Merge pull request #112 from Velmont/opera_cors_tests

cors: Add the Opera CORS tests

cors/MANIFEST

@@ -0,0 +1,16 @@
+allow-headers.htm
+basic.htm
+credentials-flag.htm
+origin.htm
+preflight-cache.htm
+redirect-origin.htm
+redirect-preflight-2.htm
+redirect-preflight.htm
+redirect-userinfo.htm
+remote-origin.htm
+request-headers.htm
+response-headers.htm
+simple-requests.htm
+status-async.htm
+status-preflight.htm
+status.htm

cors/allow-headers.htm

@@ -0,0 +1,89 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Access-Control-Allow-Headers handling</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Access-Control-Allow-Headers handling</h1>
+
+<div id=log></div>
+
+<script>
+
+/*
+ * Origin header
+ */
+function shouldPass(origin) {
+    test(function () {
+        var client = new XMLHttpRequest()
+        client.open('GET', CROSSDOMAIN
+                            + '/resources/cors-makeheader.php?origin='
+                            + encodeURIComponent(origin),
+                    false)
+        client.send()
+        r = JSON.parse(client.response)
+        var host = location.protocol + "//" + location.host
+        assert_equals(r['origin'], host, 'Request Origin: should be ' + host)
+    }, 'Allow origin: ' + origin.replace(/\t/g, "[tab]").replace(/ /g, '_'));
+}
+
+shouldPass('*');
+shouldPass(' *  ');
+shouldPass('	*');
+shouldPass(location.protocol + "//" + location.host);
+shouldPass(" "+location.protocol + "//" + location.host);
+shouldPass(" "+location.protocol + "//" + location.host + "   	 ");
+shouldPass("	"+location.protocol + "//" + location.host);
+
+
+function shouldFail(origin) {
+    test(function () {
+        var client = new XMLHttpRequest()
+        client.open('GET', CROSSDOMAIN
+                            + '/resources/cors-makeheader.php?origin='
+                            + encodeURIComponent(origin),
+                    false)
+        assert_throws(null, function() { client.send() }, 'send')
+    }, 'Disallow origin: ' + origin);
+}
+
+shouldFail(location.protocol + "//" + SUBDOMAIN + "." + location.host)
+shouldFail("//" + location.host)
+shouldFail("://" + location.host)
+shouldFail("ftp://" + location.host)
+shouldFail("http:://" + location.host)
+shouldFail("http:/" + location.host)
+shouldFail("http:" + location.host)
+shouldFail(location.host)
+shouldFail(location.protocol + "//" + location.host + "?")
+shouldFail(location.protocol + "//" + location.host + "/")
+shouldFail(location.protocol + "//" + location.host + " /")
+shouldFail(location.protocol + "//" + location.host + "#")
+shouldFail(location.protocol + "//" + location.host + "%23")
+shouldFail(location.protocol + "//" + location.host + ":80")
+shouldFail(location.protocol + "//" + location.host + ", *")
+shouldFail(location.protocol + "//" + location.host + "\0")
+shouldFail((location.protocol + "//" + location.host).toUpperCase())
+shouldFail(location.protocol.toUpperCase() + "//" + location.host)
+shouldFail("-")
+shouldFail("**")
+shouldFail("\0*")
+shouldFail("*\0")
+shouldFail("'*'")
+shouldFail('"*"')
+shouldFail("* *")
+shouldFail("*" + location.protocol + "//" + "*")
+shouldFail("*" + location.protocol + "//" + location.host)
+shouldFail("* " + location.protocol + "//" + location.host)
+shouldFail("*, " + location.protocol + "//" + location.host)
+shouldFail("\0" + location.protocol + "//" + location.host)
+shouldFail("null " + location.protocol + "//" + location.host)
+shouldFail('http://example.net')
+shouldFail('null')
+shouldFail('')
+shouldFail(location.href)
+shouldFail(dirname(location.href))
+shouldFail(CROSSDOMAIN)
+
+</script>

cors/basic.htm

@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Basic CORS</title>
+<meta name=help href=http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#simple-cross-origin-request-0>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+<div id=log></div>
+
+<script>
+
+var counter = 0;
+
+function cors(desc, url) {
+    async_test(desc).step(function() {
+        var client = new XMLHttpRequest();
+        this.count = counter++;
+
+        client.open("GET", url + "resources/cors-makeheader.php?get_value=hest_er_best&origin=none&" + this.count);
+
+        client.onreadystatechange = this.step_func(function(e) {
+            // First request, test that it fails with no origin
+            if (client.readyState < 4) return;
+            if (!url)
+                assert_true(client.response.indexOf("hest_er_best") != -1, "Got response");
+            else
+                assert_false(!!client.response, "Got CORS-disallowed response");
+
+            client = new XMLHttpRequest();
+            client.open("GET", url + "resources/cors-makeheader.php?get_value=hest_er_best&" + this.count);
+            client.onreadystatechange = this.step_func(function(e) {
+                // Second request, test that it passes with the allowed-origin
+                if (client.readyState < 4) return;
+                assert_true(client.response.indexOf("hest_er_best") != -1, "Got CORS-allowed response");
+                this.done();
+            });
+            client.send();
+        });
+        client.send();
+    });
+}
+
+cors("Same domain basic usage", "");
+cors("Cross domain basic usage", CROSSDOMAIN);
+cors("Same domain different port",
+        "http://" + location.hostname + ":" + PORT + dirname(location.pathname));
+
+cors("Cross domain different port",
+        "http://" + SUBDOMAIN + "." + location.hostname + ":"
+        + PORT + dirname(location.pathname));
+
+/* These require HTTPS setup, so will often fail locally */
+cors("Same domain different protocol",
+        'https://' + location.host + dirname(location.pathname));
+
+cors("Cross domain different protocol",
+        CROSSDOMAIN.replace("http:", "https:"));
+
+/* W3C has no "alternative" port for HTTPS. So turn these tests off.
+
+cors("Same domain different protocol different port",
+        "https://" + location.hostname + ":" + PORTS + dirname(location.pathname));
+
+cors("Cross domain different protocol different port",
+        "https://" + SUBDOMAIN + "." + location.hostname + ":"
+        + PORTS + dirname(location.pathname));
+*/
+
+</script>

