<!DOCTYPE html>
<meta charset=utf-8>
<title>Access-Control-Allow-Origin handling</title>
<link rel=help href=https://fetch.spec.whatwg.org/>
<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src=support.js?pipe=sub></script>
<h1>Access-Control-Allow-Origin handling</h1>
<div id=log></div>
<script>
/*
* Origin header
*/
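/**
 * Registers an async test expecting a cross-origin GET to succeed for the
 * given Access-Control-Allow-Origin candidate.
 *
 * The candidate is sent to /resources/cors-makeheader.py on CROSSDOMAIN as the
 * `origin` query parameter; that script is not part of this file and is
 * presumably what turns the parameter into the response header.
 *
 * On load, the JSON body's `origin` field must equal this page's origin
 * (location.protocol + "//" + location.host). Any XHR error fails the test.
 *
 * @param {string} origin Header value under test; also used, with tabs and
 *     spaces made visible, in the test title.
 */
function shouldPass(origin) {
    async_test(function() {
        var client = new XMLHttpRequest();
        client.open('GET', CROSSDOMAIN
                + '/resources/cors-makeheader.py?origin='
                + encodeURIComponent(origin), true);
        client.onerror = this.step_func(function() {
            assert_unreached("response error");
        });
        client.onload = this.step_func(function() {
            // Declared locally: assigning to an undeclared `r` leaked a global
            // shared by every test on the page (and throws in strict mode).
            var r = JSON.parse(client.response);
            var host = location.protocol + "//" + location.host;
            assert_equals(r['origin'], host, 'Request Origin: should be ' + host);
            this.done();
        });
        client.send();
    // Tabs and spaces are replaced so whitespace-only differences stay
    // visible in the reported test name.
    }, 'Allow origin: ' + origin.replace(/\t/g, "[tab]").replace(/ /g, '_'));
}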
// Values that must be accepted: the wildcard, or this page's own origin,
// each optionally padded with whitespace.
(function () {
    var pageOrigin = location.protocol + "//" + location.host;
    var accepted = [
        '*',
        ' * ',
        ' *',
        pageOrigin,
        " " + pageOrigin,
        " " + pageOrigin + " ",
        // NOTE(review): identical to the entry two lines up, so the same test
        // name is registered twice. shouldPass() maps tabs to "[tab]" in its
        // title, so a tab-padded variant may have been intended here (and for
        // ' *' above) -- confirm against the upstream test before changing.
        " " + pageOrigin
    ];
    for (var i = 0; i < accepted.length; i++) {
        shouldPass(accepted[i]);
    }
})();
/**
 * Registers an async test expecting a cross-origin GET to be blocked for the
 * given Access-Control-Allow-Origin candidate.
 *
 * The candidate is sent to /resources/cors-makeheader.py on CROSSDOMAIN as the
 * `origin` query parameter. The test completes when the XHR reports an error
 * and fails if the load succeeds, i.e. if the value was treated as a match.
 *
 * @param {string} origin Header value under test; NUL characters are shown as
 *     the two characters "\0" in the test title.
 */
function shouldFail(origin) {
    var title = 'Disallow origin: ' + origin.replace(/\0/g, "\\0");

    async_test(function () {
        var test = this;
        var xhr = new XMLHttpRequest();
        var target = CROSSDOMAIN
            + '/resources/cors-makeheader.py?origin='
            + encodeURIComponent(origin);

        xhr.open('GET', target, true);
        // A successful load means the browser accepted a value it must reject.
        xhr.onload = test.step_func(function () {
            assert_unreached("should not succeed");
        });
        // The error event is the expected outcome.
        xhr.onerror = test.step_func(function () {
            test.done();
        });
        xhr.send();
    }, title);
}
// Values that must NOT be treated as matching this page's origin. Each entry
// is a near miss: another host or scheme, extra URL parts after the origin,
// different letter case, list-like or quoted wildcards, and parent-domain or
// wildcard-subdomain patterns. A server-side allow-list that emits any of
// these forms gets a blocked request, not a relaxed match.
(function () {
    var pageOrigin = location.protocol + "//" + location.host;
    // location.host with its first dot-separated label removed.
    var parentHost = location.host.replace(/^[^\.]+\./, "");

    var rejected = [
        // Different host, or a missing / malformed scheme.
        location.protocol + "//" + SUBDOMAIN + "." + location.host,
        "//" + location.host,
        "://" + location.host,
        "ftp://" + location.host,
        "http:://" + location.host,
        "http:/" + location.host,
        "http:" + location.host,
        location.host,

        // Own origin followed by anything extra.
        pageOrigin + "?",
        pageOrigin + "/",
        pageOrigin + " /",
        pageOrigin + "#",
        pageOrigin + "%23",
        pageOrigin + ":80",
        pageOrigin + ", *",

        // The four disabled "\0" entries in this list assume that a NUL
        // character in the header value changes the origin. The HTTP
        // response-header parser in net/ uses \0 as the delimiter when
        // parsing raw response headers, so the difference cannot be observed.
        // TODO: Try enabling these tests when Cobalt XMLHttpRequest
        // does not depend on Chromium::net.
        // pageOrigin + "\0",

        // Upper-cased origin or scheme.
        pageOrigin.toUpperCase(),
        location.protocol.toUpperCase() + "//" + location.host,

        // Malformed wildcards.
        "-",
        "**",
        // "\0*",
        // "*\0",
        "'*'",
        '"*"',
        "* *",
        "* null",
        "*" + location.protocol + "//" + "*",
        "*" + pageOrigin,
        "* " + pageOrigin,
        "*, " + pageOrigin,
        // "\0" + pageOrigin,
        "null " + pageOrigin,

        // Unrelated origin, "null", empty value, full URLs.
        'http://example.net',
        'null',
        'null *',
        '',
        location.href,
        dirname(location.href),
        CROSSDOMAIN,

        // Parent domain and wildcard-subdomain patterns.
        parentHost,
        "." + parentHost,
        "*." + parentHost,
        // The following operation does not change the origin of local host
        // in Cobalt WPT server's case.
        // "http://" + parentHost,
        "http://." + parentHost,
        "http://*." + parentHost
    ];

    for (var i = 0; i < rejected.length; i++) {
        shouldFail(rejected[i]);
    }
})();
/**
 * Registers an async test expecting a cross-origin GET to be blocked when two
 * Access-Control-Allow-Origin candidates are supplied at once.
 *
 * Both values go to /resources/cors-makeheader.py on CROSSDOMAIN, as the
 * `origin` and `origin2` query parameters (the script is not part of this
 * file; per the test title it presumably sends them as multiple headers).
 * The test completes on the XHR error event and fails if the load succeeds.
 *
 * @param {string} origin  First header value.
 * @param {string} origin2 Second header value.
 */
function doubleOrigin(origin, origin2) {
    var title = 'Disallow multiple headers (' + origin + ', ' + origin2 + ')';

    async_test(function () {
        var test = this;
        var xhr = new XMLHttpRequest();
        var target = CROSSDOMAIN
            + '/resources/cors-makeheader.py?origin='
            + encodeURIComponent(origin)
            + '&origin2=' + encodeURIComponent(origin2);

        xhr.open('GET', target, true);
        // Even two individually acceptable values must not be accepted together.
        xhr.onload = test.step_func(function () {
            assert_unreached("should not succeed");
        });
        xhr.onerror = test.step_func(function () {
            test.done();
        });
        xhr.send();
    }, title);
}
// Pairs of values that must be rejected when sent together, including pairs
// where each value on its own would be acceptable (wildcard and/or this
// page's origin). A second header added by a proxy or framework therefore
// breaks the request rather than widening access.
(function () {
    var pageOrigin = location.protocol + "//" + location.host;
    var pairs = [
        ['', '*'],
        ['*', ''],
        ['*', '*'],
        ['', pageOrigin],
        ['*', pageOrigin],
        [pageOrigin, pageOrigin]
    ];
    for (var i = 0; i < pairs.length; i++) {
        doubleOrigin(pairs[i][0], pairs[i][1]);
    }
})();
</script>