From 16dccc2c48c7d0f2db6419710fd121d6dc6e4aa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Odin=20H=C3=B8rthe=20Omdal?= <odinho@opera.com>
Date: Thu, 23 May 2013 12:20:48 +0200
Subject: [PATCH 1/3] cors: Add the Opera CORS tests

---
 cors/MANIFEST                            |  16 ++
 cors/allow-headers.htm                   |  89 +++++++++++
 cors/basic.htm                           |  71 +++++++++
 cors/credentials-flag.htm                | 112 +++++++++++++
 cors/origin.htm                          | 119 ++++++++++++++
 cors/preflight-cache.htm                 | 143 +++++++++++++++++
 cors/redirect-origin.htm                 | 195 +++++++++++++++++++++++
 cors/redirect-preflight-2.htm            |  54 +++++++
 cors/redirect-preflight.htm              |  63 ++++++++
 cors/redirect-userinfo.htm               | 110 +++++++++++++
 cors/remote-origin.htm                   | 122 ++++++++++++++
 cors/request-headers.htm                 |  80 ++++++++++
 cors/resources/.gitignore                |   1 +
 cors/resources/checkandremovefromlog.php |  34 ++++
 cors/resources/cors-cookie.php           |  21 +++
 cors/resources/cors-headers.php          |  28 ++++
 cors/resources/cors-makeheader.php       |  59 +++++++
 cors/resources/log.php                   |  27 ++++
 cors/resources/preflight.php             |  20 +++
 cors/resources/remote-xhrer.html         |  28 ++++
 cors/resources/status.php                |  40 +++++
 cors/response-headers.htm                | 103 ++++++++++++
 cors/simple-requests.htm                 |  90 +++++++++++
 cors/status-async.htm                    | 112 +++++++++++++
 cors/status-preflight.htm                |  62 +++++++
 cors/status.htm                          |  80 ++++++++++
 cors/support.js                          |  29 ++++
 cors/testrunner.html                     |   8 +
 28 files changed, 1916 insertions(+)
 create mode 100644 cors/MANIFEST
 create mode 100644 cors/allow-headers.htm
 create mode 100644 cors/basic.htm
 create mode 100644 cors/credentials-flag.htm
 create mode 100644 cors/origin.htm
 create mode 100644 cors/preflight-cache.htm
 create mode 100644 cors/redirect-origin.htm
 create mode 100644 cors/redirect-preflight-2.htm
 create mode 100644 cors/redirect-preflight.htm
 create mode 100644 cors/redirect-userinfo.htm
 create mode 100644 cors/remote-origin.htm
 create mode 100644 cors/request-headers.htm
 create mode 100644 cors/resources/.gitignore
 create mode 100755 cors/resources/checkandremovefromlog.php
 create mode 100755 cors/resources/cors-cookie.php
 create mode 100755 cors/resources/cors-headers.php
 create mode 100644 cors/resources/cors-makeheader.php
 create mode 100755 cors/resources/log.php
 create mode 100755 cors/resources/preflight.php
 create mode 100644 cors/resources/remote-xhrer.html
 create mode 100755 cors/resources/status.php
 create mode 100644 cors/response-headers.htm
 create mode 100644 cors/simple-requests.htm
 create mode 100644 cors/status-async.htm
 create mode 100644 cors/status-preflight.htm
 create mode 100644 cors/status.htm
 create mode 100644 cors/support.js
 create mode 100644 cors/testrunner.html

diff --git a/cors/MANIFEST b/cors/MANIFEST
new file mode 100644
index 00000000000000..3572eee7988d17
--- /dev/null
+++ b/cors/MANIFEST
@@ -0,0 +1,16 @@
+allow-headers.htm
+basic.htm
+credentials-flag.htm
+origin.htm
+preflight-cache.htm
+redirect-origin.htm
+redirect-preflight-2.htm
+redirect-preflight.htm
+redirect-userinfo.htm
+remote-origin.htm
+request-headers.htm
+response-headers.htm
+simple-requests.htm
+status-async.htm
+status-preflight.htm
+status.htm
diff --git a/cors/allow-headers.htm b/cors/allow-headers.htm
new file mode 100644
index 00000000000000..aa1e69c6cb5f7c
--- /dev/null
+++ b/cors/allow-headers.htm
@@ -0,0 +1,89 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Access-Control-Allow-Headers handling</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Access-Control-Allow-Headers handling</h1>
+
+<div id=log></div>
+
+<script>
+
+/*
+ * Origin header
+ */
+function shouldPass(origin) {
+    test(function () {
+        var client = new XMLHttpRequest()
+        client.open('GET', CROSSDOMAIN
+                            + '/resources/cors-makeheader.php?origin='
+                            + encodeURIComponent(origin),
+                    false)
+        client.send()
+        r = JSON.parse(client.response)
+        var host = location.protocol + "//" + location.host
+        assert_equals(r['origin'], host, 'Request Origin: should be ' + host)
+    }, 'Allow origin: ' + origin.replace(/\t/g, "[tab]").replace(/ /g, '_'));
+}
+
+shouldPass('*');
