Handler on Duty: Johannes Ullrich
This page tests various features of XMLHttpRequest to check whether your browser complies with the latest draft standard. The page will only make sense if JavaScript is not blocked.
We also test some cookie protections. The page sets three cookies:
- "Normal"
- "org" (the domain of this cookie is set to .org)
- "incidents" (the domain of this cookie is set to incidents.org)
The value changes with each reload to make it easier to detect changes. The value is just a Unix timestamp.
| Cookie Name | Cookie Value |
|---|---|
| Feature | Result (click on the word "fail" to see headers) |
|---|---|
| Simple request to make sure it is working at all | |
| Testing Same Origin Policy ("failed" is good here! Script is loaded from iscnx.sans.org) | |
| Setting X-MyHeader (should work) | |
| Setting Cookie (should work) | |
| According to the W3C standard, everything below this line should fail | |
| Setting forbidden header Accept-Charset | |
| Setting forbidden header Accept-Encoding | |
| Setting forbidden header Content-Length | |
| Setting forbidden header Expect | |
| Setting forbidden header Date | |
| Setting forbidden header Host | |
| Setting forbidden header Keep-Alive | |
| Setting forbidden header Referer | |
| Setting forbidden header TE | |
| Setting forbidden header Transfer-Encoding | |
| Setting forbidden header Upgrade | |
| Setting forbidden header Connection | |
| Setting forbidden header Content-Transfer-Encoding | |
| Setting forbidden header Via | |
| Setting forbidden header Range | |
| Setting forbidden header Origin | |
| Setting forbidden method POST | |
| Setting forbidden method PUT | |
| Setting forbidden method DELETE | |
| Setting forbidden method BOGUS | |