| <!doctype html> |
| <html> |
| <head> |
| <title>XMLHttpRequest: send() - "Basic" authenticated requests with competing user name/password options</title> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="/common/utils.js"></script> |
| <link rel="help" href="https://xhr.spec.whatwg.org/#the-open()-method" data-tested-assertations="following::ol[1]/li[9]/ol[1]/li[1] following::ol[1]/li[9]/ol[1]/li[2]" /> |
| <link rel="help" href="https://xhr.spec.whatwg.org/#the-send()-method" data-tested-assertations="following::code[contains(@title,'http-authorization')]/.." /> </head> |
| <body> |
| <div id="log"></div> |
| <script> |
| function request(user1, pass1, user2, pass2, name) { |
| // user1, pass1 will if given become userinfo part of URL |
| // user2, pass2 will if given be passed to open() call |
| test(function() { |
| var client = new XMLHttpRequest(), |
| urlstart = "", userwin, passwin |
| // if user2 is set, winning user name and password is 2 |
| if(user2) |
| userwin = user2, passwin = pass2 |
| // if user1 is set, and user2 is not set, user1 and pass1 win |
| if(user1 && ! user2) |
| userwin = user1, passwin = pass1 |
| // if neither user name is set, pass 2 wins (there will be no userinfo in URL) |
| if (!(user1 || user2)) |
| passwin = pass2 |
| if(user1) { // should add userinfo to URL (there is no way to create userinfo part of URL with only password in) |
| urlstart = "http://" + user1 |
| if(pass1) |
| urlstart += ":" + pass1 |
| urlstart += "@" + location.host + location.pathname.replace(/\/[^\/]*$/, '/') |
| } |
| client.open("GET", urlstart + "resources/authentication.py", false, user2, pass2) |
| client.setRequestHeader("x-user", userwin) |
| client.send(null) |
| assert_true(client.responseText == ((userwin||'') + "\n" + (passwin||'')), 'responseText should contain the right user and password') |
| |
| // We want to send multiple requests to the same realm here, so we try to make the UA forget its (cached) credentials between each test.. |
| // forcing a 401 response to (hopefully) "log out" |
| // NOTE: This is commented out because it causes authentication prompts while running the test |
| //client.open('GET', "resources/authentication.py?logout=1", false) |
| //client.send() |
| }, document.title+' '+name) |
| } |
| request(null, null, token(), token(), 'user/pass in open() call') |
| request(null, null, token(), token(), 'another user/pass in open() call - must override cached credentials from previous test') |
| request("userinfo-user", "userinfo-pass", token(), token(), 'user/pass both in URL userinfo AND open() call - expexted that open() wins') |
| request(token(), token(), null, null, 'user/pass *only* in URL userinfo') |
| request(token(), null, null, token(), 'user name in URL userinfo, password in open() call: user name wins and password is thrown away') |
| request("1", token(), token(), null, 'user name and password in URL userinfo, only user name in open() call: user name in open() wins') |
| </script> |
| </body> |
| </html> |