XMLHttpRequest: make various header tests much more strict #5008

annevk · 2017-02-24T11:13:55Z

Fixes #2612 and fixes #4377.

Also fixes part of #4641.

Fixes #2612 and fixes #4377. Also fixes part of #4641.

wpt-pr-bot · 2017-02-24T11:13:56Z

Notifying @Manishearth, @Ms2ger, @caitp, @emilio, @hallvors, @ibelem, @jdm, @jungkees, @kangxu, @mathiasbynens, @ronkorving, and @wisniewskit. (Learn how reviewing works.)

w3c-bots · 2017-02-24T11:22:59Z

View the complete job log.

Firefox (nightly channel)

Testing web-platform-tests at revision b1b5fa4ceefbbf87a8eb27b335cb265218ff50f2
Using browser at version BuildID 20170306110339; SourceStamp 966464a68a2cb3ca1125808e34abb5c1d34e3797
Starting 10 test iterations
All results were stable

All results

12 tests ran

/XMLHttpRequest/anonymous-mode-unsupported.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: anonymous mode unsupported`	PASS

/XMLHttpRequest/open-after-setrequestheader.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: open() after setRequestHeader()`	PASS

/XMLHttpRequest/open-referer.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: open() - value of Referer header`	PASS

/XMLHttpRequest/preserve-ua-header-on-redirect.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: User-Agent header is preserved on redirect`	PASS
`XMLHttpRequest: User-Agent header is preserved on redirect 1`	PASS

/XMLHttpRequest/send-accept-language.htm

Subtest	Results	Messages
	OK
`Send "sensible" default value, whatever that means`	PASS
`XMLHttpRequest: send() - Accept-Language`	PASS

/XMLHttpRequest/setrequestheader-allow-empty-value.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: setRequestHeader() - empty header ()`	PASS
`XMLHttpRequest: setRequestHeader() - empty header (null)`	PASS
`XMLHttpRequest: setRequestHeader() - empty header (undefined)`	PASS

/XMLHttpRequest/setrequestheader-allow-whitespace-in-value.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: setRequestHeader() - header value with whitespace ( )`	PASS
`XMLHttpRequest: setRequestHeader() - header value with whitespace ( t)`	PASS
`XMLHttpRequest: setRequestHeader() - header value with whitespace (t )`	PASS
`XMLHttpRequest: setRequestHeader() - header value with whitespace ( t )`	PASS

/XMLHttpRequest/setrequestheader-case-insensitive.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: setRequestHeader() - headers that differ in case`	PASS

/XMLHttpRequest/setrequestheader-content-type.htm

Subtest	Results	Messages
	OK
`setRequestHeader("") sends a blank string`	PASS
`setRequestHeader(" ") sends the string " "`	PASS
`setRequestHeader(null) sends the string "null"`	PASS
`setRequestHeader(undefined) sends the string "undefined"`	PASS
`String request has correct default Content-Type of "text/plain;charset=UTF-8"`	PASS
`String request keeps setRequestHeader() Content-Type, with charset adjusted to UTF-8`	PASS
`XML Document request respects setRequestHeader("")`	PASS
`XML Document request has correct default Content-Type of "application/xml;charset=UTF-8"`	PASS
`XML Document request keeps setRequestHeader() Content-Type, with charset adjusted to UTF-8`	PASS
`HTML Document request respects setRequestHeader("")`	PASS
`HTML Document request has correct default Content-Type of "text/html;charset=UTF-8"`	PASS
`HTML Document request keeps setRequestHeader() Content-Type, with charset adjusted to UTF-8`	PASS
`Blob request respects setRequestHeader("") to be specified`	PASS
`Blob request with unset type sends no Content-Type without setRequestHeader() call`	PASS
`Blob request with unset type keeps setRequestHeader() Content-Type and charset`	PASS
`Blob request with set type uses that it for Content-Type unless setRequestHeader()`	PASS
`Blob request with set type keeps setRequestHeader() Content-Type and charset`	PASS
`ArrayBuffer request respects setRequestHeader("")`	PASS
`ArrayBuffer request sends no Content-Type without setRequestHeader() call`	PASS
`ArrayBuffer request keeps setRequestHeader() Content-Type and charset`	PASS
`ArrayBufferView request respects setRequestHeader("")`	PASS
`ArrayBufferView request sends no Content-Type without setRequestHeader() call`	PASS
`ArrayBufferView request keeps setRequestHeader() Content-Type and charset`	PASS
`FormData request respects setRequestHeader("")`	PASS
`FormData request has correct default Content-Type of "multipart/form-data; boundary=_"`	PASS
`FormData request keeps setRequestHeader() Content-Type and charset`	PASS
`URLSearchParams respects setRequestHeader("")`	PASS
`URLSearchParams request has correct default Content-Type of "application/x-www-form-urlencoded;charset=UTF-8"`	PASS
`URLSearchParams request keeps setRequestHeader() Content-Type, with charset adjusted to UTF-8`	PASS
`ReadableStream request respects setRequestHeader("")`	FAIL	`ReadableStream is not defined`
`ReadableStream request with under type sends no Content-Type without setRequestHeader() call`	FAIL	`ReadableStream is not defined`
`ReadableStream request keeps setRequestHeader() Content-Type and charset`	FAIL	`ReadableStream is not defined`

