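<!doctype html>
<html>
<head>
<title>XMLHttpRequest: setRequestHeader() - headers that are forbidden</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<link rel="help" href="https://xhr.spec.whatwg.org/#the-setrequestheader()-method">

</head>
<body>
<div id="log"></div>
<script>
// Header names that setRequestHeader() must silently refuse to set (no
// exception, the header just never reaches the wire): the forbidden request
// header names plus the "Proxy-" and "Sec-" prefixes, including the bare
// prefix itself. The echo endpoint is queried with filter_value=TEST, so an
// empty response body means no header carrying the value "TEST" was sent.
test(function() {
  const client = new XMLHttpRequest();
  client.open("POST", "resources/inspect-headers.py?filter_value=TEST", false);

  const forbiddenHeaders = [
    "Accept-Charset",
    "Accept-Encoding",
    "Connection",
    "Content-Length",
    "Cookie",
    "Cookie2",
    "Date",
    "DNT",
    "Expect",
    "Host",
    "Keep-Alive",
    "Referer",
    "TE",
    "Trailer",
    "Transfer-Encoding",
    "Upgrade",
    "Via",
    "Proxy-",
    "Proxy-LIES",
    "Proxy-Authorization",
    "Sec-",
    "Sec-X",
  ];
  for (const header of forbiddenHeaders) {
    client.setRequestHeader(header, "TEST");
  }

  client.send(null);
  assert_equals(client.responseText, "");
}, "Forbidden request header names are not sent");

// Method-override headers are forbidden only when their value, parsed as a
// comma-separated list, names a forbidden method (TRACE, TRACK or CONNECT,
// matched case-insensitively). Dropping them keeps a script from smuggling a
// method it could not pass to open() through an override header. Any other
// value makes the header an ordinary custom header that must reach the
// server unchanged.
test(function() {
  // Loop variables are declared with const: the previous form leaked them as
  // implicit globals and would throw under strict mode.
  const forbiddenMethods = [
    "TRACE",
    "TRACK",
    "CONNECT",
    "trace",
    "track",
    "connect",
    "trace,",
    "GET,track ",
    " connect",
  ];

  const overrideHeaders = [
    "x-http-method-override",
    "x-http-method",
    "x-method-override",
    "X-HTTP-METHOD-OVERRIDE",
    "X-HTTP-METHOD",
    "X-METHOD-OVERRIDE",
  ];

  // Values naming a forbidden method (including list forms with surrounding
  // whitespace or a trailing comma): the header is dropped, so the echo
  // filtered on that value comes back empty.
  for (const forbiddenMethod of forbiddenMethods) {
    for (const overrideHeader of overrideHeaders) {
      const client = new XMLHttpRequest();
      client.open("POST",
                  `resources/inspect-headers.py?filter_value=${forbiddenMethod}`, false);
      client.setRequestHeader(overrideHeader, forbiddenMethod);
      client.send(null);
      assert_equals(client.responseText, "");
    }
  }

  const permittedValues = [
    "GETTRACE",
    "GET",
    "\",TRACE\",",
  ];

  // Values that do not parse to a forbidden method — a mere substring match,
  // a safe method, and a quoted string — must be forwarded verbatim; the echo
  // filtered on the header name returns "name: value\n".
  for (const permittedValue of permittedValues) {
    for (const overrideHeader of overrideHeaders) {
      const client = new XMLHttpRequest();
      client.open("POST",
                  `resources/inspect-headers.py?filter_name=${overrideHeader}`, false);
      client.setRequestHeader(overrideHeader, permittedValue);
      client.send(null);
      assert_equals(client.responseText, `${overrideHeader}: ${permittedValue}\n`);
    }
  }
}, "Method-override headers naming a forbidden method are not sent");
</script>
</body>
</html>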