| <!DOCTYPE html> |
| <meta charset=utf-8> |
| <title>Access-Control-Allow-Origin handling</title> |
| <link rel=help href=https://fetch.spec.whatwg.org/> |
| <meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com"> |
| |
| <script src=/resources/testharness.js></script> |
| <script src=/resources/testharnessreport.js></script> |
| <script src=support.js?pipe=sub></script> |
| |
| <h1>Access-Control-Allow-Origin handling</h1> |
| |
| <div id=log></div> |
| |
| <script> |
| |
| /* |
| * Origin header |
| */ |
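/*
 * Positive case: cors-makeheader.py is told (through the `origin` query
 * parameter) which Access-Control-Allow-Origin value to send back, and the
 * cross-origin XHR must then succeed. Only an exact match of this document's
 * serialized origin (optionally padded with whitespace) or a bare "*" is
 * expected to get here.
 *
 * @param {string} origin  Raw value the helper should place in the
 *                         Access-Control-Allow-Origin response header.
 */
function shouldPass(origin) {
  async_test(function() {
    var client = new XMLHttpRequest()
    client.open('GET', CROSSDOMAIN
                + '/resources/cors-makeheader.py?origin='
                + encodeURIComponent(origin), true)
    client.onerror = this.step_func(function() {
      // A network error here means the CORS check rejected a header value
      // that must be accepted.
      assert_unreached("response error")
    })
    client.onload = this.step_func(function(e) {
      // `var` keeps the parsed body local; previously `r` leaked into the
      // global scope as an implicit global.
      var r = JSON.parse(client.response)
      var host = location.protocol + "//" + location.host
      // The JSON body presumably echoes the Origin request header the
      // server saw (see cors-makeheader.py). Checking it guards against a
      // "pass" that is really the browser not sending Origin at all.
      assert_equals(r['origin'], host, 'Request Origin: should be ' + host)
      this.done()
    })
    client.send()
  }, 'Allow origin: ' + origin.replace(/\t/g, "[tab]").replace(/ /g, '_'))
}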
| |
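// Header values that must grant access: the wildcard, and this document's
// exact serialized origin, each with surrounding whitespace variants.
shouldPass('*');
shouldPass(' * ');
// NOTE(review): this and the previous case look like they were once a
// space-padded and a tab-padded wildcard; confirm against upstream.
shouldPass(' *');
shouldPass(location.protocol + "//" + location.host);
shouldPass(" "+location.protocol + "//" + location.host);
shouldPass(" "+location.protocol + "//" + location.host + " ");
// Leading tab, written as an escape so a whitespace-normalising editor
// cannot flatten it to a space again; the test name renders it as "[tab]".
// The previous line was a byte-for-byte repeat of the leading-space case,
// which gives two tests the same name (testharness.js rejects that) and
// silently dropped the tab coverage.
shouldPass("\t"+location.protocol + "//" + location.host);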
| |
| |
/*
 * Negative case: the helper is asked to send `origin` as the
 * Access-Control-Allow-Origin value and the only acceptable outcome is a
 * network error, i.e. the response must not be exposed to this document.
 * NUL bytes in the value are shown as "\0" in the test name.
 *
 * @param {string} origin  Raw value the helper should place in the
 *                         Access-Control-Allow-Origin response header.
 */
function shouldFail(origin) {
  var label = 'Disallow origin: ' + origin.replace(/\0/g, "\\0")
  async_test(function () {
    var url = CROSSDOMAIN
              + '/resources/cors-makeheader.py?origin='
              + encodeURIComponent(origin)
    var xhr = new XMLHttpRequest()
    xhr.open('GET', url, true)
    // Rejection by the CORS check surfaces as an error event: that is the pass.
    xhr.onerror = this.step_func(function () {
      this.done()
    })
    // A load event means the value was accepted, which is the failure.
    xhr.onload = this.step_func(function () {
      assert_unreached("should not succeed")
    })
    xhr.send()
  }, label);
}
| |
// Header values that must NOT grant access. Access-Control-Allow-Origin is
// compared against the serialized request origin byte-for-byte: no scheme or
// host variations, no trailing path/query/fragment, no explicit default port,
// no lists, and no wildcard mixed with anything else.
(function () {
  var self = location.protocol + "//" + location.host
  var parentDomain = location.host.replace(/^[^\.]+\./, "")

  var rejected = [
    // other origins / malformed scheme-host combinations
    location.protocol + "//" + SUBDOMAIN + "." + location.host,
    "//" + location.host,
    "://" + location.host,
    "ftp://" + location.host,
    "http:://" + location.host,
    "http:/" + location.host,
    "http:" + location.host,
    location.host,
    // our origin with something appended
    self + "?",
    self + "/",
    self + " /",
    self + "#",
    self + "%23",
    self + ":80",
    self + ", *",
    // The NUL-byte variants (self + "\0", "\0*", "*\0", "\0" + self) are
    // disabled: Chromium's net/ HttpResponseHeaders uses \0 as its raw-header
    // delimiter, so Cobalt cannot observe the difference. Re-enable once
    // Cobalt XMLHttpRequest no longer depends on Chromium net/.
    // case differences
    self.toUpperCase(),
    location.protocol.toUpperCase() + "//" + location.host,
    // wildcard misuse
    "-",
    "**",
    "'*'",
    '"*"',
    "* *",
    "* null",
    "*" + location.protocol + "//" + "*",
    "*" + self,
    "* " + self,
    "*, " + self,
    "null " + self,
    // unrelated or degenerate values
    'http://example.net',
    'null',
    'null *',
    '',
    location.href,
    dirname(location.href),
    CROSSDOMAIN,
    // parent domain of this host, bare and with wildcard prefixes
    parentDomain,
    "." + parentDomain,
    "*." + parentDomain,
    // "http://" + parentDomain is disabled: on the Cobalt WPT server
    // stripping the first label does not change the origin of localhost.
    "http://." + parentDomain,
    "http://*." + parentDomain
  ]

  rejected.forEach(function (value) {
    shouldFail(value)
  })
})();
| |
/*
 * Two Access-Control-Allow-Origin headers in one response must never grant
 * access, even when each value on its own would. The helper emits `origin`
 * and `origin2` as separate header lines (query parameters `origin` and
 * `origin2`), and the request is expected to end in a network error.
 *
 * @param {string} origin   First Access-Control-Allow-Origin value.
 * @param {string} origin2  Second Access-Control-Allow-Origin value.
 */
function doubleOrigin(origin, origin2) {
  var label = 'Disallow multiple headers (' + origin + ', ' + origin2 + ')'
  async_test(function () {
    var url = CROSSDOMAIN
              + '/resources/cors-makeheader.py?origin='
              + encodeURIComponent(origin)
              + '&origin2=' + encodeURIComponent(origin2)
    var xhr = new XMLHttpRequest()
    xhr.open('GET', url, true)
    // Error event: the duplicated header was rejected, which is the pass.
    xhr.onerror = this.step_func(function () {
      this.done()
    })
    // Load event: the response leaked across origins.
    xhr.onload = this.step_func(function () {
      assert_unreached("should not succeed")
    })
    xhr.send()
  }, label);
}
| |
// Pairs of Access-Control-Allow-Origin values sent as two header lines; every
// combination must be rejected, including two copies of a value that would
// pass on its own.
(function () {
  var self = location.protocol + "//" + location.host
  var pairs = [
    ['', '*'],
    ['*', ''],
    ['*', '*'],
    ['', self],
    ['*', self],
    [self, self]
  ]
  pairs.forEach(function (pair) {
    doubleOrigin(pair[0], pair[1])
  })
})();
| |
| </script> |