/XMLHttpRequest/setrequestheader-header-allowed.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: setRequestHeader() - headers that are allowed (Authorization)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (Pragma)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (User-Agent)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (Content-Transfer-Encoding)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (Content-Type)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (Overwrite)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (If)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (Status-URI)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (X-Pink-Unicorn)`	PASS

/XMLHttpRequest/setrequestheader-header-forbidden.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: setRequestHeader() - headers that are forbidden`	PASS

/XMLHttpRequest/setrequestheader-open-setrequestheader.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: setRequestHeader() and open()`	PASS

w3c-bots · 2017-02-24T11:23:00Z

View the complete job log.

Chrome (unstable channel)

Testing web-platform-tests at revision b1b5fa4ceefbbf87a8eb27b335cb265218ff50f2
Using browser at version 58.0.3026.3 dev
Starting 10 test iterations
All results were stable

All results

12 tests ran

/XMLHttpRequest/anonymous-mode-unsupported.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: anonymous mode unsupported`	PASS

/XMLHttpRequest/open-after-setrequestheader.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: open() after setRequestHeader()`	PASS

/XMLHttpRequest/open-referer.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: open() - value of Referer header`	PASS

/XMLHttpRequest/preserve-ua-header-on-redirect.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: User-Agent header is preserved on redirect`	PASS
`XMLHttpRequest: User-Agent header is preserved on redirect 1`	FAIL	`assert_equals: expected "User-Agent: TEST\n" but got "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3026.3 Safari/537.36\n"`

/XMLHttpRequest/send-accept-language.htm

Subtest	Results	Messages
	OK
`Send "sensible" default value, whatever that means`	PASS
`XMLHttpRequest: send() - Accept-Language`	PASS

/XMLHttpRequest/setrequestheader-allow-empty-value.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: setRequestHeader() - empty header ()`	FAIL	`assert_equals: expected "X-Empty: \n" but got "Syntax error: no colon and space: X-Empty:"`
`XMLHttpRequest: setRequestHeader() - empty header (null)`	PASS
`XMLHttpRequest: setRequestHeader() - empty header (undefined)`	PASS

/XMLHttpRequest/setrequestheader-allow-whitespace-in-value.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: setRequestHeader() - header value with whitespace ( )`	FAIL	`assert_equals: expected "X-Empty: \n" but got "Syntax error: no colon and space: X-Empty:"`
`XMLHttpRequest: setRequestHeader() - header value with whitespace ( t)`	PASS
`XMLHttpRequest: setRequestHeader() - header value with whitespace (t )`	PASS
`XMLHttpRequest: setRequestHeader() - header value with whitespace ( t )`	PASS

/XMLHttpRequest/setrequestheader-case-insensitive.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: setRequestHeader() - headers that differ in case`	PASS

