| <!DOCTYPE html> |
| <html> |
| <body> |
| <p>Test that setRequestHeader() can be used to alter security-sensitive headers in Dashboard compatibility mode. This test PASSED if you do not see any console warnings.</p> |
| <script> |
| if (window.testRunner) |
| testRunner.dumpAsText(); |
| if (window.internals.settings) |
| internals.settings.setUsesDashboardBackwardCompatibilityMode(true); |
| |
| req = new XMLHttpRequest; |
| req.open("GET", "resources/non-existent-file.txt", false); |
| |
| req.setRequestHeader("ACCEPT-CHARSET", "foobar"); |
| req.setRequestHeader("ACCEPT-ENCODING", "foobar"); |
| req.setRequestHeader("ACCESS-CONTROL-REQUEST-HEADERS", "foobar"); |
| req.setRequestHeader("ACCESS-CONTROL-REQUEST-METHOD", "foobar"); |
| // AUTHORIZATION is no longer forbidden. See |
| // https://bugs.webkit.org/show_bug.cgi?id=24957 for more details. Set to |
| // a value other than the foobar since some http servers (lighttp) do not |
| // strip this out (Apache does). |
| req.setRequestHeader("AUTHORIZATION", "baz"); |
| req.setRequestHeader("CONNECTION", "foobar"); |
| req.setRequestHeader("CONTENT-LENGTH", "123456"); |
| req.setRequestHeader("COOKIE", "foobar"); |
| req.setRequestHeader("COOKIE2", "foobar"); |
| req.setRequestHeader("DATE", "foobar"); |
| req.setRequestHeader("DNT", "foobar"); |
| req.setRequestHeader("EXPECT", "100-continue"); |
| req.setRequestHeader("HOST", "foobar"); |
| req.setRequestHeader("KEEP-ALIVE", "foobar"); |
| req.setRequestHeader("ORIGIN", "foobar"); |
| req.setRequestHeader("REFERER", "foobar"); |
| req.setRequestHeader("TE", "foobar"); |
| req.setRequestHeader("TRAILER", "foobar"); |
| req.setRequestHeader("TRANSFER-ENCODING", "foobar"); |
| req.setRequestHeader("UPGRADE", "foobar"); |
| req.setRequestHeader("VIA", "foobar"); |
| |
| req.setRequestHeader("Proxy-", "foobar"); |
| req.setRequestHeader("Proxy-test", "foobar"); |
| req.setRequestHeader("PROXY-FOO", "foobar"); |
| |
| req.setRequestHeader("Sec-", "foobar"); |
| req.setRequestHeader("Sec-test", "foobar"); |
| req.setRequestHeader("SEC-FOO", "foobar"); |
| </script> |
| </body> |
| </html> |