Codebase Browser
chromium
Go to App

chromium/third_party/blink/web_tests/http/tests/xmlhttprequest/set-dangerous-headers.html 

<html>
<body>
<p>Test that setRequestHeader cannot be used to alter security-sensitive headers.</p>
<pre id=result>FAIL: script didn't run or raised an unexpected exception.</pre>
<script>
    if (window.testRunner)
        testRunner.dumpAsText();
    
    req = new XMLHttpRequest;
    req.open("GET", "resources/print-headers.cgi", false);

    req.setRequestHeader("ACCEPT-CHARSET", "foobar");
    req.setRequestHeader("ACCEPT-ENCODING", "foobar");
    req.setRequestHeader("ACCESS-CONTROL-REQUEST-HEADERS", "foobar");
    req.setRequestHeader("ACCESS-CONTROL-REQUEST-METHOD", "foobar");
    req.setRequestHeader("ACCESS-CONTROL-REQUEST-PRIVATE-NETWORK", "true");
    // AUTHORIZATION is no longer forbidden. See
    // https://bugs.webkit.org/show_bug.cgi?id=24957 for more details. Set to
    // a value other than the foobar since some http servers (lighttp) do not
    // strip this out (Apache does).
    req.setRequestHeader("AUTHORIZATION", "baz");
    req.setRequestHeader("CONNECTION", "foobar");
    req.setRequestHeader("CONTENT-LENGTH", "123456");
    req.setRequestHeader("COOKIE", "foobar");
    req.setRequestHeader("COOKIE2", "foobar");
    req.setRequestHeader("DATE", "foobar");
    req.setRequestHeader("DNT", "foobar");
    req.setRequestHeader("EXPECT", "100-continue");
    req.setRequestHeader("HOST", "foobar");
    req.setRequestHeader("KEEP-ALIVE", "foobar");
    req.setRequestHeader("ORIGIN", "foobar");
    req.setRequestHeader("REFERER", "foobar");
    req.setRequestHeader("TE", "foobar");
    req.setRequestHeader("TRAILER", "foobar");
    req.setRequestHeader("TRANSFER-ENCODING", "foobar");
    req.setRequestHeader("UPGRADE", "foobar");
    req.setRequestHeader("USER-AGENT", "foobar");
    req.setRequestHeader("VIA", "foobar");

    req.setRequestHeader("Proxy-", "foobar");
    req.setRequestHeader("Proxy-test", "foobar");
    req.setRequestHeader("PROXY-FOO", "foobar");

    req.setRequestHeader("Sec-", "foobar");
    req.setRequestHeader("Sec-test", "foobar");
    req.setRequestHeader("SEC-FOO", "foobar");

    try {
        req.send("");
        if (req.responseText.match("100-continue|foobar|123456"))
            document.getElementById("result").textContent = req.responseText;
        else
            document.getElementById("result").textContent = "SUCCESS";
    } catch (ex) {
        document.getElementById("result").textContent = ex;
    }
</script>
</body>
</html>