| <!doctype html> |
| <html> |
| <head> |
| <title>XMLHttpRequest: send() - "Basic" authenticated CORS request using setRequestHeader() but not setting withCredentials (expects to succeed)</title> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="/common/utils.js"></script> |
| <!-- These spec references do not make much sense simply because the spec doesn't say very much about this.. --> |
| <link rel="help" href="https://xhr.spec.whatwg.org/#the-setrequestheader()-method" data-tested-assertations="following::ol[1]/li[6]" /> |
| <link rel="help" href="https://xhr.spec.whatwg.org/#the-send()-method" data-tested-assertations="following::code[contains(@title,'http-authorization')]/.." /> |
| </head> |
| <body> |
| <div id="log"></div> |
| <script> |
| function doTest(desc, pathsuffix, conditionsFunc, errorFunc, endFunc) { |
| var test = async_test(desc) |
| test.step(function() { |
| var client = new XMLHttpRequest(), |
| urlstart = location.host + location.pathname.replace(/\/[^\/]*$/, '/'), |
| user = token() |
| client.open("GET", location.protocol + "//www1." + urlstart + "resources/" + pathsuffix, false) |
| client.setRequestHeader("x-user", user) |
| client.setRequestHeader("x-pass", 'pass') |
| client.setRequestHeader("Authorization", "Basic " + btoa(user + ":pass")) |
| client.onerror = test.step_func(errorFunc) |
| client.onreadystatechange = test.step_func(function () { |
| if(client.readyState < 4) {return} |
| conditionsFunc(client, test, user) |
| }) |
| if(endFunc) { |
| client.onloadend = test.step_func(endFunc) |
| } |
| client.send(null) |
| }) |
| } |
| |
| doTest("CORS request with setRequestHeader auth to URL accepting Authorization header", "auth7/corsenabled.py", function (client, test, user) { |
| assert_true(client.responseText == (user + "\npass"), "responseText should contain the right user and password") |
| assert_equals(client.status, 200) |
| assert_equals(client.getResponseHeader("x-challenge"), "DID-NOT") |
| test.done() |
| }, function(){ |
| assert_unreached("Cross-domain request is permitted and should not cause an error") |
| this.done() |
| }) |
| |
| var errorFired = false; |
| doTest("CORS request with setRequestHeader auth to URL NOT accepting Authorization header", "auth8/corsenabled-no-authorize.py", function (client, test, user) { |
| assert_equals(client.responseText, '') |
| assert_equals(client.status, 0) |
| }, function(e){ |
| errorFired = true |
| assert_equals(e.type, 'error', 'Error event fires when Authorize is a user-set header but not allowed by the CORS endpoint') |
| }, function() { |
| assert_true(errorFired, 'The error event should fire') |
| this.done() |
| }) |
| |
| </script> |
| </body> |
| </html> |