blob: 9419e7957058e6c834d06c4e7d91b7ab44dd1fc2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
<html>
<script>
function testInvalidMethod() {
var result = 'FAILURE';
var req = new XMLHttpRequest();
try {
req.open('test\r\nfoobar', window.location, true)
} catch (e) {
if (e.code == DOMException.SYNTAX_ERR)
result = 'SUCCESS';
}
debug('testInvalidMethod: ' + result);
}
function testInvalidHeaderName() {
var result = 'FAILURE';
var req = new XMLHttpRequest();
req.open('GET', window.location, true)
try {
req.setRequestHeader("host:", "example.com");
} catch (e) {
if (e.code == DOMException.SYNTAX_ERR)
result = 'SUCCESS';
}
debug('testInvalidHeaderName: ' + result);
}
function testInvalidHeaderValues() {
var result = 'FAILURE';
var successCount = 0;
var req = new XMLHttpRequest();
req.open('GET', window.location, true)
try {
req.setRequestHeader("X-Hack", "Test\r\nHost: www.example.com\r\n\r\nGET / HTTP/1.1");
} catch (e) {
if (e.code == DOMException.SYNTAX_ERR)
successCount++;
}
try {
req.setRequestHeader("X-Hack", "Test\nHost: www.example.com\n\nGET / HTTP/1.1");
} catch (e) {
if (e.code == DOMException.SYNTAX_ERR)
successCount++;
}
try {
req.setRequestHeader("X-Hack", "Test\rHost: www.example.com\r\rGET / HTTP/1.1");
} catch (e) {
if (e.code == DOMException.SYNTAX_ERR)
successCount++;
}
if (successCount == 3)
result = 'SUCCESS';
debug('testInvalidHeaderValues: ' + result);
}
function debug(str) {
var console = document.getElementById('console');
var li = document.createElement('li');
li.appendChild(document.createTextNode(str));
console.appendChild(li);
}
function runTest() {
if (window.testRunner)
testRunner.dumpAsText();
testInvalidMethod();
testInvalidHeaderName();
testInvalidHeaderValues();
}
</script>
<body onload="runTest()">
This tests that setting invalid header names, values and using an invalid method causes XMLHttpRequest to throw the appropriate exceptions.
</body>
<ul id="console">
</ul>
</html>
|