1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
|
<!DOCTYPE html>
<title>CORS - Access-Control-Allow-Credentials</title>
<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src=support.js?pipe=sub></script>
<h1>CORS - Access-Control-Allow-Credentials</h1>
<div id=log></div>
<script>
var url = CROSSDOMAIN + 'resources/cors-cookie.py?ident='
/*
* widthCredentials
*/
// XXX Do some https tests here as well
test(function () {
var client = new XMLHttpRequest()
client.open('GET', CROSSDOMAIN, false)
client.withCredentials = true;
}, 'Setting withCredentials on a sync XHR object should not throw')
async_test(function () {
var id = new Date().getTime() + '_1',
client = new XMLHttpRequest()
client.open("GET", url + id, true)
client.onload = this.step_func(function() {
assert_equals(client.response, "NO_COOKIE")
client.open("GET", url + id, true)
client.onload = this.step_func(function() {
assert_equals(client.response, "NO_COOKIE")
this.done()
})
client.send(null)
})
client.send(null)
}, "Don't send cookie by default");
async_test(function () {
var id = new Date().getTime() + '_2',
client = new XMLHttpRequest()
client.open("GET", url + id, true)
client.withCredentials = true
client.onload = this.step_func(function() {
assert_equals(client.response, "NO_COOKIE", "No cookie in initial request");
/* We have cookie, but the browser shouldn't send */
client.open("GET", url + id, true)
client.withCredentials = false
client.onload = this.step_func(function() {
assert_equals(client.response, "NO_COOKIE", "No cookie after withCredentials=false sync request")
/* Reads and deletes the cookie */
client.open("GET", url + id, true)
client.withCredentials = true
client.onload = this.step_func(function() {
assert_equals(client.response, "COOKIE", "Cookie sent in withCredentials=true sync request")
this.done()
})
client.send(null)
})
client.send(null)
})
client.send(null)
}, "Don't send cookie part 2");
async_test(function () {
var id = new Date().getTime() + '_3',
client = new XMLHttpRequest()
/* Shouldn't set the response cookie */
client.open("GET", url + id, true)
client.withCredentials = false
client.onload = this.step_func(function() {
assert_equals(client.response, "NO_COOKIE", "first");
/* Sets the cookie */
client.open("GET", url + id, true)
client.withCredentials = true
client.onload = this.step_func(function() {
assert_equals(client.response, "NO_COOKIE", "second")
/* Reads and deletes the cookie */
client.open("GET", url + id, true)
client.withCredentials = true
client.onload = this.step_func(function() {
assert_equals(client.response, "COOKIE", "third")
this.done()
})
client.send(null)
})
client.send(null)
})
client.send(null)
}, "Don't obey Set-Cookie when withCredentials=false");
function test_response_header(allow) {
var resp_test = async_test('Access-Control-Allow-Credentials: ' + allow + ' should be disallowed (async)')
resp_test.step(function() {
var client = new XMLHttpRequest()
client.open('GET',
CROSSDOMAIN + 'resources/cors-makeheader.py?credentials=' + allow,
true)
client.withCredentials = true;
client.onload = resp_test.step_func(function() {
assert_unreached("onload")
})
client.onerror = resp_test.step_func(function () {
assert_equals(client.readyState, client.DONE, 'readyState')
resp_test.done()
})
client.send()
})
}
test_response_header('TRUE')
test_response_header('True')
test_response_header('"true"')
test_response_header("'true'");
test_response_header('false')
test_response_header('1')
test_response_header('0')
test_response_header(',true');
test_response_header('true,');
test_response_header('true%0B');
test_response_header('true%0C');
</script>
|
