| <!DOCTYPE html> |
| <title>CORS - Access-Control-Allow-Credentials</title> |
| <meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com"> |
| |
| <script src=/resources/testharness.js></script> |
| <script src=/resources/testharnessreport.js></script> |
| <script src=support.js?pipe=sub></script> |
| |
| <h1>CORS - Access-Control-Allow-Credentials</h1> |
| <div id=log></div> |
| <script> |
| |
| var url = CROSSDOMAIN + 'resources/cors-cookie.py?ident=' |
| |
| |
| /* |
| * widthCredentials |
| */ |
| // XXX Do some https tests here as well |
| |
| //sync XHR is not supported by cobalt |
| // test(function () { |
| // var client = new XMLHttpRequest() |
| // client.open('GET', CROSSDOMAIN, false) |
| // client.withCredentials = true; |
| // }, 'Setting withCredentials on a sync XHR object should not throw') |
| |
| async_test(function () { |
| var id = new Date().getTime() + '_1', |
| client = new XMLHttpRequest() |
| client.open("GET", url + id, true) |
| client.onload = this.step_func(function() { |
| assert_equals(client.response, "NO_COOKIE") |
| client.open("GET", url + id, true) |
| client.onload = this.step_func(function() { |
| assert_equals(client.response, "NO_COOKIE") |
| this.done() |
| }) |
| client.send(null) |
| }) |
| client.send(null) |
| |
| }, "Don't send cookie by default"); |
| |
| async_test(function () { |
| var id = new Date().getTime() + '_2', |
| client = new XMLHttpRequest() |
| |
| client.open("GET", url + id, true) |
| client.withCredentials = true |
| client.onload = this.step_func(function() { |
| assert_equals(client.response, "NO_COOKIE", "No cookie in initial request"); |
| |
| /* We have cookie, but the browser shouldn't send */ |
| client.open("GET", url + id, true) |
| client.withCredentials = false |
| client.onload = this.step_func(function() { |
| assert_equals(client.response, "NO_COOKIE", "No cookie after withCredentials=false sync request") |
| |
| /* Reads and deletes the cookie */ |
| client.open("GET", url + id, true) |
| client.withCredentials = true |
| client.onload = this.step_func(function() { |
| assert_equals(client.response, "COOKIE", "Cookie sent in withCredentials=true sync request") |
| this.done() |
| }) |
| client.send(null) |
| }) |
| client.send(null) |
| }) |
| client.send(null) |
| }, "Don't send cookie part 2"); |
| |
| async_test(function () { |
| var id = new Date().getTime() + '_3', |
| client = new XMLHttpRequest() |
| |
| /* Shouldn't set the response cookie */ |
| client.open("GET", url + id, true) |
| client.withCredentials = false |
| client.onload = this.step_func(function() { |
| assert_equals(client.response, "NO_COOKIE", "first"); |
| |
| /* Sets the cookie */ |
| client.open("GET", url + id, true) |
| client.withCredentials = true |
| client.onload = this.step_func(function() { |
| assert_equals(client.response, "NO_COOKIE", "second") |
| |
| /* Reads and deletes the cookie */ |
| client.open("GET", url + id, true) |
| client.withCredentials = true |
| client.onload = this.step_func(function() { |
| assert_equals(client.response, "COOKIE", "third") |
| this.done() |
| }) |
| client.send(null) |
| }) |
| client.send(null) |
| }) |
| client.send(null) |
| }, "Don't obey Set-Cookie when withCredentials=false"); |
| |
| function test_response_header(allow) { |
| var resp_test = async_test('Access-Control-Allow-Credentials: ' + allow + ' should be disallowed (async)') |
| resp_test.step(function() { |
| var client = new XMLHttpRequest() |
| client.open('GET', |
| CROSSDOMAIN + 'resources/cors-makeheader.py?credentials=' + allow, |
| true) |
| client.withCredentials = true; |
| client.onload = resp_test.step_func(function() { |
| assert_unreached("onload") |
| }) |
| client.onerror = resp_test.step_func(function () { |
| assert_equals(client.readyState, client.DONE, 'readyState') |
| resp_test.done() |
| }) |
| client.send() |
| }) |
| } |
| |
| test_response_header('TRUE') |
| test_response_header('True') |
| test_response_header('"true"') |
| test_response_header('false') |
| test_response_header('1') |
| test_response_header('0') |
| |
| </script> |