Source code
Revision control
Copy as Markdown
Other Tools
<!DOCTYPE HTML>
<html>
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<title>Test for Cross Site XMLHttpRequest</title>
</head>
<body onload="initTest()">
<p id="display">
<iframe id=loader></iframe>
</p>
<div id="content" style="display: none">
</div>
<pre id="test">
<script class="testbody" type="application/javascript">
const runPreflightTests = 1;
const runCookieTests = 1;
const runRedirectTests = 1;
var gen;
function initTest() {
window.addEventListener("message", function(e) {
gen.next(e.data);
});
gen = runTest();
gen.next()
}
function initTestCallback() {
}
function* runTest() {
var loader = document.getElementById('loader');
var loaderWindow = loader.contentWindow;
loader.onload = function () { gen.next() };
// Test preflight-less requests
basePath = "/browser/dom/security/test/cors/file_CrossSiteXHR_server.sjs?"
// Test preflighted requests
yield undefined;
tests = [// Plain request
{ pass: 1,
method: "GET",
noAllowPreflight: 1,
},
// undefined username
{ pass: 1,
method: "GET",
noAllowPreflight: 1,
username: undefined
},
// undefined username and password
{ pass: 1,
method: "GET",
noAllowPreflight: 1,
username: undefined,
password: undefined
},
// nonempty username
{ pass: 0,
method: "GET",
noAllowPreflight: 1,
username: "user",
},
// nonempty password
// XXXbz this passes for now, because we ignore passwords
// without usernames in most cases.
{ pass: 1,
method: "GET",
noAllowPreflight: 1,
password: "password",
},
// Default allowed headers
{ pass: 1,
method: "GET",
headers: { "Content-Type": "text/plain",
"Accept": "foo/bar",
"Accept-Language": "sv-SE" },
noAllowPreflight: 1,
},
{ pass: 0,
method: "GET",
headers: { "Content-Type": "foo/bar",
"Accept": "foo/bar",
"Accept-Language": "sv-SE" },
noAllowPreflight: 1,
},
{ pass: 0,
method: "GET",
headers: { "Content-Type": "foo/bar, text/plain" },
noAllowPreflight: 1,
},
{ pass: 0,
method: "GET",
headers: { "Content-Type": "foo/bar, text/plain, garbage" },
noAllowPreflight: 1,
},
// Custom headers
{ pass: 1,
method: "GET",
headers: { "x-my-header": "myValue" },
allowHeaders: "x-my-header",
},
{ pass: 1,
method: "GET",
headers: { "x-my-header": "myValue" },
allowHeaders: "X-My-Header",
},
{ pass: 1,
method: "GET",
headers: { "x-my-header": "myValue",
"long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header": "secondValue" },
allowHeaders: "x-my-header, long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header",
},
{ pass: 1,
method: "GET",
headers: { "x-my%-header": "myValue" },
allowHeaders: "x-my%-header",
},
{ pass: 0,
method: "GET",
headers: { "x-my-header": "myValue" },
},
{ pass: 0,
method: "GET",
headers: { "x-my-header": "" },
},
{ pass: 0,
method: "GET",
headers: { "x-my-header": "myValue" },
allowHeaders: "",
},
{ pass: 0,
method: "GET",
headers: { "x-my-header": "myValue" },
allowHeaders: "y-my-header",
},
{ pass: 0,
method: "GET",
headers: { "x-my-header": "myValue" },
allowHeaders: "x-my-header y-my-header",
},
{ pass: 0,
method: "GET",
headers: { "x-my-header": "myValue" },
allowHeaders: "x-my-header, y-my-header z",
},
{ pass: 0,
method: "GET",
headers: { "x-my-header": "myValue" },
allowHeaders: "x-my-header, y-my-he(ader",
},
{ pass: 0,
method: "GET",
headers: { "myheader": "" },
allowMethods: "myheader",
},
{ pass: 1,
method: "GET",
headers: { "User-Agent": "myValue" },
allowHeaders: "User-Agent",
},
{ pass: 0,
method: "GET",