+shouldPass(' *  ');
+shouldPass('	*');
+shouldPass(location.protocol + "//" + location.host);
+shouldPass(" "+location.protocol + "//" + location.host);
+shouldPass(" "+location.protocol + "//" + location.host + "   	 ");
+shouldPass("	"+location.protocol + "//" + location.host);
+
+
+function shouldFail(origin) {
+    test(function () {
+        var client = new XMLHttpRequest()
+        client.open('GET', CROSSDOMAIN
+                            + '/resources/cors-makeheader.php?origin='
+                            + encodeURIComponent(origin),
+                    false)
+        assert_throws(null, function() { client.send() }, 'send')
+    }, 'Disallow origin: ' + origin);
+}
+
+shouldFail(location.protocol + "//" + SUBDOMAIN + "." + location.host)
+shouldFail("//" + location.host)
+shouldFail("://" + location.host)
+shouldFail("ftp://" + location.host)
+shouldFail("http:://" + location.host)
+shouldFail("http:/" + location.host)
+shouldFail("http:" + location.host)
+shouldFail(location.host)
+shouldFail(location.protocol + "//" + location.host + "?")
+shouldFail(location.protocol + "//" + location.host + "/")
+shouldFail(location.protocol + "//" + location.host + " /")
+shouldFail(location.protocol + "//" + location.host + "#")
+shouldFail(location.protocol + "//" + location.host + "%23")
+shouldFail(location.protocol + "//" + location.host + ":80")
+shouldFail(location.protocol + "//" + location.host + ", *")
+shouldFail(location.protocol + "//" + location.host + "\0")
+shouldFail((location.protocol + "//" + location.host).toUpperCase())
+shouldFail(location.protocol.toUpperCase() + "//" + location.host)
+shouldFail("-")
+shouldFail("**")
+shouldFail("\0*")
+shouldFail("*\0")
+shouldFail("'*'")
+shouldFail('"*"')
+shouldFail("* *")
+shouldFail("*" + location.protocol + "//" + "*")
+shouldFail("*" + location.protocol + "//" + location.host)
+shouldFail("* " + location.protocol + "//" + location.host)
+shouldFail("*, " + location.protocol + "//" + location.host)
+shouldFail("\0" + location.protocol + "//" + location.host)
+shouldFail("null " + location.protocol + "//" + location.host)
+shouldFail('http://example.net')
+shouldFail('null')
+shouldFail('')
+shouldFail(location.href)
+shouldFail(dirname(location.href))
+shouldFail(CROSSDOMAIN)
+
+</script>
diff --git a/cors/basic.htm b/cors/basic.htm
new file mode 100644
index 00000000000000..3499507c76fca9
--- /dev/null
+++ b/cors/basic.htm
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Basic CORS</title>
+<meta name=help href=http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#simple-cross-origin-request-0>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+<div id=log></div>
+
+<script>
+
+var counter = 0;
+
+function cors(desc, url) {
+    async_test(desc).step(function() {
+        var client = new XMLHttpRequest();
+        this.count = counter++;
+
+        client.open("GET", url + "resources/cors-makeheader.php?get_value=hest_er_best&origin=none&" + this.count);
+
+        client.onreadystatechange = this.step_func(function(e) {
+            // First request, test that it fails with no origin
+            if (client.readyState < 4) return;
+            if (!url)
+                assert_true(client.response.indexOf("hest_er_best") != -1, "Got response");
+            else
+                assert_false(!!client.response, "Got CORS-disallowed response");
+
+            client = new XMLHttpRequest();
+            client.open("GET", url + "resources/cors-makeheader.php?get_value=hest_er_best&" + this.count);
+            client.onreadystatechange = this.step_func(function(e) {
+                // Second request, test that it passes with the allowed-origin
+                if (client.readyState < 4) return;
+                assert_true(client.response.indexOf("hest_er_best") != -1, "Got CORS-allowed response");
+                this.done();
+            });
+            client.send();
+        });
+        client.send();
+    });
+}
+
+cors("Same domain basic usage", "");
+cors("Cross domain basic usage", CROSSDOMAIN);
+cors("Same domain different port",
+        "http://" + location.hostname + ":" + PORT + dirname(location.pathname));
+
+cors("Cross domain different port",
+        "http://" + SUBDOMAIN + "." + location.hostname + ":"
+        + PORT + dirname(location.pathname));
+
+/* These require HTTPS setup, so will often fail locally */
+cors("Same domain different protocol",
+        'https://' + location.host + dirname(location.pathname));
+
+cors("Cross domain different protocol",
+        CROSSDOMAIN.replace("http:", "https:"));
+
+/* W3C has no "alternative" port for HTTPS. So turn these tests off.
