- Revision: 222817
- Author: dba...@webkit.org
- Date: 2017-10-03 16:12:34 -0700 (Tue, 03 Oct 2017)
Log Message
XMLHttpRequest.setRequestHeader() should allow Content-Transfer-Encoding header; remove
duplicate logic to check for a forbidden XHR header field
https://bugs.webkit.org/show_bug.cgi?id=177829
<rdar://problem/34798441>
LayoutTests/imported/w3c:
Update expected result now that we match the XHR standard, <https://xhr.spec.whatwg.org> (09/08/2017).
We no longer consider Content-Transfer-Encoding and User-Agent forbidden headers as per
the standard.
* web-platform-tests/XMLHttpRequest/setrequestheader-header-allowed-expected.txt:
LayoutTests:
Update tests and expected results now that we match the XHR standard, <https://xhr.spec.whatwg.org> (09/08/2017).
We no longer consider Content-Transfer-Encoding and User-Agent forbidden headers as per
the standard.
* fast/xmlhttprequest/set-dangerous-headers-expected.txt:
* fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html:
* fast/xmlhttprequest/set-dangerous-headers.html:
* http/tests/xmlhttprequest/check-combining-headers-expected.txt:
* http/tests/xmlhttprequest/set-dangerous-headers-expected.txt:
* http/tests/xmlhttprequest/set-dangerous-headers.html:
Diff
Modified: trunk/LayoutTests/ChangeLog (222816 => 222817)
--- trunk/LayoutTests/ChangeLog 2017-10-03 23:08:27 UTC (rev 222816)
+++ trunk/LayoutTests/ChangeLog 2017-10-03 23:12:34 UTC (rev 222817)
@@ -1,3 +1,22 @@
+2017-10-03 Daniel Bates <daba...@apple.com>
+
+ XMLHttpRequest.setRequestHeader() should allow Content-Transfer-Encoding header; remove
+ duplicate logic to check for a forbidden XHR header field
+ https://bugs.webkit.org/show_bug.cgi?id=177829
+ <rdar://problem/34798441>
+
+ Update tests and expected results now that we match the XHR standard, <https://xhr.spec.whatwg.org> (09/08/2017).
+
+ We no longer consider Content-Transfer-Encoding and User-Agent forbidden headers as per
+ the standard.
+
+ * fast/xmlhttprequest/set-dangerous-headers-expected.txt:
+ * fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html:
+ * fast/xmlhttprequest/set-dangerous-headers.html:
+ * http/tests/xmlhttprequest/check-combining-headers-expected.txt:
+ * http/tests/xmlhttprequest/set-dangerous-headers-expected.txt:
+ * http/tests/xmlhttprequest/set-dangerous-headers.html:
+
2017-10-03 Megan Gardner <megan_gard...@apple.com>
Add long press and drag test
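Review bot: The six per-file entries at the end of this ChangeLog entry carry no description, so a reader cannot tell which files lost a setRequestHeader("USER-AGENT", ...) call and which were only rebaselined. Add a short note after each colon, for example "Remove USER-AGENT; no longer a forbidden header" on the .html files and "Rebaseline" on the -expected.txt files.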
Modified: trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-expected.txt (222816 => 222817)
--- trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-expected.txt 2017-10-03 23:08:27 UTC (rev 222816)
+++ trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-expected.txt 2017-10-03 23:12:34 UTC (rev 222817)
@@ -4,24 +4,24 @@
CONSOLE MESSAGE: line 15: Refused to set unsafe header "ACCESS-CONTROL-REQUEST-METHOD"
CONSOLE MESSAGE: line 21: Refused to set unsafe header "CONNECTION"
CONSOLE MESSAGE: line 22: Refused to set unsafe header "CONTENT-LENGTH"
-CONSOLE MESSAGE: line 25: Refused to set unsafe header "COOKIE"
-CONSOLE MESSAGE: line 26: Refused to set unsafe header "COOKIE2"
-CONSOLE MESSAGE: line 27: Refused to set unsafe header "DATE"
-CONSOLE MESSAGE: line 28: Refused to set unsafe header "DNT"
-CONSOLE MESSAGE: line 29: Refused to set unsafe header "EXPECT"
-CONSOLE MESSAGE: line 30: Refused to set unsafe header "HOST"
-CONSOLE MESSAGE: line 31: Refused to set unsafe header "KEEP-ALIVE"
-CONSOLE MESSAGE: line 32: Refused to set unsafe header "ORIGIN"
-CONSOLE MESSAGE: line 33: Refused to set unsafe header "REFERER"
-CONSOLE MESSAGE: line 34: Refused to set unsafe header "TE"
-CONSOLE MESSAGE: line 35: Refused to set unsafe header "TRAILER"
-CONSOLE MESSAGE: line 36: Refused to set unsafe header "TRANSFER-ENCODING"
-CONSOLE MESSAGE: line 37: Refused to set unsafe header "UPGRADE"
-CONSOLE MESSAGE: line 39: Refused to set unsafe header "VIA"
-CONSOLE MESSAGE: line 41: Refused to set unsafe header "Proxy-"
-CONSOLE MESSAGE: line 42: Refused to set unsafe header "Proxy-test"
-CONSOLE MESSAGE: line 43: Refused to set unsafe header "PROXY-FOO"
-CONSOLE MESSAGE: line 45: Refused to set unsafe header "Sec-"
-CONSOLE MESSAGE: line 46: Refused to set unsafe header "Sec-test"
-CONSOLE MESSAGE: line 47: Refused to set unsafe header "SEC-FOO"
+CONSOLE MESSAGE: line 23: Refused to set unsafe header "COOKIE"
+CONSOLE MESSAGE: line 24: Refused to set unsafe header "COOKIE2"
+CONSOLE MESSAGE: line 25: Refused to set unsafe header "DATE"
+CONSOLE MESSAGE: line 26: Refused to set unsafe header "DNT"
+CONSOLE MESSAGE: line 27: Refused to set unsafe header "EXPECT"
+CONSOLE MESSAGE: line 28: Refused to set unsafe header "HOST"
+CONSOLE MESSAGE: line 29: Refused to set unsafe header "KEEP-ALIVE"
+CONSOLE MESSAGE: line 30: Refused to set unsafe header "ORIGIN"
+CONSOLE MESSAGE: line 31: Refused to set unsafe header "REFERER"
+CONSOLE MESSAGE: line 32: Refused to set unsafe header "TE"
+CONSOLE MESSAGE: line 33: Refused to set unsafe header "TRAILER"
+CONSOLE MESSAGE: line 34: Refused to set unsafe header "TRANSFER-ENCODING"
+CONSOLE MESSAGE: line 35: Refused to set unsafe header "UPGRADE"
+CONSOLE MESSAGE: line 37: Refused to set unsafe header "VIA"
+CONSOLE MESSAGE: line 39: Refused to set unsafe header "Proxy-"
+CONSOLE MESSAGE: line 40: Refused to set unsafe header "Proxy-test"
+CONSOLE MESSAGE: line 41: Refused to set unsafe header "PROXY-FOO"
+CONSOLE MESSAGE: line 43: Refused to set unsafe header "Sec-"
+CONSOLE MESSAGE: line 44: Refused to set unsafe header "Sec-test"
+CONSOLE MESSAGE: line 45: Refused to set unsafe header "SEC-FOO"
Test that setRequestHeader() cannot be used to alter security-sensitive headers. This test PASSED if you see console warnings.
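Review bot: The rebaselined line numbers do not obviously match the one-line removal shown for set-dangerous-headers.html: every message from COOKIE onward moves up by two (25 to 23), and VIA still sits two lines after UPGRADE (35 and 37) even though the removed USER-AGENT call was between them. Please confirm this file was regenerated from the final test source rather than edited by hand, and mention in the ChangeLog what else was removed from the test if the two-line shift is intended.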
Modified: trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html (222816 => 222817)
--- trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html 2017-10-03 23:08:27 UTC (rev 222816)
+++ trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers-in-dashboard.html 2017-10-03 23:12:34 UTC (rev 222817)
@@ -35,7 +35,6 @@
req.setRequestHeader("TRAILER", "foobar");
req.setRequestHeader("TRANSFER-ENCODING", "foobar");
req.setRequestHeader("UPGRADE", "foobar");
- req.setRequestHeader("USER-AGENT", "foobar");
req.setRequestHeader("VIA", "foobar");
req.setRequestHeader("Proxy-", "foobar");
Modified: trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers.html (222816 => 222817)
--- trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers.html 2017-10-03 23:08:27 UTC (rev 222816)
+++ trunk/LayoutTests/fast/xmlhttprequest/set-dangerous-headers.html 2017-10-03 23:12:34 UTC (rev 222817)
@@ -33,7 +33,6 @@
req.setRequestHeader("TRAILER", "foobar");
req.setRequestHeader("TRANSFER-ENCODING", "foobar");
req.setRequestHeader("UPGRADE", "foobar");
- req.setRequestHeader("USER-AGENT", "foobar");
req.setRequestHeader("VIA", "foobar");
req.setRequestHeader("Proxy-", "foobar");
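Review bot: Dropping the USER-AGENT call after the UPGRADE line removes the only place this test touches that header, and nothing is added to check that it is now accepted. Consider keeping a call outside the forbidden list and asserting that no "Refused to set unsafe header" message is logged for it, since the web-platform-tests baseline in this same revision still records FAIL for the User-Agent subtest.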
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/check-combining-headers-expected.txt (222816 => 222817)
--- trunk/LayoutTests/http/tests/xmlhttprequest/check-combining-headers-expected.txt 2017-10-03 23:08:27 UTC (rev 222816)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/check-combining-headers-expected.txt 2017-10-03 23:12:34 UTC (rev 222817)
@@ -1,12 +1,8 @@
-CONSOLE MESSAGE: line 16: Refused to set unsafe header "User-Agent"
-CONSOLE MESSAGE: line 17: Refused to set unsafe header "User-Agent"
-CONSOLE MESSAGE: line 16: Refused to set unsafe header "Content-Transfer-Encoding"
-CONSOLE MESSAGE: line 17: Refused to set unsafe header "Content-Transfer-Encoding"
PASS XMLHttpRequest: setRequestHeader() - combining headers (Authorization)
PASS XMLHttpRequest: setRequestHeader() - combining headers (Pragma)
FAIL XMLHttpRequest: setRequestHeader() - combining headers (User-Agent) assert_true: Combined header value should be t1, t2 expected true got false
-FAIL XMLHttpRequest: setRequestHeader() - combining headers (Content-Transfer-Encoding) assert_equals: Combined header value should be t1, t2 expected (string) "t1, t2" but got (undefined) undefined
+PASS XMLHttpRequest: setRequestHeader() - combining headers (Content-Transfer-Encoding)
PASS XMLHttpRequest: setRequestHeader() - combining headers (Content-Type)
PASS XMLHttpRequest: setRequestHeader() - combining headers (Overwrite)
PASS XMLHttpRequest: setRequestHeader() - combining headers (If)
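Review bot: The User-Agent subtest is left as FAIL ("Combined header value should be t1, t2 expected true got false") while the two 'Refused to set unsafe header "User-Agent"' messages are removed, so the new baseline records a failure that the log message does not explain. If User-Agent is no longer forbidden but the value still does not reach the request, say so in the ChangeLog and reference a follow-up bug so this FAIL line is not mistaken for expected behaviour.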
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/set-dangerous-headers-expected.txt (222816 => 222817)
--- trunk/LayoutTests/http/tests/xmlhttprequest/set-dangerous-headers-expected.txt 2017-10-03 23:08:27 UTC (rev 222816)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/set-dangerous-headers-expected.txt 2017-10-03 23:12:34 UTC (rev 222817)
@@ -4,26 +4,26 @@
CONSOLE MESSAGE: line 15: Refused to set unsafe header "ACCESS-CONTROL-REQUEST-METHOD"
CONSOLE MESSAGE: line 21: Refused to set unsafe header "CONNECTION"
CONSOLE MESSAGE: line 22: Refused to set unsafe header "CONTENT-LENGTH"
-CONSOLE MESSAGE: line 25: Refused to set unsafe header "COOKIE"
-CONSOLE MESSAGE: line 26: Refused to set unsafe header "COOKIE2"
-CONSOLE MESSAGE: line 27: Refused to set unsafe header "DATE"
-CONSOLE MESSAGE: line 28: Refused to set unsafe header "DNT"
-CONSOLE MESSAGE: line 29: Refused to set unsafe header "EXPECT"
-CONSOLE MESSAGE: line 30: Refused to set unsafe header "HOST"
-CONSOLE MESSAGE: line 31: Refused to set unsafe header "KEEP-ALIVE"
-CONSOLE MESSAGE: line 32: Refused to set unsafe header "ORIGIN"
-CONSOLE MESSAGE: line 33: Refused to set unsafe header "REFERER"
-CONSOLE MESSAGE: line 34: Refused to set unsafe header "TE"
-CONSOLE MESSAGE: line 35: Refused to set unsafe header "TRAILER"
-CONSOLE MESSAGE: line 36: Refused to set unsafe header "TRANSFER-ENCODING"
-CONSOLE MESSAGE: line 37: Refused to set unsafe header "UPGRADE"
-CONSOLE MESSAGE: line 39: Refused to set unsafe header "VIA"
-CONSOLE MESSAGE: line 41: Refused to set unsafe header "Proxy-"
-CONSOLE MESSAGE: line 42: Refused to set unsafe header "Proxy-test"
-CONSOLE MESSAGE: line 43: Refused to set unsafe header "PROXY-FOO"
-CONSOLE MESSAGE: line 45: Refused to set unsafe header "Sec-"
-CONSOLE MESSAGE: line 46: Refused to set unsafe header "Sec-test"
-CONSOLE MESSAGE: line 47: Refused to set unsafe header "SEC-FOO"
+CONSOLE MESSAGE: line 23: Refused to set unsafe header "COOKIE"
+CONSOLE MESSAGE: line 24: Refused to set unsafe header "COOKIE2"
+CONSOLE MESSAGE: line 25: Refused to set unsafe header "DATE"
+CONSOLE MESSAGE: line 26: Refused to set unsafe header "DNT"
+CONSOLE MESSAGE: line 27: Refused to set unsafe header "EXPECT"
+CONSOLE MESSAGE: line 28: Refused to set unsafe header "HOST"
+CONSOLE MESSAGE: line 29: Refused to set unsafe header "KEEP-ALIVE"
+CONSOLE MESSAGE: line 30: Refused to set unsafe header "ORIGIN"
+CONSOLE MESSAGE: line 31: Refused to set unsafe header "REFERER"
+CONSOLE MESSAGE: line 32: Refused to set unsafe header "TE"
+CONSOLE MESSAGE: line 33: Refused to set unsafe header "TRAILER"
+CONSOLE MESSAGE: line 34: Refused to set unsafe header "TRANSFER-ENCODING"
+CONSOLE MESSAGE: line 35: Refused to set unsafe header "UPGRADE"
+CONSOLE MESSAGE: line 37: Refused to set unsafe header "VIA"
+CONSOLE MESSAGE: line 39: Refused to set unsafe header "Proxy-"
+CONSOLE MESSAGE: line 40: Refused to set unsafe header "Proxy-test"
+CONSOLE MESSAGE: line 41: Refused to set unsafe header "PROXY-FOO"
+CONSOLE MESSAGE: line 43: Refused to set unsafe header "Sec-"
+CONSOLE MESSAGE: line 44: Refused to set unsafe header "Sec-test"
+CONSOLE MESSAGE: line 45: Refused to set unsafe header "SEC-FOO"
Test that setRequestHeader cannot be used to alter security-sensitive headers.
SUCCESS
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/set-dangerous-headers.html (222816 => 222817)
--- trunk/LayoutTests/http/tests/xmlhttprequest/set-dangerous-headers.html 2017-10-03 23:08:27 UTC (rev 222816)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/set-dangerous-headers.html 2017-10-03 23:12:34 UTC (rev 222817)
@@ -33,7 +33,6 @@
req.setRequestHeader("TRAILER", "foobar");
req.setRequestHeader("TRANSFER-ENCODING", "foobar");
req.setRequestHeader("UPGRADE", "foobar");
- req.setRequestHeader("USER-AGENT", "foobar");
req.setRequestHeader("VIA", "foobar");
req.setRequestHeader("Proxy-", "foobar");
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (222816 => 222817)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2017-10-03 23:08:27 UTC (rev 222816)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2017-10-03 23:12:34 UTC (rev 222817)
@@ -1,3 +1,17 @@
+2017-10-03 Daniel Bates <daba...@apple.com>
+
+ XMLHttpRequest.setRequestHeader() should allow Content-Transfer-Encoding header; remove
+ duplicate logic to check for a forbidden XHR header field
+ https://bugs.webkit.org/show_bug.cgi?id=177829
+ <rdar://problem/34798441>
+
+ Update expected result now that we match the XHR standard, <https://xhr.spec.whatwg.org> (09/08/2017).
+
+ We no longer consider Content-Transfer-Encoding and User-Agent forbidden headers as per
+ the standard.
+
+ * web-platform-tests/XMLHttpRequest/setrequestheader-header-allowed-expected.txt:
+
2017-10-03 Ms2ger <ms2...@igalia.com>
Remove some duplicated canvas toDataURL tests.
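Review bot: The sentence "We no longer consider Content-Transfer-Encoding and User-Agent forbidden headers" reads as if both subtests now pass, but the one file listed here, setrequestheader-header-allowed-expected.txt, flips only Content-Transfer-Encoding to PASS and keeps User-Agent as FAIL. Note that remaining failure next to the file entry so the rebaseline is self-explanatory.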
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/setrequestheader-header-allowed-expected.txt (222816 => 222817)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/setrequestheader-header-allowed-expected.txt 2017-10-03 23:08:27 UTC (rev 222816)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/setrequestheader-header-allowed-expected.txt 2017-10-03 23:12:34 UTC (rev 222817)
@@ -1,12 +1,8 @@
-CONSOLE MESSAGE: line 16: Refused to set unsafe header "User-Agent"
-CONSOLE MESSAGE: line 17: Refused to set unsafe header "User-Agent"
-CONSOLE MESSAGE: line 16: Refused to set unsafe header "Content-Transfer-Encoding"
-CONSOLE MESSAGE: line 17: Refused to set unsafe header "Content-Transfer-Encoding"
PASS XMLHttpRequest: setRequestHeader() - headers that are allowed (Authorization)
PASS XMLHttpRequest: setRequestHeader() - headers that are allowed (Pragma)
FAIL XMLHttpRequest: setRequestHeader() - headers that are allowed (User-Agent) assert_equals: expected "User-Agent," but got ""
-FAIL XMLHttpRequest: setRequestHeader() - headers that are allowed (Content-Transfer-Encoding) assert_equals: expected "Content-Transfer-Encoding," but got ""
+PASS XMLHttpRequest: setRequestHeader() - headers that are allowed (Content-Transfer-Encoding)
PASS XMLHttpRequest: setRequestHeader() - headers that are allowed (Content-Type)
PASS XMLHttpRequest: setRequestHeader() - headers that are allowed (Overwrite)
PASS XMLHttpRequest: setRequestHeader() - headers that are allowed (If)