XMLHttpRequest open('trace', ...) throws a security error

Author: rbri

src/changes/changes.xml

@@ -8,6 +8,12 @@
 
     <body>
         <release version="5.0.0" date="April 01, 2026" description="jdk17, Bugfixes">
+            <action type="fix" dev="rbri">
+                XMLHttpRequest open('trace', ...) throws a security error.
+            </action>
+            <action type="update" dev="RhinoTeam">
+                The test suite now uses Jetty 12.1.
+            </action>
             <action type="update" dev="rbri">
                 INCOMPATIBLE CHANGE: Cookie moved from package 'org.htmlunit.util' to 'org.htmlunit.http'
             </action>

src/main/java/org/htmlunit/javascript/host/xml/XMLHttpRequest.java

@@ -680,8 +680,16 @@ public void open(final String method, final Object urlParam, final Object asyncP
             request.setDefaultResponseContentCharset(UTF_8);
             request.setRefererHeader(pageUrl);
 
+            final String methodUC = method.toUpperCase(Locale.ROOT);
+            if ("TRACE".equals(methodUC)) {
+                throw JavaScriptEngine.asJavaScriptException(
+                        getWindow(),
+                        "HTTP Method '" + method + "' not allowed.",
+                        DOMException.SECURITY_ERR);
+            }
+
             try {
-                request.setHttpMethod(HttpMethod.valueOf(method.toUpperCase(Locale.ROOT)));
+                request.setHttpMethod(HttpMethod.valueOf(methodUC));
             }
             catch (final IllegalArgumentException e) {
                 if (LOG.isInfoEnabled()) {