LayoutTests/fast/xmlhttprequest/set-dangerous-headers-from-file-when-setting-enabled.html - WebKit - Git at Google

 <!DOCTYPE html>
 <html>
 <body>
 <p>Test that setRequestHeader() can be used to alter security-sensitive headers when the setting allowSettingAnyXHRHeaderFromFileURLs is enabled. This test PASSED if you do not see any console warnings.</p>
 <script>
     if (window.testRunner)
         testRunner.dumpAsText();
     if (window.internals.settings)
         internals.settings.setAllowSettingAnyXHRHeaderFromFileURLs(true);

     req = new XMLHttpRequest;
     req.open("GET", "resources/non-existent-file.txt", false);

     req.setRequestHeader("ACCEPT-CHARSET", "foobar");
     req.setRequestHeader("ACCEPT-ENCODING", "foobar");
     req.setRequestHeader("ACCESS-CONTROL-REQUEST-HEADERS", "foobar");
     req.setRequestHeader("ACCESS-CONTROL-REQUEST-METHOD", "foobar");
     // AUTHORIZATION is no longer forbidden. See
     // https://bugs.webkit.org/show_bug.cgi?id=24957 for more details. Set to
     // a value other than the foobar since some http servers (lighttp) do not
     // strip this out (Apache does).
     req.setRequestHeader("AUTHORIZATION", "baz");
     req.setRequestHeader("CONNECTION", "foobar");
     req.setRequestHeader("CONTENT-LENGTH", "123456");
     req.setRequestHeader("COOKIE", "foobar");
     req.setRequestHeader("COOKIE2", "foobar");
     req.setRequestHeader("DATE", "foobar");
     req.setRequestHeader("DNT", "foobar");
     req.setRequestHeader("EXPECT", "100-continue");
     req.setRequestHeader("HOST", "foobar");
     req.setRequestHeader("KEEP-ALIVE", "foobar");
     req.setRequestHeader("ORIGIN", "foobar");
     req.setRequestHeader("REFERER", "foobar");
     req.setRequestHeader("TE", "foobar");
     req.setRequestHeader("TRAILER", "foobar");
     req.setRequestHeader("TRANSFER-ENCODING", "foobar");
     req.setRequestHeader("UPGRADE", "foobar");
     req.setRequestHeader("VIA", "foobar");

     req.setRequestHeader("Proxy-", "foobar");
     req.setRequestHeader("Proxy-test", "foobar");
     req.setRequestHeader("PROXY-FOO", "foobar");

     req.setRequestHeader("Sec-", "foobar");
     req.setRequestHeader("Sec-test", "foobar");
     req.setRequestHeader("SEC-FOO", "foobar");
 </script>
 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<body>
	<p>Test that setRequestHeader() can be used to alter security-sensitive headers when the setting allowSettingAnyXHRHeaderFromFileURLs is enabled. This test PASSED if you do not see any console warnings.</p>
	<script>
	if (window.testRunner)
	testRunner.dumpAsText();
	if (window.internals.settings)
	internals.settings.setAllowSettingAnyXHRHeaderFromFileURLs(true);

	req = new XMLHttpRequest;
	req.open("GET", "resources/non-existent-file.txt", false);

	req.setRequestHeader("ACCEPT-CHARSET", "foobar");
	req.setRequestHeader("ACCEPT-ENCODING", "foobar");
	req.setRequestHeader("ACCESS-CONTROL-REQUEST-HEADERS", "foobar");
	req.setRequestHeader("ACCESS-CONTROL-REQUEST-METHOD", "foobar");
	// AUTHORIZATION is no longer forbidden. See
	// https://bugs.webkit.org/show_bug.cgi?id=24957 for more details. Set to
	// a value other than the foobar since some http servers (lighttp) do not
	// strip this out (Apache does).
	req.setRequestHeader("AUTHORIZATION", "baz");
	req.setRequestHeader("CONNECTION", "foobar");
	req.setRequestHeader("CONTENT-LENGTH", "123456");
	req.setRequestHeader("COOKIE", "foobar");
	req.setRequestHeader("COOKIE2", "foobar");
	req.setRequestHeader("DATE", "foobar");
	req.setRequestHeader("DNT", "foobar");
	req.setRequestHeader("EXPECT", "100-continue");
	req.setRequestHeader("HOST", "foobar");
	req.setRequestHeader("KEEP-ALIVE", "foobar");
	req.setRequestHeader("ORIGIN", "foobar");
	req.setRequestHeader("REFERER", "foobar");
	req.setRequestHeader("TE", "foobar");
	req.setRequestHeader("TRAILER", "foobar");
	req.setRequestHeader("TRANSFER-ENCODING", "foobar");
	req.setRequestHeader("UPGRADE", "foobar");
	req.setRequestHeader("VIA", "foobar");

	req.setRequestHeader("Proxy-", "foobar");
	req.setRequestHeader("Proxy-test", "foobar");
	req.setRequestHeader("PROXY-FOO", "foobar");

	req.setRequestHeader("Sec-", "foobar");
	req.setRequestHeader("Sec-test", "foobar");
	req.setRequestHeader("SEC-FOO", "foobar");
	</script>
	</body>
	</html>