+
+cors("Same domain different protocol different port",
+        "https://" + location.hostname + ":" + PORTS + dirname(location.pathname));
+
+cors("Cross domain different protocol different port",
+        "https://" + SUBDOMAIN + "." + location.hostname + ":"
+        + PORTS + dirname(location.pathname));
+*/
+
+</script>
diff --git a/cors/credentials-flag.htm b/cors/credentials-flag.htm
new file mode 100644
index 00000000000000..6e83da69510b16
--- /dev/null
+++ b/cors/credentials-flag.htm
@@ -0,0 +1,112 @@
+<!DOCTYPE html>
+<title>CORS - Access-Control-Allow-Credentials</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>CORS - Access-Control-Allow-Credentials</h1>
+<div id=log></div>
+<script>
+
+var url = CROSSDOMAIN + 'resources/cors-cookie.php?ident='
+
+
+/*
+ * widthCredentials
+ */
+// XXX Do some https tests here as well
+test(function () {
+    var id = new Date().getTime(),
+        client = new XMLHttpRequest()
+    client.open("GET", url + id, false)
+    client.send(null)
+    assert_equals(client.response, "NO_COOKIE");
+
+    client.open("GET", url + id, false)
+    client.send(null)
+    assert_equals(client.response, "NO_COOKIE")
+}, "Don't send cookie by default");
+
+test(function () {
+    var id = new Date().getTime(),
+        client = new XMLHttpRequest()
+
+    client.open("GET", url + id, false)
+    client.withCredentials = true
+    client.send(null)
+    assert_equals(client.response, "NO_COOKIE");
+
+    /* We have cookie, but the browser shouldn't send */
+    client.open("GET", url + id, false)
+    client.withCredentials = false
+    client.send(null)
+    assert_equals(client.response, "NO_COOKIE")
+
+    /* Reads and deletes the cookie */
+    client.open("GET", url + id, false)
+    client.withCredentials = true
+    client.send(null)
+    assert_equals(client.response, "COOKIE")
+}, "Don't send cookie part 2");
+
+test(function () {
+    var id = new Date().getTime(),
+        client = new XMLHttpRequest()
+
+    /* Shouldn't set the response cookie */
+    client.open("GET", url + id, false)
+    client.withCredentials = false
+    client.send(null)
+    assert_equals(client.response, "NO_COOKIE");
+
+    /* Sets the cookie */
+    client.open("GET", url + id, false)
+    client.withCredentials = true
+    client.send(null)
+    assert_equals(client.response, "NO_COOKIE")
+
+    /* Reads and deletes the cookie */
+    client.open("GET", url + id, false)
+    client.withCredentials = true
+    client.send(null)
+    assert_equals(client.response, "COOKIE")
+}, "Don't obey Set-Cookie when withCredentials=false");
+
+function test_response_header(allow) {
+    test(function () {
+        var client = new XMLHttpRequest()
+        client.open('GET',
+            CROSSDOMAIN + 'resources/cors-makeheader.php?credentials=' + allow,
+            false)
+        client.withCredentials = true;
+        assert_throws(null, function() { client.send() }, 'send')
+    }, 'Access-Control-Allow-Credentials: ' + allow + ' should be disallowed (sync)')
+
+    var resp_test = async_test('Access-Control-Allow-Credentials: ' + allow + ' should be disallowed (async)')
+    resp_test.step(function() {
+        var client = new XMLHttpRequest()
+        client.open('GET',
+            CROSSDOMAIN + 'resources/cors-makeheader.php?credentials=' + allow,
+            true)
+        client.withCredentials = true;
+        client.onload = resp_test.step_func(function() {
+            assert_unreached("onload")
+        })
+        client.onerror = resp_test.step_func(function () {
+            assert_equals(client.readyState, client.DONE, 'readyState')
+            resp_test.done()
+        })
+        client.send()
+    })
+}
+
+test_response_header('TRUE')
+test_response_header('True')
+test_response_header('"true"')
+test_response_header('false')
+test_response_header('1')
+test_response_header('0')
+
+</script>
diff --git a/cors/origin.htm b/cors/origin.htm
new file mode 100644
index 00000000000000..1f89e4c86a59ef
--- /dev/null
+++ b/cors/origin.htm
@@ -0,0 +1,119 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Access-Control-Allow-Origin handling</title>
+<meta name=help href=http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-sharing-check>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Access-Control-Allow-Origin handling</h1>
+
+<div id=log></div>
+
+<script>
+
+/*
+ * Origin header
+ */
+function shouldPass(origin) {
+    test(function () {
+        var client = new XMLHttpRequest()
+        client.open('GET', CROSSDOMAIN
+                            + '/resources/cors-makeheader.php?origin='
+                            + encodeURIComponent(origin),
+                    false)