headers: { "User-Agent": "myValue" },
},
// Multiple custom headers
{ pass: 1,
method: "GET",
headers: { "x-my-header": "myValue",
"second-header": "secondValue",
"third-header": "thirdValue" },
allowHeaders: "x-my-header, second-header, third-header",
},
{ pass: 1,
method: "GET",
headers: { "x-my-header": "myValue",
"second-header": "secondValue",
"third-header": "thirdValue" },
allowHeaders: "x-my-header,second-header,third-header",
},
{ pass: 1,
method: "GET",
headers: { "x-my-header": "myValue",
"second-header": "secondValue",
"third-header": "thirdValue" },
allowHeaders: "x-my-header ,second-header ,third-header",
},
{ pass: 1,
method: "GET",
headers: { "x-my-header": "myValue",
"second-header": "secondValue",
"third-header": "thirdValue" },
allowHeaders: "x-my-header , second-header , third-header",
},
{ pass: 1,
method: "GET",
headers: { "x-my-header": "myValue",
"second-header": "secondValue" },
allowHeaders: ", x-my-header, , ,, second-header, , ",
},
{ pass: 1,
method: "GET",
headers: { "x-my-header": "myValue",
"second-header": "secondValue" },
allowHeaders: "x-my-header, second-header, unused-header",
},
{ pass: 0,
method: "GET",
headers: { "x-my-header": "myValue",
"y-my-header": "secondValue" },
allowHeaders: "x-my-header",
},
{ pass: 0,
method: "GET",
headers: { "x-my-header": "",
"y-my-header": "" },
allowHeaders: "x-my-header",
},
// HEAD requests
{ pass: 1,
method: "HEAD",
noAllowPreflight: 1,
},
// HEAD with safe headers
{ pass: 1,
method: "HEAD",
headers: { "Content-Type": "text/plain",
"Accept": "foo/bar",
"Accept-Language": "sv-SE" },
noAllowPreflight: 1,
},
{ pass: 0,
method: "HEAD",
headers: { "Content-Type": "foo/bar",
"Accept": "foo/bar",
"Accept-Language": "sv-SE" },
noAllowPreflight: 1,
},
{ pass: 0,
method: "HEAD",
headers: { "Content-Type": "foo/bar, text/plain" },
noAllowPreflight: 1,
},
{ pass: 0,
method: "HEAD",
headers: { "Content-Type": "foo/bar, text/plain, garbage" },
noAllowPreflight: 1,
},
// HEAD with custom headers
{ pass: 1,
method: "HEAD",
headers: { "x-my-header": "myValue" },
allowHeaders: "x-my-header",
},
{ pass: 0,
method: "HEAD",
headers: { "x-my-header": "myValue" },
},
{ pass: 0,
method: "HEAD",
headers: { "x-my-header": "myValue" },
allowHeaders: "",
},
{ pass: 0,
method: "HEAD",
headers: { "x-my-header": "myValue" },
allowHeaders: "y-my-header",
},
{ pass: 0,
method: "HEAD",
headers: { "x-my-header": "myValue" },
allowHeaders: "x-my-header y-my-header",
},
// POST tests
{ pass: 1,
method: "POST",
body: "hi there",
noAllowPreflight: 1,
},
{ pass: 1,
method: "POST",
},
{ pass: 1,
method: "POST",
noAllowPreflight: 1,
},
// POST with standard headers
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain" },
noAllowPreflight: 1,
},
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "Content-Type": "multipart/form-data" },
noAllowPreflight: 1,
},
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
noAllowPreflight: 1,
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "Content-Type": "foo/bar" },
},
{ pass: 0,
method: "POST",
headers: { "Content-Type": "foo/bar" },
},
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain",
"Accept": "foo/bar",
"Accept-Language": "sv-SE" },
noAllowPreflight: 1,
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "Content-Type": "foo/bar, text/plain" },
noAllowPreflight: 1,
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "Content-Type": "foo/bar, text/plain, garbage" },
noAllowPreflight: 1,