/XMLHttpRequest/setrequestheader-content-type.htm

Subtest	Results	Messages
	OK
`setRequestHeader("") sends a blank string`	FAIL	`assert_equals: expected "Content-Type: \n" but got "Content-Type: , text/plain;charset=UTF-8\n"`
`setRequestHeader(" ") sends the string " "`	FAIL	`assert_equals: expected "Content-Type: \n" but got "Syntax error: no colon and space: Content-Type:"`
`setRequestHeader(null) sends the string "null"`	PASS
`setRequestHeader(undefined) sends the string "undefined"`	PASS
`String request has correct default Content-Type of "text/plain;charset=UTF-8"`	PASS
`String request keeps setRequestHeader() Content-Type, with charset adjusted to UTF-8`	PASS
`XML Document request respects setRequestHeader("")`	FAIL	`assert_equals: expected "Content-Type: \n" but got "Content-Type: , application/xml;charset=UTF-8\n"`
`XML Document request has correct default Content-Type of "application/xml;charset=UTF-8"`	PASS
`XML Document request keeps setRequestHeader() Content-Type, with charset adjusted to UTF-8`	FAIL	`assert_equals: expected "Content-Type: application/xhtml+xml;charset=UTF-8\n" but got "Content-Type: application/xhtml+xml;charset=ASCII\n"`
`HTML Document request respects setRequestHeader("")`	FAIL	`assert_equals: expected "Content-Type: \n" but got "Content-Type: , application/xml;charset=UTF-8\n"`
`HTML Document request has correct default Content-Type of "text/html;charset=UTF-8"`	FAIL	`assert_equals: expected "Content-Type: text/html;charset=UTF-8\n" but got "Content-Type: application/xml;charset=UTF-8\n"`
`HTML Document request keeps setRequestHeader() Content-Type, with charset adjusted to UTF-8`	FAIL	`assert_equals: expected "Content-Type: text/html+junk;charset=UTF-8\n" but got "Content-Type: text/html+junk;charset=ASCII\n"`
`Blob request respects setRequestHeader("") to be specified`	FAIL	`assert_equals: expected "Content-Type: \n" but got "Syntax error: no colon and space: Content-Type:"`
`Blob request with unset type sends no Content-Type without setRequestHeader() call`	PASS
`Blob request with unset type keeps setRequestHeader() Content-Type and charset`	PASS
`Blob request with set type uses that it for Content-Type unless setRequestHeader()`	PASS
`Blob request with set type keeps setRequestHeader() Content-Type and charset`	PASS
`ArrayBuffer request respects setRequestHeader("")`	FAIL	`assert_equals: expected "Content-Type: \n" but got "Syntax error: no colon and space: Content-Type:"`
`ArrayBuffer request sends no Content-Type without setRequestHeader() call`	PASS
`ArrayBuffer request keeps setRequestHeader() Content-Type and charset`	PASS
`ArrayBufferView request respects setRequestHeader("")`	FAIL	`assert_equals: expected "Content-Type: \n" but got "Syntax error: no colon and space: Content-Type:"`
`ArrayBufferView request sends no Content-Type without setRequestHeader() call`	PASS
`ArrayBufferView request keeps setRequestHeader() Content-Type and charset`	PASS
`FormData request respects setRequestHeader("")`	FAIL	assert_equals: expected "Content-Type: \n" but got "Content-Type: , multipart/form-data; boundary=----WebKitFormBoundaryRtVzd0lM45x9HHr3\n";assert_equals: expected "Content-Type: \n" but got "Content-Type: , multipart/form-data; boundary=----WebKitFormBoundaryUBoDQdSdjkWArbVR\n";assert_equals: expected "Content-Type: \n" but got "Content-Type: , multipart/form-data; boundary=----WebKitFormBoundaryv8T2TaozKU5U5clt\n";assert_equals: expected "Content-Type: \n" but got "Content-Type: , multipart/form-data; boundary=----WebKitFormBoundaryW8dvYYBY8b0ELaN7\n";assert_equals: expected "Content-Type: \n" but got "Content-Type: , multipart/form-data; boundary=----WebKitFormBoundaryzawMzRfFBqU88BBo\n";assert_equals: expected "Content-Type: \n" but got "Content-Type: , multipart/form-data; boundary=----WebKitFormBoundaryPNzB5Bg6R21S6wlO\n";assert_equals: expected "Content-Type: \n" but got "Content-Type: , multipart/form-data; boundary=----WebKitFormBoundaryLyutA8ogvNCqFTBb\n";assert_equals: expected "Content-Type: \n" but got "Content-Type: , multipart/form-data; boundary=----WebKitFormBoundarynMM9gGzIQSdhglFL\n";assert_equals: expected "Content-Type: \n" but got "Content-Type: , multipart/form-data; boundary=----WebKitFormBoundaryO60PsukHkOpr0HPA\n";assert_equals: expected "Content-Type: \n" but got "Content-Type: , multipart/form-data; boundary=----WebKitFormBoundaryRocEmQEF5CQxgUFA\n"
`FormData request has correct default Content-Type of "multipart/form-data; boundary=_"`	PASS
`FormData request keeps setRequestHeader() Content-Type and charset`	PASS
`URLSearchParams respects setRequestHeader("")`	FAIL	`assert_equals: expected "Content-Type: \n" but got "Content-Type: , text/plain;charset=UTF-8\n"`
`URLSearchParams request has correct default Content-Type of "application/x-www-form-urlencoded;charset=UTF-8"`	FAIL	`assert_equals: expected "Content-Type: application/x-www-form-urlencoded;charset=UTF-8\n" but got "Content-Type: text/plain;charset=UTF-8\n"`
`URLSearchParams request keeps setRequestHeader() Content-Type, with charset adjusted to UTF-8`	PASS
`ReadableStream request respects setRequestHeader("")`	FAIL	`assert_equals: expected "Content-Type: \n" but got "Content-Type: , text/plain;charset=UTF-8\n"`
`ReadableStream request with under type sends no Content-Type without setRequestHeader() call`	FAIL	`assert_equals: expected "" but got "Content-Type: text/plain;charset=UTF-8\n"`
`ReadableStream request keeps setRequestHeader() Content-Type and charset`	FAIL	`assert_equals: expected "Content-Type: application/xml;charset=ASCII\n" but got "Content-Type: application/xml;charset=UTF-8\n"`

