src/third_party/web_platform_tests/cors/allow-headers.htm - cobalt - Git at Google

 <!DOCTYPE html>
 <meta charset=utf-8>
 <title>Access-Control-Allow-Headers handling</title>
 <script src=/resources/testharness.js></script>
 <script src=/resources/testharnessreport.js></script>
 <script src=support.js?pipe=sub></script>

 <h1>Access-Control-Allow-Headers handling</h1>

 <div id=log></div>

 <script>

 /*
  * Origin header
  */
 function shouldPass(origin) {
     async_test(function () {
         var client = new XMLHttpRequest()
         client.open('GET', CROSSDOMAIN
                             + '/resources/cors-makeheader.py?origin='
                             + encodeURIComponent(origin),
                     true)
         client.onload = this.step_func(function(e){
             r = JSON.parse(client.response)
             var host = location.protocol + "//" + location.host
             assert_equals(r['origin'], host, 'Request Origin: should be ' + host)
             this.done()
         })
         client.onerror = this.step_func(function(e){
             assert_unreached("should succeed")
         })
         client.send()
     }, 'Allow origin: ' + origin.replace(/\t/g, "[tab]").replace(/ /g, '_'));
 }

 shouldPass('*');
 shouldPass(' *  ');
 shouldPass('	*');
 shouldPass(location.protocol + "//" + location.host);
 shouldPass(" "+location.protocol + "//" + location.host);
 shouldPass(" "+location.protocol + "//" + location.host + "   	 ");
 shouldPass("	"+location.protocol + "//" + location.host);


 function shouldFail(origin) {
     async_test(function () {
         var client = new XMLHttpRequest()
         client.open('GET', CROSSDOMAIN
                             + '/resources/cors-makeheader.py?origin='
                             + encodeURIComponent(origin),
                     true)
         client.onerror = this.step_func(function(e){
             this.done()
         })
         client.onload = this.step_func(function(e){
             assert_unreached("should not succeed")
         })
         client.send()
     }, 'Disallow origin: ' + origin.replace('\0', '\\0'));
 }

 shouldFail(location.protocol + "//" + SUBDOMAIN + "." + location.host)
 shouldFail("//" + location.host)
 shouldFail("://" + location.host)
 shouldFail("ftp://" + location.host)
 shouldFail("http:://" + location.host)
 shouldFail("http:/" + location.host)
 shouldFail("http:" + location.host)
 shouldFail(location.host)
 shouldFail(location.protocol + "//" + location.host + "?")
 shouldFail(location.protocol + "//" + location.host + "/")
 shouldFail(location.protocol + "//" + location.host + " /")
 shouldFail(location.protocol + "//" + location.host + "#")
 shouldFail(location.protocol + "//" + location.host + "%23")
 shouldFail(location.protocol + "//" + location.host + ":80")
 shouldFail(location.protocol + "//" + location.host + ", *")
     // The following four disabled tests assume appending null
     // pointers make difference to the origin. But the HTTPResponse-
     // -Header in net/ uses \0 as the delimiter to parse raw response
     // headers so we can not tell the difference.
     // TODO: Try enable these tests when Cobalt XMLHttpRequest
     // does not depend on Chromium::net.
 // shouldFail(location.protocol + "//" + location.host + "\0")
 shouldFail((location.protocol + "//" + location.host).toUpperCase())
 shouldFail(location.protocol.toUpperCase() + "//" + location.host)
 shouldFail("-")
 shouldFail("**")
 // shouldFail("\0*")
 // shouldFail("*\0")
 shouldFail("'*'")
 shouldFail('"*"')
 shouldFail("* *")
 shouldFail("*" + location.protocol + "//" + "*")
 shouldFail("*" + location.protocol + "//" + location.host)
 shouldFail("* " + location.protocol + "//" + location.host)
 shouldFail("*, " + location.protocol + "//" + location.host)
 // shouldFail("\0" + location.protocol + "//" + location.host)
 shouldFail("null " + location.protocol + "//" + location.host)
 shouldFail('http://example.net')
 shouldFail('null')
 shouldFail('')
 shouldFail(location.href)
 shouldFail(dirname(location.href))
 shouldFail(CROSSDOMAIN)

