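// META: global=window,worker
// META: script=../resources/utils.js

/**
 * Registers a promise_test asserting that every header in `validHeaders`
 * reaches the server unchanged.
 *
 * The request goes to inspect-headers.py with the header names joined by "|"
 * in the `headers` query parameter; the server echoes each requested header
 * back as `x-request-<name>`, and the test asserts that the echoed value is
 * exactly the value that was sent.
 *
 * Positive counterpart of requestForbiddenHeaders, which is not defined in
 * this file (presumably supplied by the META script or the harness) and is
 * used below for header names / values a script must NOT be able to set.
 *
 * @param {string} desc - test description passed to promise_test
 * @param {Object<string, string>} validHeaders - header name -> value pairs
 *   that are allowed to reach the server
 */
function requestValidOverrideHeaders(desc, validHeaders) {
  const url = RESOURCES_DIR + "inspect-headers.py";
  const requestInit = { "headers": validHeaders };
  const urlParameters = "?headers=" + Object.keys(validHeaders).join("|");

  promise_test(function (test) {
    return fetch(url + urlParameters, requestInit).then(function (resp) {
      assert_equals(resp.status, 200, "HTTP status is 200");
      assert_equals(resp.type, "basic", "Response's type is basic");
      for (const [header, value] of Object.entries(validHeaders)) {
        assert_equals(resp.headers.get("x-request-" + header), value,
                      header + " is not skipped for non-forbidden methods");
      }
    });
  }, desc);
}

// Header names on the forbidden request-header list (Fetch standard): a
// script-supplied value must never reach the server. Each case sends one
// header whose value would matter if a page could control it (ambient
// credentials via Cookie, routing via Host/Connection/Upgrade, Origin/Referer
// spoofing, message framing via Content-Length/Transfer-Encoding).
requestForbiddenHeaders("Accept-Charset is a forbidden request header", {"Accept-Charset": "utf-8"});
requestForbiddenHeaders("Accept-Encoding is a forbidden request header", {"Accept-Encoding": ""});

requestForbiddenHeaders("Access-Control-Request-Headers is a forbidden request header", {"Access-Control-Request-Headers": ""});
requestForbiddenHeaders("Access-Control-Request-Method is a forbidden request header", {"Access-Control-Request-Method": ""});
requestForbiddenHeaders("Connection is a forbidden request header", {"Connection": "close"});
requestForbiddenHeaders("Content-Length is a forbidden request header", {"Content-Length": "42"});
requestForbiddenHeaders("Cookie is a forbidden request header", {"Cookie": "cookie=none"});
requestForbiddenHeaders("Cookie2 is a forbidden request header", {"Cookie2": "cookie2=none"});
requestForbiddenHeaders("Date is a forbidden request header", {"Date": "Wed, 04 May 1988 22:22:22 GMT"});
requestForbiddenHeaders("DNT is a forbidden request header", {"DNT": "4"});
requestForbiddenHeaders("Expect is a forbidden request header", {"Expect": "100-continue"});
requestForbiddenHeaders("Host is a forbidden request header", {"Host": "http://wrong-host.com"});
requestForbiddenHeaders("Keep-Alive is a forbidden request header", {"Keep-Alive": "timeout=15"});
requestForbiddenHeaders("Origin is a forbidden request header", {"Origin": "http://wrong-origin.com"});
requestForbiddenHeaders("Referer is a forbidden request header", {"Referer": "http://wrong-referer.com"});
requestForbiddenHeaders("TE is a forbidden request header", {"TE": "trailers"});
requestForbiddenHeaders("Trailer is a forbidden request header", {"Trailer": "Accept"});
requestForbiddenHeaders("Transfer-Encoding is a forbidden request header", {"Transfer-Encoding": "chunked"});
requestForbiddenHeaders("Upgrade is a forbidden request header", {"Upgrade": "HTTP/2.0"});
requestForbiddenHeaders("Via is a forbidden request header", {"Via": "1.1 nowhere.com"});

// `Proxy-` and `Sec-` are forbidden as name prefixes: both the bare prefix and
// a prefixed name are exercised.
requestForbiddenHeaders("Proxy- is a forbidden request header", {"Proxy-": "value"});
requestForbiddenHeaders("Proxy-Test is a forbidden request header", {"Proxy-Test": "value"});
requestForbiddenHeaders("Sec- is a forbidden request header", {"Sec-": "value"});
requestForbiddenHeaders("Sec-Test is a forbidden request header", {"Sec-Test": "value"});

// Method-override headers must not be usable to smuggle a forbidden method
// (TRACE / TRACK / CONNECT) past the method check. The values cover case
// variants plus values that embed a forbidden method inside a comma-separated
// list or behind surrounding whitespace.
const forbiddenMethods = [
  "TRACE",
  "TRACK",
  "CONNECT",
  "trace",
  "track",
  "connect",
  "trace,",
  "GET,track ",
  " connect",
];

// Header names (in varying case) that some server frameworks treat as a
// method override.
const overrideHeaders = [
  "x-http-method-override",
  "x-http-method",
  "x-method-override",
  "X-HTTP-METHOD-OVERRIDE",
  "X-HTTP-METHOD",
  "X-METHOD-OVERRIDE",
];

// `const` keeps the loop variables block-scoped instead of leaking them as
// implicit globals.
for (const forbiddenMethod of forbiddenMethods) {
  for (const overrideHeader of overrideHeaders) {
    requestForbiddenHeaders(`header ${overrideHeader} is forbidden to use value ${forbiddenMethod}`,
                            {[overrideHeader]: forbiddenMethod});
  }
}

// Values that merely contain or resemble a forbidden method token, without
// being one after list-splitting, must still be allowed through.
const permittedValues = [
  "GETTRACE",
  "GET",
  "\",TRACE\",",
];

for (const permittedValue of permittedValues) {
  for (const overrideHeader of overrideHeaders) {
    requestValidOverrideHeaders(`header ${overrideHeader} is allowed to use value ${permittedValue}`,
                                {[overrideHeader]: permittedValue});
  }
}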