},
// POST with custom headers
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "Accept": "foo/bar",
"Accept-Language": "sv-SE",
"x-my-header": "myValue" },
allowHeaders: "x-my-header",
},
{ pass: 1,
method: "POST",
headers: { "Content-Type": "text/plain",
"x-my-header": "myValue" },
allowHeaders: "x-my-header",
},
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain",
"x-my-header": "myValue" },
allowHeaders: "x-my-header",
},
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "Content-Type": "foo/bar",
"x-my-header": "myValue" },
allowHeaders: "x-my-header, content-type",
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "Content-Type": "foo/bar" },
noAllowPreflight: 1,
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "Content-Type": "foo/bar",
"x-my-header": "myValue" },
allowHeaders: "x-my-header",
},
{ pass: 1,
method: "POST",
headers: { "x-my-header": "myValue" },
allowHeaders: "x-my-header",
},
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "x-my-header": "myValue" },
allowHeaders: "x-my-header, $_%",
},
// Other methods
{ pass: 1,
method: "DELETE",
allowMethods: "DELETE",
},
{ pass: 0,
method: "DELETE",
allowHeaders: "DELETE",
},
{ pass: 0,
method: "DELETE",
},
{ pass: 0,
method: "DELETE",
allowMethods: "",
},
{ pass: 1,
method: "DELETE",
allowMethods: "POST, PUT, DELETE",
},
{ pass: 1,
method: "DELETE",
allowMethods: "POST, DELETE, PUT",
},
{ pass: 1,
method: "DELETE",
allowMethods: "DELETE, POST, PUT",
},
{ pass: 1,
method: "DELETE",
allowMethods: "POST ,PUT ,DELETE",
},
{ pass: 1,
method: "DELETE",
allowMethods: "POST,PUT,DELETE",
},
{ pass: 1,
method: "DELETE",
allowMethods: "POST , PUT , DELETE",
},
{ pass: 1,
method: "DELETE",
allowMethods: " ,, PUT ,, , , DELETE , ,",
},
{ pass: 0,
method: "DELETE",
allowMethods: "PUT",
},
{ pass: 0,
method: "DELETE",
allowMethods: "DELETEZ",
},
{ pass: 0,
method: "DELETE",
allowMethods: "DELETE PUT",
},
{ pass: 0,
method: "DELETE",
allowMethods: "DELETE, PUT Z",
},
{ pass: 0,
method: "DELETE",
allowMethods: "DELETE, PU(T",
},
{ pass: 0,
method: "DELETE",
allowMethods: "PUT DELETE",
},
{ pass: 0,
method: "DELETE",
allowMethods: "PUT Z, DELETE",
},
{ pass: 0,
method: "DELETE",
allowMethods: "PU(T, DELETE",
},
{ pass: 0,
method: "MYMETHOD",
allowMethods: "myMethod",
},
{ pass: 0,
method: "PUT",
allowMethods: "put",
},
// Progress events
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain" },
uploadProgress: "progress",
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain" },
uploadProgress: "progress",
noAllowPreflight: 1,
},
// Status messages
{ pass: 1,
method: "GET",
noAllowPreflight: 1,
status: 404,
statusMessage: "nothin' here",
},
{ pass: 1,
method: "GET",
noAllowPreflight: 1,
status: 401,
statusMessage: "no can do",
},
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "Content-Type": "foo/bar" },
allowHeaders: "content-type",
status: 500,
statusMessage: "server boo",
},
{ pass: 1,
method: "GET",
noAllowPreflight: 1,
status: 200,
statusMessage: "Yes!!",
},
{ pass: 0,
method: "GET",
headers: { "x-my-header": "header value" },
allowHeaders: "x-my-header",
preflightStatus: 400
},
{ pass: 1,
method: "GET",
headers: { "x-my-header": "header value" },
allowHeaders: "x-my-header",
preflightStatus: 200
},
{ pass: 1,
method: "GET",
headers: { "x-my-header": "header value" },
allowHeaders: "x-my-header",
preflightStatus: 204
},
// exposed headers
{ pass: 1,
method: "GET",
