TestHarness: Allowed Request Headers by XHR

Checks, using testharness.js, which forbidden request-header names (plus the Proxy-/Sec- prefixes) XMLHttpRequest.setRequestHeader() refuses to send: each name is set on a synchronous XHR to an echo endpoint and the test asserts it never arrives. Note that despite the title a PASS means the header was NOT allowed; a FAIL means script in that browser can set it.

By
skeptic_fx
Tags
xhr testharness

Results


Tested on
Chrome - 60 - Mac OS X
Result | Test Name | Message
PASSHeader: "accept-charset" should not be allowed
PASSHeader: "accept-encoding" should not be allowed
PASSHeader: "access-control-request-headers" should not be allowed
PASSHeader: "access-control-request-method" should not be allowed
PASSHeader: "connection" should not be allowed
PASSHeader: "content-length" should not be allowed
PASSHeader: "cookie" should not be allowed
PASSHeader: "cookie2" should not be allowed
PASSHeader: "date" should not be allowed
PASSHeader: "dnt" should not be allowed
PASSHeader: "expect" should not be allowed
PASSHeader: "host" should not be allowed
PASSHeader: "keep-alive" should not be allowed
PASSHeader: "origin" should not be allowed
PASSHeader: "referer" should not be allowed
PASSHeader: "te" should not be allowed
PASSHeader: "trailer" should not be allowed
PASSHeader: "transfer-encoding" should not be allowed
PASSHeader: "upgrade" should not be allowed
PASSHeader: "user-agent" should not be allowed
PASSHeader: "via" should not be allowed
PASSHeader: "proxy-" should not be allowed
PASSHeader: "proxy-xyz" should not be allowed
PASSHeader: "sec-" should not be allowed
PASSHeader: "sec-xyz" should not be allowed

Tested on
Chrome Mobile - 41 - Android
Result | Test Name | Message
PASSHeader: "accept-charset" should not be allowed
PASSHeader: "accept-encoding" should not be allowed
PASSHeader: "access-control-request-headers" should not be allowed
PASSHeader: "access-control-request-method" should not be allowed
PASSHeader: "connection" should not be allowed
PASSHeader: "content-length" should not be allowed
PASSHeader: "cookie" should not be allowed
PASSHeader: "cookie2" should not be allowed
PASSHeader: "date" should not be allowed
PASSHeader: "dnt" should not be allowed
PASSHeader: "expect" should not be allowed
PASSHeader: "host" should not be allowed
PASSHeader: "keep-alive" should not be allowed
PASSHeader: "origin" should not be allowed
PASSHeader: "referer" should not be allowed
PASSHeader: "te" should not be allowed
PASSHeader: "trailer" should not be allowed
PASSHeader: "transfer-encoding" should not be allowed
PASSHeader: "upgrade" should not be allowed
PASSHeader: "user-agent" should not be allowed
PASSHeader: "via" should not be allowed
PASSHeader: "proxy-" should not be allowed
PASSHeader: "proxy-xyz" should not be allowed
PASSHeader: "sec-" should not be allowed
PASSHeader: "sec-xyz" should not be allowed

Tested on
Chromium - 45 - Ubuntu
Result | Test Name | Message
PASSHeader: "accept-charset" should not be allowed
PASSHeader: "accept-encoding" should not be allowed
PASSHeader: "access-control-request-headers" should not be allowed
PASSHeader: "access-control-request-method" should not be allowed
PASSHeader: "connection" should not be allowed
PASSHeader: "content-length" should not be allowed
PASSHeader: "cookie" should not be allowed
PASSHeader: "cookie2" should not be allowed
PASSHeader: "date" should not be allowed
PASSHeader: "dnt" should not be allowed
PASSHeader: "expect" should not be allowed
PASSHeader: "host" should not be allowed
PASSHeader: "keep-alive" should not be allowed
PASSHeader: "origin" should not be allowed
PASSHeader: "referer" should not be allowed
PASSHeader: "te" should not be allowed
PASSHeader: "trailer" should not be allowed
PASSHeader: "transfer-encoding" should not be allowed
PASSHeader: "upgrade" should not be allowed
PASSHeader: "user-agent" should not be allowed
PASSHeader: "via" should not be allowed
PASSHeader: "proxy-" should not be allowed
PASSHeader: "proxy-xyz" should not be allowed
PASSHeader: "sec-" should not be allowed
PASSHeader: "sec-xyz" should not be allowed

Tested on
Firefox - 57 - Windows 7
Result | Test Name | Message
PASSHeader: "accept-charset" should not be allowed
PASSHeader: "accept-encoding" should not be allowed
PASSHeader: "access-control-request-headers" should not be allowed
PASSHeader: "access-control-request-method" should not be allowed
PASSHeader: "connection" should not be allowed
PASSHeader: "content-length" should not be allowed
PASSHeader: "cookie" should not be allowed
PASSHeader: "cookie2" should not be allowed
PASSHeader: "date" should not be allowed
PASSHeader: "dnt" should not be allowed
PASSHeader: "expect" should not be allowed
PASSHeader: "host" should not be allowed
PASSHeader: "keep-alive" should not be allowed
PASSHeader: "origin" should not be allowed
PASSHeader: "referer" should not be allowed
PASSHeader: "te" should not be allowed
PASSHeader: "trailer" should not be allowed
PASSHeader: "transfer-encoding" should not be allowed
PASSHeader: "upgrade" should not be allowed
FAILHeader: "user-agent" should not be allowedassert_false: Header 'user-agent' was allowed expected false got true
PASSHeader: "via" should not be allowed
PASSHeader: "proxy-" should not be allowed
PASSHeader: "proxy-xyz" should not be allowed
PASSHeader: "sec-" should not be allowed
PASSHeader: "sec-xyz" should not be allowed

Tested on
Googlebot - 2.1 - undefined
Result | Test Name | Message
PASSHeader: "accept-charset" should not be allowed
PASSHeader: "accept-encoding" should not be allowed
PASSHeader: "access-control-request-headers" should not be allowed
PASSHeader: "access-control-request-method" should not be allowed
PASSHeader: "connection" should not be allowed
PASSHeader: "content-length" should not be allowed
PASSHeader: "cookie" should not be allowed
PASSHeader: "cookie2" should not be allowed
PASSHeader: "date" should not be allowed
PASSHeader: "dnt" should not be allowed
PASSHeader: "expect" should not be allowed
PASSHeader: "host" should not be allowed
PASSHeader: "keep-alive" should not be allowed
PASSHeader: "origin" should not be allowed
PASSHeader: "referer" should not be allowed
PASSHeader: "te" should not be allowed
PASSHeader: "trailer" should not be allowed
PASSHeader: "transfer-encoding" should not be allowed
PASSHeader: "upgrade" should not be allowed
PASSHeader: "user-agent" should not be allowed
PASSHeader: "via" should not be allowed
PASSHeader: "proxy-" should not be allowed
PASSHeader: "proxy-xyz" should not be allowed
PASSHeader: "sec-" should not be allowed
PASSHeader: "sec-xyz" should not be allowed

Tested on
Safari - 7 - Mac OS X
Result | Test Name | Message
PASSHeader: "accept-charset" should not be allowed
PASSHeader: "accept-encoding" should not be allowed
PASSHeader: "access-control-request-headers" should not be allowed
PASSHeader: "access-control-request-method" should not be allowed
PASSHeader: "connection" should not be allowed
PASSHeader: "content-length" should not be allowed
PASSHeader: "cookie" should not be allowed
PASSHeader: "cookie2" should not be allowed
PASSHeader: "date" should not be allowed
PASSHeader: "dnt" should not be allowed
PASSHeader: "expect" should not be allowed
PASSHeader: "host" should not be allowed
PASSHeader: "keep-alive" should not be allowed
PASSHeader: "origin" should not be allowed
PASSHeader: "referer" should not be allowed
PASSHeader: "te" should not be allowed
PASSHeader: "trailer" should not be allowed
PASSHeader: "transfer-encoding" should not be allowed
PASSHeader: "upgrade" should not be allowed
PASSHeader: "user-agent" should not be allowed
PASSHeader: "via" should not be allowed
PASSHeader: "proxy-" should not be allowed
PASSHeader: "proxy-xyz" should not be allowed
PASSHeader: "sec-" should not be allowed
PASSHeader: "sec-xyz" should not be allowed

User Script (TESTHARNESS)

					
<html>
<head>
<script src="/public/js/testharness-domstorm.js"></script>

<script>
// The userScript for the Module
// W3C Testharness.js
// Tutorial: http://darobin.github.io/test-harness-tutorial/docs/using-testharness.html
// W3C web-platform-tests: https://github.com/w3c/web-platform-tests
    // Harness configuration. Per the testharness.js docs,
    // allow_uncaught_exception stops an exception raised outside a test()
    // body from failing the whole run; every header probed below still gets
    // its own PASS/FAIL row from its own test() call.
    var harnessOptions = { allow_uncaught_exception: true };
    setup(harnessOptions);
    
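        // Returns true only if the echoed request headers contain a header
        // named `name` whose value carries `sentinel` (the value we injected).
        //
        // Why not headers.hasOwnProperty(name)?
        //  - HTTP header names are case-insensitive and the key casing used by
        //    /helper/headers is not documented here; a literal lookup for
        //    "user-agent" would miss a "User-Agent" key and report a vacuous
        //    PASS -- the wrong direction for a security check.
        //  - Headers the browser always sends anyway (host, user-agent,
        //    accept-encoding, cookie, ...) would otherwise count as "allowed"
        //    whether or not setRequestHeader() was honoured. Only the sentinel
        //    proves that our call reached the wire.
        // Repeated headers may be echoed as arrays; String() joins them, so a
        // sentinel in any instance is still found. A value that merely contains
        // the sentinel (e.g. "gzip, TEST") counts as sent, which errs towards
        // reporting FAIL -- the safe direction for this test.
        function headerWasSent(headers, name, sentinel) {
            if (!headers || typeof headers !== "object") {
                return false;
            }
            var wanted = String(name).toLowerCase();
            var keys = Object.keys(headers);
            for (var i = 0; i < keys.length; i++) {
                var key = keys[i];
                if (key.toLowerCase() !== wanted) {
                    continue;
                }
                if (String(headers[key]).indexOf(sentinel) !== -1) {
                    return true;
                }
            }
            return false;
        }

        // Registers one testharness test asserting that the browser refuses
        // to send request header `val` (a lower-cased forbidden name or prefix)
        // when script sets it via XMLHttpRequest.setRequestHeader().
        // Only the XHR path is covered by this page; fetch() is not exercised.
        function shouldReturnFalse(val) {
            test(function() {
                var client = new XMLHttpRequest();
                // Synchronous on purpose: a test() body is synchronous, and a
                // sync XHR keeps every header an independent PASS/FAIL row.
                client.open("GET", "/helper/headers?filter=TEST", false);
                try {
                    client.setRequestHeader(val, "TEST");
                } catch (e) {
                    // An engine that refuses a forbidden header by throwing
                    // (rather than silently ignoring the call, which is what
                    // the Fetch spec describes) has still not let script set
                    // it. Do not turn that refusal into a FAIL; the echoed
                    // headers below remain the authoritative check.
                }
                client.send(null);
                // /helper/headers is assumed to echo the request headers as a
                // JSON object; ?filter=TEST presumably narrows it to headers
                // carrying our sentinel -- verify against the helper. If the
                // helper returns non-JSON, JSON.parse throws and the row FAILs,
                // which is right: a broken helper must never look like a PASS.
                var headers = JSON.parse(client.responseText);
                assert_false(headerWasSent(headers, val, "TEST"), "Header '" + val + "' was allowed");
            }, "Header: \"" + val + "\" should not be allowed");
        }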

        // Header names this page probes. They appear to follow the forbidden
        // request-header list of the XHR/Fetch specs; "Proxy-" and "Sec-" are
        // prefixes, so each is probed as a bare prefix and with one arbitrary
        // suffix. Engines differ (the Firefox 57 run above accepts user-agent
        // where the others reject it), so read a FAIL as "script in this
        // engine can set this header", not as a spec verdict.
        var data = ["Accept-Charset", "Accept-Encoding", "Access-Control-Request-Headers", "Access-Control-Request-Method", "Connection", "Content-Length", "Cookie", "Cookie2", "Date", "DNT", "Expect", "Host", "Keep-Alive", "Origin", "Referer", "TE", "Trailer", "Transfer-Encoding", "Upgrade", "User-Agent", "Via", "Proxy-", "Proxy-XYZ", "Sec-", "Sec-XYZ"];

        // One test per name; names are lower-cased up front so every result
        // row and assertion message carries the canonical lower-case form.
        data.forEach(function (headerName) {
            shouldReturnFalse(headerName.toLowerCase());
        });
</script>

</head>
<body>
Testing, with W3C testharness.js, which forbidden request headers XMLHttpRequest.setRequestHeader() refuses to send.
</body>
</html>