+        client.send()
+        r = JSON.parse(client.response)
+        var host = location.protocol + "//" + location.host
+        assert_equals(r['origin'], host, 'Request Origin: should be ' + host)
+    }, 'Allow origin: ' + origin.replace(/\t/g, "[tab]").replace(/ /g, '_'));
+}
+
+shouldPass('*');
+shouldPass(' *  ');
+shouldPass('	*');
+shouldPass(location.protocol + "//" + location.host);
+shouldPass(" "+location.protocol + "//" + location.host);
+shouldPass(" "+location.protocol + "//" + location.host + "   	 ");
+shouldPass("	"+location.protocol + "//" + location.host);
+
+
+function shouldFail(origin) {
+    test(function () {
+        var client = new XMLHttpRequest()
+        client.open('GET', CROSSDOMAIN
+                            + '/resources/cors-makeheader.php?origin='
+                            + encodeURIComponent(origin),
+                    false)
+        assert_throws(null, function() { client.send() }, 'send')
+    }, 'Disallow origin: ' + origin.replace(/\0/g, "\\0"));
+}
+
+shouldFail(location.protocol + "//" + SUBDOMAIN + "." + location.host)
+shouldFail("//" + location.host)
+shouldFail("://" + location.host)
+shouldFail("ftp://" + location.host)
+shouldFail("http:://" + location.host)
+shouldFail("http:/" + location.host)
+shouldFail("http:" + location.host)
+shouldFail(location.host)
+shouldFail(location.protocol + "//" + location.host + "?")
+shouldFail(location.protocol + "//" + location.host + "/")
+shouldFail(location.protocol + "//" + location.host + " /")
+shouldFail(location.protocol + "//" + location.host + "#")
+shouldFail(location.protocol + "//" + location.host + "%23")
+shouldFail(location.protocol + "//" + location.host + ":80")
+shouldFail(location.protocol + "//" + location.host + ", *")
+shouldFail(location.protocol + "//" + location.host + "\0")
+shouldFail((location.protocol + "//" + location.host).toUpperCase())
+shouldFail(location.protocol.toUpperCase() + "//" + location.host)
+shouldFail("-")
+shouldFail("**")
+shouldFail("\0*")
+shouldFail("*\0")
+shouldFail("'*'")
+shouldFail('"*"')
+shouldFail("* *")
+shouldFail("* null")
+shouldFail("*" + location.protocol + "//" + "*")
+shouldFail("*" + location.protocol + "//" + location.host)
+shouldFail("* " + location.protocol + "//" + location.host)
+shouldFail("*, " + location.protocol + "//" + location.host)
+shouldFail("\0" + location.protocol + "//" + location.host)
+shouldFail("null " + location.protocol + "//" + location.host)
+shouldFail('http://example.net')
+shouldFail('null')
+shouldFail('null *')
+shouldFail('')
+shouldFail(location.href)
+shouldFail(dirname(location.href))
+shouldFail(CROSSDOMAIN)
+shouldFail(location.host.replace(/^[^\.]+\./, ""))
+shouldFail("." + location.host.replace(/^[^\.]+\./, ""))
+shouldFail("*." + location.host.replace(/^[^\.]+\./, ""))
+shouldFail("http://" + location.host.replace(/^[^\.]+\./, ""))
+shouldFail("http://." + location.host.replace(/^[^\.]+\./, ""))
+shouldFail("http://*." + location.host.replace(/^[^\.]+\./, ""))
+
+function doubleOrigin(origin, origin2) {
+    test(function () {
+        var client = new XMLHttpRequest()
+        client.open('GET', CROSSDOMAIN
+                            + '/resources/cors-makeheader.php?origin='
+                            + encodeURIComponent(origin)
+                            + '&origin2=' + encodeURIComponent(origin2),
+                    false)
+        assert_throws(null, function() { client.send() }, 'send')
+    }, 'Disallow multiple headers (' + origin + ', ' + origin2 + ')');
+}
+
+doubleOrigin('', '*');
+doubleOrigin('*', '');
+doubleOrigin('*', '*');
+doubleOrigin('', location.protocol + "//" + location.host);
+doubleOrigin('*', location.protocol + "//" + location.host);
+doubleOrigin(location.protocol + "//" + location.host, location.protocol + "//" + location.host);
+
+</script>
diff --git a/cors/preflight-cache.htm b/cors/preflight-cache.htm
new file mode 100644
index 00000000000000..2f8b201267f661
--- /dev/null
+++ b/cors/preflight-cache.htm
@@ -0,0 +1,143 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>CORS - preflight cache</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Preflight cache</h1>
+
+<div id=log></div>
+<script>
+
+/*
+ * Cache
+ */
+
+function did_preflight(expect, client, ident, settings) {
+    if(!settings)
+        settings = {}
+
+    set = {
+        method: 'method' in settings ? settings.method : 'GET',
+        extra: 'extra' in settings ? '&' + settings.extra : ''
+    }
+
+    client.open(set.method,
+            CROSSDOMAIN + 'resources/preflight.php?ident=' + ident + set.extra,
+            false)
+    client.setRequestHeader('x-print', ident)
+    client.send()