responseHeaders: { "x-my-header": "x header" },
exposeHeaders: "x-my-header",
expectedResponseHeaders: ["x-my-header"],
},
{ pass: 0,
method: "GET",
responseHeaders: { "x-my-header": "x header" },
exposeHeaders: "x-my-header",
expectedResponseHeaders: [],
},
{ pass: 1,
method: "GET",
responseHeaders: { "x-my-header": "x header" },
expectedResponseHeaders: [],
},
{ pass: 1,
method: "GET",
responseHeaders: { "x-my-header": "x header" },
exposeHeaders: "x-my-header y",
expectedResponseHeaders: [],
},
{ pass: 1,
method: "GET",
responseHeaders: { "x-my-header": "x header" },
exposeHeaders: "y x-my-header",
expectedResponseHeaders: [],
},
{ pass: 1,
method: "GET",
responseHeaders: { "x-my-header": "x header" },
exposeHeaders: "x-my-header, y-my-header z",
expectedResponseHeaders: [],
},
{ pass: 1,
method: "GET",
responseHeaders: { "x-my-header": "x header" },
exposeHeaders: "x-my-header, y-my-hea(er",
expectedResponseHeaders: [],
},
{ pass: 1,
method: "GET",
responseHeaders: { "x-my-header": "x header",
"y-my-header": "y header" },
exposeHeaders: " , ,,y-my-header,z-my-header, ",
expectedResponseHeaders: ["y-my-header"],
},
{ pass: 1,
method: "GET",
responseHeaders: { "Cache-Control": "cacheControl header",
"Content-Language": "contentLanguage header",
"Expires":"expires header",
"Last-Modified":"lastModified header",
"Pragma":"pragma header",
"Unexpected":"unexpected header" },
expectedResponseHeaders: ["Cache-Control","Content-Language","Content-Type","Expires","Last-Modified","Pragma"],
},
// Check that sending a body in the OPTIONS response works
{ pass: 1,
method: "DELETE",
allowMethods: "DELETE",
preflightBody: "I'm a preflight response body",
},
];
if (!runPreflightTests) {
tests = [];
}
for (test of tests) {
var req = {
url: baseURL + "allowOrigin=" + escape(test.origin || origin),
method: test.method,
headers: test.headers,
uploadProgress: test.uploadProgress,
body: test.body,
responseHeaders: test.responseHeaders,
};
if (test.pass) {
req.url += "&origin=" + escape(origin) +
"&requestMethod=" + test.method;
}
if ("username" in test) {
req.username = test.username;
}
if ("password" in test) {
req.password = test.password;
}
if (test.noAllowPreflight)
req.url += "&noAllowPreflight";
if (test.pass && "headers" in test) {
function isUnsafeHeader(name) {
lName = name.toLowerCase();
return lName != "accept" &&
lName != "accept-language" &&
(lName != "content-type" ||
!["text/plain",
"multipart/form-data",
"application/x-www-form-urlencoded"]
.includes(test.headers[name].toLowerCase()));
}
req.url += "&headers=" + escape(JSON.stringify(test.headers));
reqHeaders =
escape(Object.keys(test.headers)
.filter(isUnsafeHeader)
.map(s => s.toLowerCase())
.sort()
.join(","));
req.url += reqHeaders ? "&requestHeaders=" + reqHeaders : "";
}
if ("allowHeaders" in test)
req.url += "&allowHeaders=" + escape(test.allowHeaders);
if ("allowMethods" in test)
req.url += "&allowMethods=" + escape(test.allowMethods);
if (test.body)
req.url += "&body=" + escape(test.body);
if (test.status) {
req.url += "&status=" + test.status;
req.url += "&statusMessage=" + escape(test.statusMessage);
}
if (test.preflightStatus)
req.url += "&preflightStatus=" + test.preflightStatus;
if (test.responseHeaders)
req.url += "&responseHeaders=" + escape(JSON.stringify(test.responseHeaders));
if (test.exposeHeaders)
req.url += "&exposeHeaders=" + escape(test.exposeHeaders);
if (test.preflightBody)
req.url += "&preflightBody=" + escape(test.preflightBody);