 </script>
	<!DOCTYPE html>
	<meta charset=utf-8>
	<title>Access-Control-Allow-Headers handling</title>
	<script src=/resources/testharness.js></script>
	<script src=/resources/testharnessreport.js></script>
	<script src=support.js?pipe=sub></script>

	<h1>Access-Control-Allow-Headers handling</h1>

	<div id=log></div>

	<script>

	/*
	* Origin header
	*/
	function shouldPass(origin) {
	async_test(function () {
	var client = new XMLHttpRequest()
	client.open('GET', CROSSDOMAIN
	+ '/resources/cors-makeheader.py?origin='
	+ encodeURIComponent(origin),
	true)
	client.onload = this.step_func(function(e){
	r = JSON.parse(client.response)
	var host = location.protocol + "//" + location.host
	assert_equals(r['origin'], host, 'Request Origin: should be ' + host)
	this.done()
	})
	client.onerror = this.step_func(function(e){
	assert_unreached("should succeed")
	})
	client.send()
	}, 'Allow origin: ' + origin.replace(/\t/g, "[tab]").replace(/ /g, '_'));
	}

	shouldPass('*');
	shouldPass(' * ');
	shouldPass(' *');
	shouldPass(location.protocol + "//" + location.host);
	shouldPass(" "+location.protocol + "//" + location.host);
	shouldPass(" "+location.protocol + "//" + location.host + " ");
	shouldPass(" "+location.protocol + "//" + location.host);


	function shouldFail(origin) {
	async_test(function () {
	var client = new XMLHttpRequest()
	client.open('GET', CROSSDOMAIN
	+ '/resources/cors-makeheader.py?origin='
	+ encodeURIComponent(origin),
	true)
	client.onerror = this.step_func(function(e){
	this.done()
	})
	client.onload = this.step_func(function(e){
	assert_unreached("should not succeed")
	})
	client.send()
	}, 'Disallow origin: ' + origin.replace('\0', '\\0'));
	}

	shouldFail(location.protocol + "//" + SUBDOMAIN + "." + location.host)
	shouldFail("//" + location.host)
	shouldFail("://" + location.host)
	shouldFail("ftp://" + location.host)
	shouldFail("http:://" + location.host)
	shouldFail("http:/" + location.host)
	shouldFail("http:" + location.host)
	shouldFail(location.host)
	shouldFail(location.protocol + "//" + location.host + "?")
	shouldFail(location.protocol + "//" + location.host + "/")
	shouldFail(location.protocol + "//" + location.host + " /")
	shouldFail(location.protocol + "//" + location.host + "#")
	shouldFail(location.protocol + "//" + location.host + "%23")
	shouldFail(location.protocol + "//" + location.host + ":80")
	shouldFail(location.protocol + "//" + location.host + ", *")
	// The following four disabled tests assume appending null
	// pointers make difference to the origin. But the HTTPResponse-
	// -Header in net/ uses \0 as the delimiter to parse raw response
	// headers so we can not tell the difference.
	// TODO: Try enable these tests when Cobalt XMLHttpRequest
	// does not depend on Chromium::net.
	// shouldFail(location.protocol + "//" + location.host + "\0")
	shouldFail((location.protocol + "//" + location.host).toUpperCase())
	shouldFail(location.protocol.toUpperCase() + "//" + location.host)
	shouldFail("-")
	shouldFail("**")
	// shouldFail("\0*")
	// shouldFail("*\0")
	shouldFail("'*'")
	shouldFail('"*"')
	shouldFail("* *")
	shouldFail("" + location.protocol + "//" + "")
	shouldFail("*" + location.protocol + "//" + location.host)
	shouldFail("* " + location.protocol + "//" + location.host)
	shouldFail("*, " + location.protocol + "//" + location.host)
	// shouldFail("\0" + location.protocol + "//" + location.host)
	shouldFail("null " + location.protocol + "//" + location.host)
	shouldFail('http://example.net')
	shouldFail('null')
	shouldFail('')
	shouldFail(location.href)
	shouldFail(dirname(location.href))
	shouldFail(CROSSDOMAIN)

	</script>