cors/credentials-flag.htm

@@ -0,0 +1,129 @@
+<!DOCTYPE html>
+<title>CORS - Access-Control-Allow-Credentials</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>CORS - Access-Control-Allow-Credentials</h1>
+<div id=log></div>
+<script>
+
+var url = CROSSDOMAIN + 'resources/cors-cookie.php?ident='
+
+
+/*
+ * widthCredentials
+ */
+// XXX Do some https tests here as well
+test(function () {
+    var client = new XMLHttpRequest()
+    client.open('GET', CROSSDOMAIN, false)
+    assert_throws(null, function() { client.withCredentials = true; }, 'setting withCredentials')
+}, 'Setting withCredentials on a sync XHR object should throw')
+
+async_test(function () {
+    var id = new Date().getTime() + '_1',
+        client = new XMLHttpRequest()
+    client.open("GET", url + id, true)
+    client.onload = this.step_func(function() {
+        assert_equals(client.response, "NO_COOKIE")
+        client.open("GET", url + id, true)
+        client.onload = this.step_func(function() {
+            assert_equals(client.response, "NO_COOKIE")
+            this.done()
+        })
+        client.send(null)
+    })
+    client.send(null)
+
+}, "Don't send cookie by default");
+
+async_test(function () {
+    var id = new Date().getTime() + '_2',
+        client = new XMLHttpRequest()
+
+    client.open("GET", url + id, true)
+    client.withCredentials = true
+    client.onload = this.step_func(function() {
+        assert_equals(client.response, "NO_COOKIE");
+
+        /* We have cookie, but the browser shouldn't send */
+        client.open("GET", url + id, true)
+        client.withCredentials = false
+        client.onload = this.step_func(function() {
+            assert_equals(client.response, "NO_COOKIE")
+
+            /* Reads and deletes the cookie */
+            client.open("GET", url + id, true)
+            client.withCredentials = true
+            client.onload = this.step_func(function() {
+                assert_equals(client.response, "COOKIE")
+                this.done()
+            })
+            client.send(null)
+        })
+        client.send(null)
+    })
+    client.send(null)
+}, "Don't send cookie part 2");
+
+async_test(function () {
+    var id = new Date().getTime() + '_3',
+        client = new XMLHttpRequest()
+
+    /* Shouldn't set the response cookie */
+    client.open("GET", url + id, true)
+    client.withCredentials = false
+    client.onload = this.step_func(function() {
+        console.log(client.response + '_', client.response)
+        assert_equals(client.response, "NO_COOKIE", "first");
+
+        /* Sets the cookie */
+        client.open("GET", url + id, true)
+        client.withCredentials = true
+        client.onload = this.step_func(function() {
+            assert_equals(client.response, "NO_COOKIE", "second")
+
+            /* Reads and deletes the cookie */
+            client.open("GET", url + id, true)
+            client.withCredentials = true
+            client.onload = this.step_func(function() {
+                assert_equals(client.response, "COOKIE", "third")
+                this.done()
+            })
+            client.send(null)
+        })
+        client.send(null)
+    })
+    client.send(null)
+}, "Don't obey Set-Cookie when withCredentials=false");
+
+function test_response_header(allow) {
+    var resp_test = async_test('Access-Control-Allow-Credentials: ' + allow + ' should be disallowed (async)')
+    resp_test.step(function() {
+        var client = new XMLHttpRequest()
+        client.open('GET',
+            CROSSDOMAIN + 'resources/cors-makeheader.php?credentials=' + allow,
+            true)
+        client.withCredentials = true;
+        client.onload = resp_test.step_func(function() {
+            assert_unreached("onload")
+        })
+        client.onerror = resp_test.step_func(function () {
+            assert_equals(client.readyState, client.DONE, 'readyState')
+            resp_test.done()
+        })
+        client.send()
+    })
+}
+
+test_response_header('TRUE')
+test_response_header('True')
+test_response_header('"true"')
+test_response_header('false')
+test_response_header('1')
+test_response_header('0')
+
+</script>