| <!DOCTYPE html> |
| <meta charset=utf-8> |
| <title>Access-Control-Allow-Headers handling</title> |
| <script src=/resources/testharness.js></script> |
| <script src=/resources/testharnessreport.js></script> |
| <script src=support.js?pipe=sub></script> |
| |
| <h1>Access-Control-Allow-Headers handling</h1> |
| |
| <div id=log></div> |
| |
| <script> |
| |
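/*
 * Allowed-origin values. Each test passes a candidate value to
 * cors-makeheader.py in the `origin` query parameter and checks whether the
 * cross-origin XHR is then allowed (shouldPass) or blocked (shouldFail).
 * cors-makeheader.py is not shown here; presumably it returns the value as
 * the Access-Control-Allow-Origin response header.
 * NOTE(review): the page title and <h1> say Access-Control-Allow-Headers,
 * while every test below varies the origin value; confirm which is intended.
 */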
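/**
 * Registers an async test that expects a cross-origin GET to succeed when the
 * server is asked to answer with `origin` as the allowed-origin value.
 *
 * The request goes to CROSSDOMAIN + '/resources/cors-makeheader.py' with the
 * value URL-encoded in the `origin` query parameter. On load, the JSON body is
 * parsed and its `origin` field (presumably the Origin request header the
 * server saw; the script is not shown here) must equal this page's
 * scheme + "//" + host. Any XHR error fails the test.
 *
 * @param {string} origin Candidate allowed-origin value to send to the server.
 */
function shouldPass(origin) {
    async_test(function () {
        var client = new XMLHttpRequest()
        client.open('GET', CROSSDOMAIN
                            + '/resources/cors-makeheader.py?origin='
                            + encodeURIComponent(origin),
                    true)
        client.onload = this.step_func(function(e){
            // Declared locally: assigning to an undeclared `r` leaked a global
            // shared by every concurrently running test, and throws a
            // ReferenceError in strict-mode code.
            var r = JSON.parse(client.response)
            var host = location.protocol + "//" + location.host
            assert_equals(r['origin'], host, 'Request Origin: should be ' + host)
            this.done()
        })
        client.onerror = this.step_func(function(e){
            assert_unreached("should succeed")
        })
        client.send()
    // Tabs and spaces are made visible so whitespace-only variants get
    // readable test names.
    }, 'Allow origin: ' + origin.replace(/\t/g, "[tab]").replace(/ /g, '_'));
}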
| |
// Values the client is expected to accept: the wildcard and this page's own
// origin, each with optional surrounding whitespace.
(function () {
    var pageOrigin = location.protocol + "//" + location.host;

    // Wildcard, bare and padded.
    shouldPass('*');
    shouldPass(' * ');
    shouldPass(' *');

    // Exact origin of this page, bare and padded.
    shouldPass(pageOrigin);
    shouldPass(" " + pageOrigin);
    shouldPass(" " + pageOrigin + " ");
    // NOTE(review): this call repeats an earlier one verbatim, so two tests
    // get the same name. shouldPass rewrites tabs as "[tab]" in test names,
    // which suggests a tab-prefixed variant may have been intended here;
    // confirm against the upstream test.
    shouldPass(" " + pageOrigin);
})();
| |
| |
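/**
 * Registers an async test that expects a cross-origin GET to be blocked when
 * the server is asked to answer with `origin` as the allowed-origin value.
 *
 * The request goes to CROSSDOMAIN + '/resources/cors-makeheader.py' with the
 * value URL-encoded in the `origin` query parameter. The test passes as soon
 * as the XHR reports an error and fails if the response loads.
 *
 * Caveat: the pass condition is any `onerror`, so an unreachable CROSSDOMAIN
 * host would also make these tests pass. They are only meaningful when the
 * matching shouldPass tests succeed in the same run.
 *
 * @param {string} origin Candidate allowed-origin value to send to the server.
 */
function shouldFail(origin) {
    async_test(function () {
        var client = new XMLHttpRequest()
        client.open('GET', CROSSDOMAIN
                            + '/resources/cors-makeheader.py?origin='
                            + encodeURIComponent(origin),
                    true)
        client.onerror = this.step_func(function(e){
            this.done()
        })
        client.onload = this.step_func(function(e){
            assert_unreached("should not succeed")
        })
        client.send()
    // Escape every NUL, not just the first (a string pattern replaces only one
    // occurrence), so raw NUL bytes never end up in a test name. This matches
    // the global replacements shouldPass uses for its names.
    }, 'Disallow origin: ' + origin.replace(/\0/g, '\\0'));
}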
| |
// Values the client is expected to reject: anything that is neither the bare
// wildcard nor an exact match for this page's origin.
(function () {
    var scheme = location.protocol;
    var host = location.host;
    var pageOrigin = scheme + "//" + host;

    // A sibling subdomain is a different origin.
    shouldFail(scheme + "//" + SUBDOMAIN + "." + host)

    // Missing, wrong or malformed scheme.
    shouldFail("//" + host)
    shouldFail("://" + host)
    shouldFail("ftp://" + host)
    shouldFail("http:://" + host)
    shouldFail("http:/" + host)
    shouldFail("http:" + host)
    shouldFail(host)

    // Extra characters after the origin: query, path, fragment, port, list.
    shouldFail(pageOrigin + "?")
    shouldFail(pageOrigin + "/")
    shouldFail(pageOrigin + " /")
    shouldFail(pageOrigin + "#")
    shouldFail(pageOrigin + "%23")
    shouldFail(pageOrigin + ":80")
    shouldFail(pageOrigin + ", *")

    // The four disabled tests in this block (commented out) assume that a
    // NUL byte added to the value makes a difference to the origin. The
    // HTTPResponseHeader code in net/ uses \0 as the delimiter when parsing
    // raw response headers, so the difference cannot be observed.
    // TODO: Try enabling these tests when Cobalt XMLHttpRequest
    // does not depend on Chromium::net.
    // shouldFail(pageOrigin + "\0")

    // Upper-cased origin or scheme is expected to be rejected.
    shouldFail(pageOrigin.toUpperCase())
    shouldFail(scheme.toUpperCase() + "//" + host)

    // Wildcard look-alikes and wildcard combined with other text.
    shouldFail("-")
    shouldFail("**")
    // shouldFail("\0*")
    // shouldFail("*\0")
    shouldFail("'*'")
    shouldFail('"*"')
    shouldFail("* *")
    shouldFail("*" + scheme + "//" + "*")
    shouldFail("*" + pageOrigin)
    shouldFail("* " + pageOrigin)
    shouldFail("*, " + pageOrigin)
    // shouldFail("\0" + pageOrigin)

    // "null", unrelated origins, the empty value and full URLs.
    shouldFail("null " + pageOrigin)
    shouldFail('http://example.net')
    shouldFail('null')
    shouldFail('')
    shouldFail(location.href)
    shouldFail(dirname(location.href))
    shouldFail(CROSSDOMAIN)
})();
| |
| </script> |