+
+    client.open('GET', 'resources/checkandremovefromlog.php?ident=' + ident, false)
+    client.send()
+    assert_equals(client.response, expect === true ? '1' : '0', "did preflight")
+}
+
+/*
+ * Should run preflight
+ */
+var test_c = 0;
+
+test(function() {
+    test_c++;
+    var time = new Date().getTime()
+    var client = new XMLHttpRequest()
+    did_preflight(true, client, test_c + '_' + time)
+},
+'Test preflight')
+
+test(function() {
+    test_c++;
+    var time = new Date().getTime()
+    var client = new XMLHttpRequest()
+
+    did_preflight(true,  client, test_c + '_' + time)
+    did_preflight(false, client, test_c + '_' + time)
+},
+'preflight for x-print should be cached')
+
+test(function() {
+    test_c++;
+    var time = new Date().getTime()
+    var client = new XMLHttpRequest()
+
+    did_preflight(true, client, test_c + '_' + time, {extra:'max_age=0'})
+    did_preflight(true, client, test_c + '_' + time, {extra:'max_age=0'})
+},
+'age = 0, should not be cached')
+
+test(function() {
+    test_c++;
+    var time = new Date().getTime()
+    var client = new XMLHttpRequest()
+
+    did_preflight(true, client, test_c + '_' + time, {extra:'max_age=-1'})
+    did_preflight(true, client, test_c + '_' + time, {extra:'max_age=-1'})
+},
+'age = -1, should not be cached')
+
+;(function() {
+    test_c++;
+    var test = async_test("preflight first request, second from cache, wait, third should preflight again", { timeout: 6000 }),
+        time = new Date().getTime(),
+        dothing = function (url, msg, set_request, func) {
+            client = new XMLHttpRequest(),
+            client.open('GET', url + test_c + "_" + time, true)
+            if (set_request)
+                client.setRequestHeader('x-print', msg)
+            client.onreadystatechange = test.step_func(function() {
+                if(client.readyState >= 4) {
+                    assert_equals(client.response, msg, "response")
+                    if (func)
+                        test.step(func)
+                }
+            })
+            client.onerror = test.step_func(function(e) {
+                assert_unreached("Got unexpected error event on the XHR object")
+            })
+            client.send()
+        }
+
+    test.step(function() {
+        /* First cycle, gets x-print into the cache, with timeout 1 */
+        dothing(CROSSDOMAIN + 'resources/preflight.php?max_age=1&ident=',
+        'first', true, function(){
+            test = test;
+
+            /* Check if we did a preflight like we expected */
+            dothing('resources/checkandremovefromlog.php?1&ident=',
+            '1', false, function(){
+                test = test;
+                dothing(CROSSDOMAIN + 'resources/preflight.php?max_age=1&ident=',
+                'second', true, function() {
+                    test = test;
+
+                    /* Check that we didn't do a preflight (hasn't gone 1 second yet) */
+                    dothing('resources/checkandremovefromlog.php?2&ident=',
+                    '0', false, function(){
+                        test = test;
+
+                        /* Wait until the preflight cache age is old (and thus cleared) */
+                        setTimeout(test.step_func(function(){
+                            dothing(CROSSDOMAIN + 'resources/preflight.php?max_age=1&ident=',
+                            'third', true, function(){
+                                test = test;
+
+                                /* Expect that we did indeed do a preflight */
+                                dothing('resources/checkandremovefromlog.php?3&ident=',
+                                '1', false, function(){
+                                    test.done()
+                                })
+                            })
+                        }), 1500)
+                    })
+                })
+            })
+        })
+    })
+})();
+
+</script>
diff --git a/cors/redirect-origin.htm b/cors/redirect-origin.htm
new file mode 100644
index 00000000000000..a9379a43249510
--- /dev/null
+++ b/cors/redirect-origin.htm
@@ -0,0 +1,195 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>CORS - redirect</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>CORS redirect handling</h1>
+
+<div id=log></div>
+
+<script>
+
+    // Test count for cache busting and easy identifying of request in traffic analyzer
+    var num_test = 0,
+
+        origin         = location.protocol + "//" + location.host,
+        remote_origin  = origin.replace('://', '://' + SUBDOMAIN + '.'),
+
+        local   = dirname(location.href) + 'resources/cors-makeheader.php',
+        remote  = local.replace('://', '://' + SUBDOMAIN + '.'),
