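<html>
<body>
<p>Test that setRequestHeader cannot be used to alter security-sensitive headers.</p>
<pre id="result">FAIL: script didn't run or raised an unexpected exception.</pre>
<script>
// Purpose: verify that page script cannot set request headers the browser is
// supposed to control itself. Each header below gets a sentinel value; the
// request goes to resources/print-headers.cgi, and the response is searched
// for the sentinels. Any sentinel in the response means a script-supplied
// value reached the server.
//
// Why it matters: if script could set Host, Content-Length, Transfer-Encoding
// or Referer, the server and any intermediary would parse or trust a request
// that the browser did not actually describe.
//
// NOTE(review): the verdict depends on print-headers.cgi echoing the request
// headers it received. That script is not visible from this file; confirm.
//
// NOTE(review): this list does not include other forbidden header names such
// as Connection, Cookie, Origin, or names with the Proxy- and Sec- prefixes.
// Whether another test covers them cannot be told from this file.

// Only present in the test harness; requests a plain-text dump of the page.
if (window.layoutTestController) {
    layoutTestController.dumpAsText();
}

// Names are written in upper case, presumably to exercise case-insensitive
// matching of the blocked names (TODO confirm intent).
var blockedHeaders = [
    ["ACCEPT-CHARSET", "foobar"],
    ["ACCEPT-ENCODING", "foobar"],
    ["CONTENT-LENGTH", "123456"],
    ["EXPECT", "100-continue"],
    ["DATE", "foobar"],
    ["HOST", "foobar"],
    ["KEEP-ALIVE", "foobar"],
    ["REFERER", "foobar"],
    ["TE", "foobar"],
    ["TRAILER", "foobar"],
    ["TRANSFER-ENCODING", "foobar"],
    ["UPGRADE", "foobar"],
    ["VIA", "foobar"]
];

// Declared with var so the request object is not an accidental implicit global.
var req = new XMLHttpRequest();
var result = document.getElementById("result");

// Synchronous request (third argument false): send() returns only once the
// response is complete, so the checks below can run inline.
req.open("GET", "resources/print-headers.cgi", false);
for (var i = 0; i < blockedHeaders.length; i++) {
    req.setRequestHeader(blockedHeaders[i][0], blockedHeaders[i][1]);
}

try {
    req.send("");
    if (req.status != 200) {
        // Without this guard an error page containing no sentinel would be
        // reported as SUCCESS even though no headers were inspected.
        result.textContent = "FAIL: unexpected response status " + req.status;
    } else if (!req.responseText) {
        // An empty body cannot prove the headers were filtered.
        result.textContent = "FAIL: empty response; nothing was verified.";
    } else if (/100-continue|foobar|123456/.test(req.responseText)) {
        // A sentinel came back: show the response so the failure log names
        // the header that got through.
        result.textContent = req.responseText;
    } else {
        result.textContent = "SUCCESS";
    }
} catch (ex) {
    // An exception from send() is reported as text and is not a pass.
    result.textContent = ex;
}
</script>
</body>
</html>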