[tor-commits] [tor-browser] 09/14: Bug 1790311 - update WPT tests for request headers in XHR/Fetch. r=necko-reviewers, valentin, a=dmeehan

gitolite role git at cupani.torproject.org
Thu Nov 17 14:03:48 UTC 2022


This is an automated email from the git hooks/post-receive script.

richard pushed a commit to branch tor-browser-91.13.0esr-11.5-1
in repository tor-browser.

commit 22e361ad6d9b5dfa3d79ebd04ff1906d65be73bd
Author: sunil mayya <smayya at mozilla.com>
AuthorDate: Tue Oct 25 09:50:08 2022 +0000

    Bug 1790311 - update WPT tests for request headers in XHR/Fetch. r=necko-reviewers,valentin, a=dmeehan
    
    Depends on D157729
    
    Differential Revision: https://phabricator.services.mozilla.com/D158257
---
 .../api/basic/request-forbidden-headers.any.js     | 54 ++++++++++++++++++++++
 .../xhr/setrequestheader-header-forbidden.htm      | 52 +++++++++++++++++++++
 2 files changed, 106 insertions(+)

diff --git a/testing/web-platform/tests/fetch/api/basic/request-forbidden-headers.any.js b/testing/web-platform/tests/fetch/api/basic/request-forbidden-headers.any.js
index 5d85c4e62d32..fa5e277abe2f 100644
--- a/testing/web-platform/tests/fetch/api/basic/request-forbidden-headers.any.js
+++ b/testing/web-platform/tests/fetch/api/basic/request-forbidden-headers.any.js
@@ -16,6 +16,21 @@ function requestForbiddenHeaders(desc, forbiddenHeaders) {
   }, desc);
 }
 
+function requestValidOverrideHeaders(desc, validHeaders) {
+  var url = RESOURCES_DIR + "inspect-headers.py";
+  var requestInit = {"headers": validHeaders}
+  var urlParameters = "?headers=" + Object.keys(validHeaders).join("|");
+
+  promise_test(function(test){
+    return fetch(url + urlParameters, requestInit).then(function(resp) {
+      assert_equals(resp.status, 200, "HTTP status is 200");
+      assert_equals(resp.type , "basic", "Response's type is basic");
+      for (var header in validHeaders)
+        assert_equals(resp.headers.get("x-request-" + header), validHeaders[header], header + "is not skipped for non-forbidden methods");
+    });
+  }, desc);
+}
+
 requestForbiddenHeaders("Accept-Charset is a forbidden request header", {"Accept-Charset": "utf-8"});
 requestForbiddenHeaders("Accept-Encoding is a forbidden request header", {"Accept-Encoding": ""});
 
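Review bot: The failure message in the added `requestValidOverrideHeaders` loop concatenates `header + "is not skipped for non-forbidden methods"` with no separating space, so a failing run would print the header name fused to the text, and it speaks of methods although the check is on a header value. Something like `header + " is sent unchanged when its value names no forbidden method"` would read correctly. The body of `for (var header in validHeaders)` would be safer in braces, and a one-line comment above the function, saying that it expects `inspect-headers.py` to echo each header back as `x-request-<name>`, would make the contract explicit.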
@@ -41,3 +56,42 @@ requestForbiddenHeaders("Proxy- is a forbidden request header", {"Proxy-": "valu
 requestForbiddenHeaders("Proxy-Test is a forbidden request header", {"Proxy-Test": "value"});
 requestForbiddenHeaders("Sec- is a forbidden request header", {"Sec-": "value"});
 requestForbiddenHeaders("Sec-Test is a forbidden request header", {"Sec-Test": "value"});
+
+let forbiddenMethods = [
+  "TRACE",
+  "TRACK",
+  "CONNECT",
+  "trace",
+  "track",
+  "connect",
+  "trace,",
+  "GET,track ",
+  " connect",
+];
+
+let overrideHeaders = [
+  "x-http-method-override",
+  "x-http-method",
+  "x-method-override",
+  "X-HTTP-METHOD-OVERRIDE",
+  "X-HTTP-METHOD",
+  "X-METHOD-OVERRIDE",
+];
+
+for (forbiddenMethod of forbiddenMethods) {
+    for (overrideHeader of overrideHeaders) {
+       requestForbiddenHeaders(`header ${overrideHeader} is forbidden to use value ${forbiddenMethod}`, {[overrideHeader]: forbiddenMethod});
+    }
+}
+
+let permittedValues = [
+  "GETTRACE",
+  "GET",
+  "\",TRACE\",",
+];
+
+for (permittedValue of permittedValues) {
+    for (overrideHeader of overrideHeaders) {
+       requestValidOverrideHeaders(`header ${overrideHeader} is allowed to use value ${permittedValue}`, {[overrideHeader]: permittedValue});
+    }
+}
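Review bot: The loop variables in `for (forbiddenMethod of forbiddenMethods)` and `for (overrideHeader of overrideHeaders)` are never declared, so they become implicit globals and the script would throw a ReferenceError if it were ever evaluated in strict mode or as a module; `for (const forbiddenMethod of forbiddenMethods)` and `for (const overrideHeader of overrideHeaders)` avoid that. The same applies to `permittedValue` in the second loop pair and to the identical loops added in the `setrequestheader-header-forbidden.htm` hunk. On coverage, the forbidden list exercises upper case, lower case, a trailing comma and surrounding spaces, but no mixed-case token (for example `"TrAcE"`) and no tab as surrounding whitespace. Adding those would pin down case-insensitive matching and trimming more tightly, assuming the filter is meant to handle them.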
diff --git a/testing/web-platform/tests/xhr/setrequestheader-header-forbidden.htm b/testing/web-platform/tests/xhr/setrequestheader-header-forbidden.htm
index cc24d94499cc..0b273776bc10 100644
--- a/testing/web-platform/tests/xhr/setrequestheader-header-forbidden.htm
+++ b/testing/web-platform/tests/xhr/setrequestheader-header-forbidden.htm
@@ -37,6 +37,58 @@
         client.setRequestHeader("Sec-X", "TEST")
         client.send(null)
         assert_equals(client.responseText, "")
+        })
+
+        test (function() {
+
+        let forbiddenMethods = [
+          "TRACE",
+          "TRACK",
+          "CONNECT",
+          "trace",
+          "track",
+          "connect",
+          "trace,",
+          "GET,track ",
+          " connect",
+        ];
+
+        let overrideHeaders = [
+          "x-http-method-override",
+          "x-http-method",
+          "x-method-override",
+          "X-HTTP-METHOD-OVERRIDE",
+          "X-HTTP-METHOD",
+          "X-METHOD-OVERRIDE",
+        ];
+
+        for (forbiddenMethod of forbiddenMethods) {
+          for (overrideHeader of overrideHeaders) {
+             var client = new XMLHttpRequest()
+             client.open("POST",
+                     `resources/inspect-headers.py?filter_value=${forbiddenMethod}`, false)
+             client.setRequestHeader(overrideHeader, forbiddenMethod)
+             client.send(null)
+             assert_equals(client.responseText, "")
+          }
+        }
+
+        let permittedValues = [
+        "GETTRACE",
+        "GET",
+        "\",TRACE\",",
+        ];
+
+        for (permittedValue of permittedValues) {
+          for (overrideHeader of overrideHeaders) {
+             var client = new XMLHttpRequest()
+             client.open("POST",
+                     `resources/inspect-headers.py?filter_name=${overrideHeader}`, false)
+             client.setRequestHeader(overrideHeader, permittedValue)
+             client.send(null)
+             assert_equals(client.responseText, overrideHeader + ": " + permittedValue + "\n")
+          }
+        }
       })
     </script>
   </body>
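Review bot: The forbidden-value loop builds its URL as `filter_value=${forbiddenMethod}` without encoding, and its only assertion is that `client.responseText` is empty, so a value that fails to match on the server side would let the case pass without proving the header was dropped. Entries such as `"GET,track "` and `" connect"` carry spaces that URL parsing and header-value normalisation may treat differently; how `inspect-headers.py` compares them is not visible here. Using `encodeURIComponent(forbiddenMethod)` in the template, plus a comment stating which form the server is expected to see, would make the negative check less likely to pass vacuously. All combinations also run inside a single unnamed `test()`, so the first failing pair hides the rest. The preceding test's body starts outside this hunk.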