+        remote2 = local.replace('://', '://' + SUBDOMAIN2 + '.');
+
+
+    /*           First page           Redirect to          Expect what  */
+
+    // local -> remote
+
+    redir_test([ 'local',  '*'    ], [ 'remote', '*'    ], origin    );
+    redir_test([ 'local',  '*'    ], [ 'remote', origin ], origin    );
+    redir_test([ 'local',  '*'    ], [ 'remote', 'null' ], 'disallow');
+    redir_test([ 'local',  '*'    ], [ 'remote', 'none' ], 'disallow');
+
+    redir_test([ 'local',  origin ], [ 'remote', '*'    ], origin    );
+    redir_test([ 'local',  origin ], [ 'remote', origin ], origin    );
+    redir_test([ 'local',  origin ], [ 'remote', 'null' ], 'disallow');
+    redir_test([ 'local',  origin ], [ 'remote', 'none' ], 'disallow');
+
+    redir_test([ 'local',  'null' ], [ 'remote', '*'    ], origin    );
+    redir_test([ 'local',  'none' ], [ 'remote', '*'    ], origin    );
+
+
+    // remote -> local
+
+    redir_test([ 'remote',  '*'    ], [ 'local', '*'    ], 'null'    );
+    redir_test([ 'remote',  '*'    ], [ 'local', origin ], 'disallow');
+    redir_test([ 'remote',  '*'    ], [ 'local', 'null' ], 'null'    );
+    redir_test([ 'remote',  '*'    ], [ 'local', 'none' ], 'disallow');
+
+    redir_test([ 'remote',  origin ], [ 'local', '*'    ], 'null'    );
+    redir_test([ 'remote',  origin ], [ 'local', origin ], 'disallow');
+    redir_test([ 'remote',  origin ], [ 'local', 'null' ], 'null'    );
+    redir_test([ 'remote',  origin ], [ 'local', 'none' ], 'disallow');
+
+    redir_test([ 'remote',  'null' ], [ 'local', '*'    ], 'disallow');
+    redir_test([ 'remote',  'none' ], [ 'local', '*'    ], 'disallow');
+
+
+    // remote -> remote
+
+    redir_test([ 'remote',  '*'    ], [ 'remote', '*'    ], origin    );
+    redir_test([ 'remote',  '*'    ], [ 'remote', origin ], origin    );
+    redir_test([ 'remote',  '*'    ], [ 'remote', 'null' ], 'disallow');
+    redir_test([ 'remote',  '*'    ], [ 'remote', 'none' ], 'disallow');
+
+    redir_test([ 'remote',  origin ], [ 'remote', '*'    ], origin    );
+    redir_test([ 'remote',  origin ], [ 'remote', origin ], origin    );
+    redir_test([ 'remote',  origin ], [ 'remote', 'null' ], 'disallow');
+    redir_test([ 'remote',  origin ], [ 'remote', 'none' ], 'disallow');
+
+    redir_test([ 'remote',  'null' ], [ 'remote', '*'    ], 'disallow');
+    redir_test([ 'remote',  'none' ], [ 'remote', '*'    ], 'disallow');
+
+
+    // remote -> remote2
+
+    redir_test([ 'remote',  '*'    ], [ 'remote2', '*'    ], 'null'    );
+    redir_test([ 'remote',  '*'    ], [ 'remote2', origin ], 'disallow');
+    redir_test([ 'remote',  '*'    ], [ 'remote2', 'null' ], 'null'    );
+    redir_test([ 'remote',  '*'    ], [ 'remote2', 'none' ], 'disallow');
+
+    redir_test([ 'remote',  origin ], [ 'remote2', '*'    ], 'null'    );
+    redir_test([ 'remote',  origin ], [ 'remote2', origin ], 'disallow');
+    redir_test([ 'remote',  origin ], [ 'remote2', 'null' ], 'null');
+    redir_test([ 'remote',  origin ], [ 'remote2', 'none' ], 'disallow');
+
+    redir_test([ 'remote',  'null' ], [ 'remote2', '*'    ], 'disallow');
+    redir_test([ 'remote',  'none' ], [ 'remote2', '*'    ], 'disallow');
+
+
+    // Bonus weird edge checks
+
+    redir_test([ 'remote', '*'           ], [ 'remote',  remote_origin ], 'disallow');
+    redir_test([ 'remote', '*'           ], [ 'remote2', remote_origin ], 'disallow');
+    redir_test([ 'remote', remote_origin ], [ 'remote',  "*"           ], 'disallow');
+
+
+
+    /*
+     * The helpers
+     */
+
+    function redir_test(first, second, expect_origin) {
+        var first_url, second_url,
+            urls = { "remote": remote, "local": local, "remote2": remote2 };
+
+        first_url = urls[first[0]] + "?origin=" + first[1];
+        second_url = urls[second[0]] + "?origin=" + second[1];
+
+        if (expect_origin=="disallow") {
+            shouldFail(first[0]+" ("+first[1]+") to "
+                + second[0]+" ("+second[1]+"), expect to fail", [ first_url, second_url ]);
+        }
+        else {
+            shouldPass(first[0]+" ("+first[1]+") to "
+                + second[0]+" ("+second[1]+"), expect origin="+expect_origin, expect_origin, [ first_url, second_url ]);
+        }
+
+    }
+
+    function shouldPass(desc, expected_origin, urls) {
+        var test_id = num_test,
+            t = async_test(desc);
+
+        num_test++;
+
+        t.step(function() {
+            var final_url,
+                client = new XMLHttpRequest();
+
+            client.open('GET', buildURL(urls, test_id));
+
+            client.onreadystatechange = t.step_func(function() {