loaderWindow.postMessage(JSON.stringify(req), origin);
res = JSON.parse(yield);
}
// Test cookie behavior
tests = [{ pass: 1,
method: "GET",
withCred: 1,
allowCred: 1,
},
{ pass: 0,
method: "GET",
withCred: 1,
allowCred: 0,
},
{ pass: 0,
method: "GET",
withCred: 1,
allowCred: 1,
origin: "*",
},
{ pass: 1,
method: "GET",
withCred: 0,
allowCred: 1,
origin: "*",
},
{ pass: 1,
method: "GET",
setCookie: "a=1",
withCred: 1,
allowCred: 1,
},
{ pass: 1,
method: "GET",
cookie: "a=1",
withCred: 1,
allowCred: 1,
},
{ pass: 1,
method: "GET",
noCookie: 1,
withCred: 0,
allowCred: 1,
},
{ pass: 0,
method: "GET",
noCookie: 1,
withCred: 1,
allowCred: 1,
},
{ pass: 1,
method: "GET",
setCookie: "a=2",
withCred: 0,
allowCred: 1,
},
{ pass: 1,
method: "GET",
cookie: "a=1",
withCred: 1,
allowCred: 1,
},
{ pass: 1,
method: "GET",
setCookie: "a=2",
withCred: 1,
allowCred: 1,
},
{ pass: 1,
method: "GET",
cookie: "a=2",
withCred: 1,
allowCred: 1,
},
];
if (!runCookieTests) {
tests = [];
}
for (test of tests) {
req = {
url: baseURL + "allowOrigin=" + escape(test.origin || origin),
method: test.method,
headers: test.headers,
withCred: test.withCred,
};
if (test.allowCred)
req.url += "&allowCred";
if (test.setCookie)
req.url += "&setCookie=" + escape(test.setCookie);
if (test.cookie)
req.url += "&cookie=" + escape(test.cookie);
if (test.noCookie)
req.url += "&noCookie";
if ("allowHeaders" in test)
req.url += "&allowHeaders=" + escape(test.allowHeaders);
if ("allowMethods" in test)
req.url += "&allowMethods=" + escape(test.allowMethods);
loaderWindow.postMessage(JSON.stringify(req), origin);
res = JSON.parse(yield);
}
// Make sure to clear cookies to avoid affecting other tests
document.cookie = "a=; path=/; expires=Thu, 01-Jan-1970 00:00:01 GMT"
// Test redirects
tests = [{ pass: 1,
method: "GET",
allowOrigin: origin
},
],
},
{ pass: 0,
method: "GET",
allowOrigin: origin
},
allowOrigin: origin
},
],
},
{ pass: 1,
method: "GET",
allowOrigin: origin
},
allowOrigin: "*"
},
],
},
{ pass: 0,
method: "GET",
allowOrigin: origin
},
},
],
},
{ pass: 1,
method: "GET",
},
},
allowOrigin: origin
},
],
},
{ pass: 0,
method: "GET",
},
},
allowOrigin: origin
},
},
],
},
{ pass: 0,
method: "GET",
allowOrigin: origin
},
allowOrigin: origin
},
allowOrigin: origin
},
allowOrigin: origin
},
],
},
{ pass: 0,
method: "GET",
allowOrigin: origin
},
allowOrigin: origin
},
allowOrigin: "*"
},
allowOrigin: "*"
},
],
},
{ pass: 1,
method: "GET",
allowOrigin: origin
},
allowOrigin: "*"
},
allowOrigin: "*"
},
allowOrigin: "*"
},
],
},
{ pass: 0,
method: "GET",
allowOrigin: origin
},
allowOrigin: origin
},
allowOrigin: "x"
},
allowOrigin: origin
},
],
},
{ pass: 0,
method: "GET",
allowOrigin: origin
},
allowOrigin: origin
},
allowOrigin: "*"
},
allowOrigin: origin
},
],
},
{ pass: 0,
method: "GET",
allowOrigin: origin
},
allowOrigin: origin
},
allowOrigin: "*"
},
},
],
},
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain" },
},
allowOrigin: origin,
},
],
},
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain",
"my-header": "myValue",
},
},
allowOrigin: origin,
allowHeaders: "my-header",
},
],
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain",
"my-header": "myValue",
},
},
allowOrigin: origin,
allowHeaders: "my-header",
},
allowOrigin: origin,
allowHeaders: "my-header",
},
],
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain",
"my-header": "myValue",
},
},
allowOrigin: origin,
allowHeaders: "my-header",
