This is an automated email from the git hooks/post-receive script.
richard pushed a commit to branch tor-browser-91.13.0esr-11.5-1 in repository tor-browser.
commit 22e361ad6d9b5dfa3d79ebd04ff1906d65be73bd Author: sunil mayya smayya@mozilla.com AuthorDate: Tue Oct 25 09:50:08 2022 +0000
Bug 1790311 - update WPT tests for request headers in XHR/Fetch. r=necko-reviewers,valentin, a=dmeehan
Depends on D157729
Differential Revision: https://phabricator.services.mozilla.com/D158257 --- .../api/basic/request-forbidden-headers.any.js | 54 ++++++++++++++++++++++ .../xhr/setrequestheader-header-forbidden.htm | 52 +++++++++++++++++++++ 2 files changed, 106 insertions(+)
diff --git a/testing/web-platform/tests/fetch/api/basic/request-forbidden-headers.any.js b/testing/web-platform/tests/fetch/api/basic/request-forbidden-headers.any.js index 5d85c4e62d32..fa5e277abe2f 100644 --- a/testing/web-platform/tests/fetch/api/basic/request-forbidden-headers.any.js +++ b/testing/web-platform/tests/fetch/api/basic/request-forbidden-headers.any.js @@ -16,6 +16,21 @@ function requestForbiddenHeaders(desc, forbiddenHeaders) { }, desc); }
+function requestValidOverrideHeaders(desc, validHeaders) { + var url = RESOURCES_DIR + "inspect-headers.py"; + var requestInit = {"headers": validHeaders} + var urlParameters = "?headers=" + Object.keys(validHeaders).join("|"); + + promise_test(function(test){ + return fetch(url + urlParameters, requestInit).then(function(resp) { + assert_equals(resp.status, 200, "HTTP status is 200"); + assert_equals(resp.type , "basic", "Response's type is basic"); + for (var header in validHeaders) + assert_equals(resp.headers.get("x-request-" + header), validHeaders[header], header + "is not skipped for non-forbidden methods"); + }); + }, desc); +} + requestForbiddenHeaders("Accept-Charset is a forbidden request header", {"Accept-Charset": "utf-8"}); requestForbiddenHeaders("Accept-Encoding is a forbidden request header", {"Accept-Encoding": ""});
@@ -41,3 +56,42 @@ requestForbiddenHeaders("Proxy- is a forbidden request header", {"Proxy-": "valu requestForbiddenHeaders("Proxy-Test is a forbidden request header", {"Proxy-Test": "value"}); requestForbiddenHeaders("Sec- is a forbidden request header", {"Sec-": "value"}); requestForbiddenHeaders("Sec-Test is a forbidden request header", {"Sec-Test": "value"}); + +let forbiddenMethods = [ + "TRACE", + "TRACK", + "CONNECT", + "trace", + "track", + "connect", + "trace,", + "GET,track ", + " connect", +]; + +let overrideHeaders = [ + "x-http-method-override", + "x-http-method", + "x-method-override", + "X-HTTP-METHOD-OVERRIDE", + "X-HTTP-METHOD", + "X-METHOD-OVERRIDE", +]; + +for (forbiddenMethod of forbiddenMethods) { + for (overrideHeader of overrideHeaders) { + requestForbiddenHeaders(`header ${overrideHeader} is forbidden to use value ${forbiddenMethod}`, {[overrideHeader]: forbiddenMethod}); + } +} + +let permittedValues = [ + "GETTRACE", + "GET", + "",TRACE",", +]; + +for (permittedValue of permittedValues) { + for (overrideHeader of overrideHeaders) { + requestValidOverrideHeaders(`header ${overrideHeader} is allowed to use value ${permittedValue}`, {[overrideHeader]: permittedValue}); + } +} diff --git a/testing/web-platform/tests/xhr/setrequestheader-header-forbidden.htm b/testing/web-platform/tests/xhr/setrequestheader-header-forbidden.htm index cc24d94499cc..0b273776bc10 100644 --- a/testing/web-platform/tests/xhr/setrequestheader-header-forbidden.htm +++ b/testing/web-platform/tests/xhr/setrequestheader-header-forbidden.htm @@ -37,6 +37,58 @@ client.setRequestHeader("Sec-X", "TEST") client.send(null) assert_equals(client.responseText, "") + }) + + test (function() { + + let forbiddenMethods = [ + "TRACE", + "TRACK", + "CONNECT", + "trace", + "track", + "connect", + "trace,", + "GET,track ", + " connect", + ]; + + let overrideHeaders = [ + "x-http-method-override", + "x-http-method", + "x-method-override", + "X-HTTP-METHOD-OVERRIDE", + "X-HTTP-METHOD", + "X-METHOD-OVERRIDE", + ]; + + for (forbiddenMethod of forbiddenMethods) { + for (overrideHeader of overrideHeaders) { + var client = new XMLHttpRequest() + client.open("POST", + `resources/inspect-headers.py?filter_value=${forbiddenMethod}`, false) + client.setRequestHeader(overrideHeader, forbiddenMethod) + client.send(null) + assert_equals(client.responseText, "") + } + } + + let permittedValues = [ + "GETTRACE", + "GET", + "",TRACE",", + ]; + + for (permittedValue of permittedValues) { + for (overrideHeader of overrideHeaders) { + var client = new XMLHttpRequest() + client.open("POST", + `resources/inspect-headers.py?filter_name=${overrideHeader}`, false) + client.setRequestHeader(overrideHeader, permittedValue) + client.send(null) + assert_equals(client.responseText, overrideHeader + ": " + permittedValue + "\n") + } + } }) </script> </body>