+                if (client.readyState != client.DONE)
+                    return;
+                assert_true(!!client.response, "Got response");
+                r = JSON.parse(client.response)
+                assert_equals(r['origin'], expected_origin, 'Origin Header')
+                assert_equals(r['get_value'], 'last', 'get_value')
+                t.done();
+            });
+            client.send(null)
+        });
+    }
+
+    function shouldFail(desc, urls) {
+        var test_id = num_test,
+            t = async_test(desc);
+
+        num_test++;
+
+        t.step(function() {
+            var client = new XMLHttpRequest();
+
+            client.open('GET', buildURL(urls, test_id));
+
+            client.onreadystatechange = t.step_func(function() {
+                if (client.readyState != client.DONE)
+                    return;
+                assert_false(!!client.response, "Got response");
+            });
+            client.onerror = t.step_func(function(e) {
+                t.done();
+            });
+
+            client.send(null)
+        });
+    }
+
+
+    function buildURL(urls, id) {
+        var tmp_url;
+
+        if (typeof(urls) == "string") {
+            return urls + "&" + id + "_0";
+        }
+
+        for (var i = urls.length; i--; ) {
+            if (!tmp_url)
+            {
+                tmp_url = urls[i] + "&get_value=last&" + id + "_" + i;
+                continue;
+            }
+            tmp_url = urls[i]
+                        + "&location="
+                        + encodeURIComponent(tmp_url)
+                        + "&" + id + "_" + i;
+        }
+
+        return tmp_url;
+    }
+
+</script>
diff --git a/cors/redirect-preflight-2.htm b/cors/redirect-preflight-2.htm
new file mode 100644
index 00000000000000..cf441bc60dca69
--- /dev/null
+++ b/cors/redirect-preflight-2.htm
@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>CORS - preflight after a redirect</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Preflight after redirect</h1>
+
+<div id=log></div>
+<script>
+
+async_test(function() {
+    var test_id = "fail_" +  new Date().getTime()
+    var client = new XMLHttpRequest()
+    var last_url = CROSSDOMAIN + 'resources/cors-makeheader.php?origin=*&ident=' + test_id
+
+    client.open('GET', 'resources/cors-makeheader.php?origin=*&location=' + encodeURIComponent(last_url))
+    client.setRequestHeader('custom-header', 'admin')
+    client.onerror = this.step_func(function() {
+        this.done()
+    })
+    client.onload = this.step_func(function(e) { assert_unreached("Request should not succeed!") })
+    client.send()
+}, "Same-origin custom-header request, redirect to cross-origin fails after doing a non-successful preflight")
+
+
+async_test(function() {
+    var test_id = "success_" +  new Date().getTime()
+    var client = new XMLHttpRequest()
+    var last_url = CROSSDOMAIN + 'resources/cors-makeheader.php?headers=custom-header&origin=*&ident=' + test_id
+
+    client.open('GET', 'resources/cors-makeheader.php?origin=*&location=' + encodeURIComponent(last_url))
+    client.setRequestHeader('custom-header', 'admin')
+    client.onload = this.step_func(function() {
+        // Test that I got custom-header
+
+        /* To check whether we did a preflight */
+        client.open('GET', 'resources/checkandremovefromlog.php?ident=' + test_id)
+        client.onload = this.step_func(function() {
+            assert_equals(client.response, "1", "did preflight")
+            this.done()
+        })
+        client.onerror = this.step_func(function(e) { assert_unreached("Error on getting preflight data") })
+        client.send()
+    })
+    client.onerror = this.step_func(function(e) { assert_unreached("Error during request", e) })
+    client.send()
+}, "Same-origin custom-header request, redirect to cross-origin succeeds after doing a preflight")
+
+
+</script>
diff --git a/cors/redirect-preflight.htm b/cors/redirect-preflight.htm
new file mode 100644
index 00000000000000..e98b3107f8fedf
--- /dev/null
+++ b/cors/redirect-preflight.htm
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>CORS - redirect with preflight</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Redirect with preflight</h1>
+
+<div id=log></div>
+<script>
+
+var req_c = 0 // Request count for cache busting and easy identifying of request in traffic analyzer
+
+/*
+ * Redirection with preflights
+ */
+
+function redir_preflight(code) {
+    test(function() {
+        var client = new XMLHttpRequest(),
+            redirect = CROSSDOMAIN + 'resources/cors-makeheader.php?headers=x-test&' + req_c++
+
+        client.open('GET', CROSSDOMAIN + 'resources/cors-makeheader.php?'