/XMLHttpRequest/setrequestheader-header-allowed.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: setRequestHeader() - headers that are allowed (Authorization)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (Pragma)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (User-Agent)`	FAIL	`assert_equals: expected "User-Agent," but got ""`
`XMLHttpRequest: setRequestHeader() - headers that are allowed (Content-Transfer-Encoding)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (Content-Type)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (Overwrite)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (If)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (Status-URI)`	PASS
`XMLHttpRequest: setRequestHeader() - headers that are allowed (X-Pink-Unicorn)`	PASS

/XMLHttpRequest/setrequestheader-header-forbidden.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: setRequestHeader() - headers that are forbidden`	PASS

/XMLHttpRequest/setrequestheader-open-setrequestheader.htm

Subtest	Results	Messages
	OK
`XMLHttpRequest: setRequestHeader() and open()`	PASS

domenic · 2017-03-06T20:18:34Z

XMLHttpRequest/setrequestheader-allow-whitespace-in-value.htm

@@ -15,7 +15,7 @@
          client.open("POST", "resources/inspect-headers.py?filter_name=X-Empty", false)
          client.setRequestHeader('X-Empty', value)
          client.send(null)
-          assert_equals(client.responseText, 'x-empty: '+ String(value.trim()).toLowerCase()+'\n' )
+          assert_equals(client.responseText, 'X-Empty: ' + String(value.trim()) + '\n' )


Nit: don't need the String() here anymore

Unfortunately as established in whatwg/xhr#108 setRequestHeader() uses `, ` whereas fetch() uses `,` as value separator. This introduces a legacySpaceFlag for combine that XMLHttpRequest and WebSocket can use. New code and CORS (in Access-Control-Request-Headers) can continue not passing this flag. Tests were fixed in web-platform-tests/wpt#5008.

In particular, setRequestHeader() should use 0x2C 0x20 as separator (not just 0x2C) and get(All)ResponseHeader(s)() should do so too. The latter also always needs to end in 0x0D 0x0A rather than omitting it at the end. This depends on whatwg/fetch#504 landing first. Tests: web-platform-tests/wpt#4641 and web-platform-tests/wpt#5008. Fixes #108 and fixes #109.

In particular, setRequestHeader() should use 0x2C 0x20 as separator (not just 0x2C) and get(All)ResponseHeader(s)() should do so too. The latter also always needs to end in 0x0D 0x0A rather than omitting it at the end. This depends on whatwg/fetch#504 landing first. Tests: web-platform-tests/wpt#4641, web-platform-tests/wpt#5008, and web-platform-tests/wpt#5115. Fixes #108 and fixes #109.

XMLHttpRequest: make various header tests much more strict

92448b7

Fixes #2612 and fixes #4377. Also fixes part of #4641.

wpt-pr-bot added the xhr label Feb 24, 2017

annevk requested a review from domenic March 6, 2017 12:38

domenic approved these changes Mar 6, 2017

View reviewed changes

remove String() call

3dc2e9e

annevk merged commit c281242 into master Mar 7, 2017

annevk deleted the annevk/xhr-stricter branch March 7, 2017 09:00

annevk mentioned this pull request Mar 7, 2017

Make combine work for XMLHttpRequest and WebSocket whatwg/fetch#501

Closed

annevk mentioned this pull request Mar 10, 2017

Align header handling with Fetch whatwg/xhr#130

Merged

Zirro mentioned this pull request May 14, 2017

Update web platform tests jsdom/jsdom#1845

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XMLHttpRequest: make various header tests much more strict #5008

XMLHttpRequest: make various header tests much more strict #5008

annevk commented Feb 24, 2017

wpt-pr-bot commented Feb 24, 2017

w3c-bots commented Feb 24, 2017 •

edited

w3c-bots commented Feb 24, 2017 •

edited

domenic Mar 6, 2017

XMLHttpRequest: make various header tests much more strict #5008

XMLHttpRequest: make various header tests much more strict #5008

Conversation

annevk commented Feb 24, 2017

wpt-pr-bot commented Feb 24, 2017

w3c-bots commented Feb 24, 2017 • edited

Firefox (nightly channel)

All results

w3c-bots commented Feb 24, 2017 • edited

Chrome (unstable channel)

All results

domenic Mar 6, 2017

Choose a reason for hiding this comment

w3c-bots commented Feb 24, 2017 •

edited

w3c-bots commented Feb 24, 2017 •

edited