+ }
+
+ let permittedValues = [
+ "GETTRACE",
+ "GET",
+ "\",TRACE\",",
+ ];
+
+ for (permittedValue of permittedValues) {
+ for (overrideHeader of overrideHeaders) {
+ var client = new XMLHttpRequest()
+ client.open("POST",
+ `resources/inspect-headers.py?filter_name=${overrideHeader}`, false)
+ client.setRequestHeader(overrideHeader, permittedValue)
+ client.send(null)
+ assert_equals(client.responseText, overrideHeader + ": " + permittedValue + "\n")
+ }
+ }
+ })
+ </script>
+ </body>
+</html>
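Review bot: The forbidden-method loop in the second `test()` can pass without proving the override header was blocked, because it asserts only that `client.responseText` is empty and puts the raw method string into `filter_value` unencoded. For the padded entries `"GET,track "` and `" connect"`, URL parsing and header-value normalization may treat the surrounding whitespace differently, so the filter may never match what the server would receive. How `resources/inspect-headers.py` compares values is not visible here, so this is a risk to confirm rather than a proven gap. Filtering by name, as the permitted-value loop already does with `filter_name=${overrideHeader}`, would make the empty-response assertion mean that the header was not sent. Separately, `forbiddenMethod`, `overrideHeader` and `permittedValue` are undeclared and become implicit globals; `for (const forbiddenMethod of forbiddenMethods)` and the same for the other two loops avoids that.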