},
allowOrigin: origin,
allowHeaders: "my-header",
},
],
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain",
"my-header": "myValue",
},
},
allowOrigin: origin,
allowHeaders: "my-header",
},
allowOrigin: origin,
allowHeaders: "my-header",
},
],
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain",
"my-header": "myValue",
},
},
allowOrigin: origin,
noAllowPreflight: 1,
},
],
},
{ pass: 1,
method: "DELETE",
},
allowOrigin: origin,
allowMethods: "DELETE",
},
],
},
{ pass: 0,
method: "DELETE",
},
allowOrigin: origin,
allowMethods: "DELETE",
},
allowOrigin: origin,
allowMethods: "DELETE",
},
],
},
{ pass: 0,
method: "DELETE",
},
allowOrigin: origin,
allowMethods: "DELETE",
},
allowOrigin: origin,
allowMethods: "DELETE",
},
],
},
{ pass: 0,
method: "DELETE",
},
allowOrigin: origin,
allowMethods: "DELETE",
},
allowOrigin: origin,
allowMethods: "DELETE",
},
],
},
{ pass: 0,
method: "DELETE",
},
allowOrigin: origin,
allowMethods: "DELETE",
noAllowPreflight: 1,
},
],
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain",
"my-header": "myValue",
},
allowOrigin: origin,
},
allowOrigin: origin,
},
],
},
{ pass: 0,
method: "DELETE",
allowOrigin: origin,
},
allowOrigin: origin,
},
],
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain",
"my-header": "myValue",
},
},
allowOrigin: origin,
allowHeaders: "my-header",
},
],
},
{ pass: 1,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain" },
},
allowOrigin: origin,
},
],
},
{ pass: 0,
method: "POST",
body: "hi there",
headers: { "Content-Type": "text/plain",
"my-header": "myValue",
},
allowOrigin: origin,
allowHeaders: "my-header",
},
allowOrigin: origin,
allowHeaders: "my-header",
},
],
},
// test redirects with different credentials settings
{
// Initialize by setting a cookies for same- and cross- origins.
pass: 1,
method: "GET",
hops: [{ server: origin,
setCookie: escape("a=1"),
},
allowOrigin: origin,
allowCred: 1,
setCookie: escape("a=2"),
},
],
withCred: 1,
},
{ pass: 1,
method: "GET",
hops: [{ server: origin,
cookie: escape("a=1"),
},
{ server: origin,
cookie: escape("a=1"),
},
allowOrigin: origin,
noCookie: 1,
},
],
withCred: 0,
},
{ pass: 1,
method: "GET",
hops: [{ server: origin,
cookie: escape("a=1"),
},
{ server: origin,
cookie: escape("a=1"),
},
allowOrigin: origin,
allowCred: 1,
cookie: escape("a=2"),
},
],
withCred: 1,
},
// expected fail because allow-credentials CORS header is not set
{ pass: 0,
method: "GET",
hops: [{ server: origin,
cookie: escape("a=1"),
},
{ server: origin,
cookie: escape("a=1"),
},
allowOrigin: origin,
cookie: escape("a=2"),
},
],
withCred: 1,
},
{ pass: 1,
method: "GET",
hops: [{ server: origin,
cookie: escape("a=1"),
},
{ server: origin,
cookie: escape("a=1"),
},
allowOrigin: '*',
noCookie: 1,
},
],
withCred: 0,
},
{ pass: 0,
method: "GET",
hops: [{ server: origin,
cookie: escape("a=1"),
},
{ server: origin,
cookie: escape("a=1"),
},
allowOrigin: '*',
allowCred: 1,
cookie: escape("a=2"),
},
],
withCred: 1,
},
];
if (!runRedirectTests) {
tests = [];
}
for (test of tests) {
req = {
url: test.hops[0].server + basePath + "hop=1&hops=" +
escape(JSON.stringify(test.hops)),
method: test.method,
headers: test.headers,
body: test.body,
withCred: test.withCred,
};
if (test.pass) {
if (test.body)
req.url += "&body=" + escape(test.body);
}
loaderWindow.postMessage(JSON.stringify(req), origin);
res = JSON.parse(yield);
}
document.location.href += "#finished";
}
</script>
</pre>
</body>
</html>