+                           + 'headers=x-test&location=' + encodeURIComponent(redirect)
+                           + '&code=' + code + '&preflight=' + code + '&' + req_c++,
+                    false)
+        client.setRequestHeader('x-test', 'test')
+        assert_throws(null, function() { client.send(null) });
+
+    },
+    'Redirect ' + code + ' on preflight')
+}
+redir_preflight(301)
+redir_preflight(302)
+redir_preflight(303)
+redir_preflight(307)
+
+/* Even thought the preflight was allowed (200), CORS should not follow
+   a subsequent redirect */
+function redir_after_preflight(code) {
+    test(function() {
+        var client = new XMLHttpRequest(),
+            redirect = CROSSDOMAIN + 'resources/cors-makeheader.php?headers=x-test&' + req_c++
+
+        client.open('GET', CROSSDOMAIN + 'resources/cors-makeheader.php?'
+                           + 'preflight=200&headers=x-test&location='
+                           + encodeURIComponent(redirect) + '&code=' + code + '&' + req_c++,
+                    false)
+        client.setRequestHeader('x-test', 'test')
+        assert_throws(null, function() { client.send(null) });
+
+    },
+    'Disallow redirect ' + code + ' after succesful (200) preflight')
+}
+redir_after_preflight(301)
+redir_after_preflight(302)
+redir_after_preflight(303)
+redir_after_preflight(307)
+
+</script>
diff --git a/cors/redirect-userinfo.htm b/cors/redirect-userinfo.htm
new file mode 100644
index 00000000000000..58216467997aa0
--- /dev/null
+++ b/cors/redirect-userinfo.htm
@@ -0,0 +1,110 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>CORS - redirect with userinfo</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odinho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>CORS userinfo redirect handling</h1>
+
+<div id=log></div>
+
+<script>
+
+    // Test count for cache busting and easy identifying of request in traffic analyzer
+    var num_test = 0
+
+    shouldFail("Disallow redirect with userinfo (//user:pass@)", [
+                    CROSSDOMAIN + "resources/cors-makeheader.php?",
+                    CROSSDOMAIN.replace("http://", "http://test:test@") + "resources/cors-makeheader.php?"]);
+
+    shouldFail("Disallow redirect with userinfo (//user:@)", [
+                    CROSSDOMAIN + "resources/cors-makeheader.php?",
+                    CROSSDOMAIN.replace("http://", "http://user:@") + "resources/cors-makeheader.php?"]);
+
+    shouldFail("Disallow redirect with userinfo (//user@)", [
+                    CROSSDOMAIN + "resources/cors-makeheader.php?",
+                    CROSSDOMAIN.replace("http://", "http://user:@") + "resources/cors-makeheader.php?"]);
+
+    shouldFail("Disallow redirect with userinfo (//:@)", [
+                    CROSSDOMAIN + "resources/cors-makeheader.php?",
+                    CROSSDOMAIN.replace("http://", "http://:@") + "resources/cors-makeheader.php?"]);
+
+    shouldFail("Disallow redirect with userinfo (//:pass@)", [
+                    CROSSDOMAIN + "resources/cors-makeheader.php?",
+                    CROSSDOMAIN.replace("http://", "http://:pass@") + "resources/cors-makeheader.php?"]);
+
+    shouldPass("Allow redirect with userinfo (//@)", [
+                    CROSSDOMAIN + "resources/cors-makeheader.php?",
+                    CROSSDOMAIN.replace("http://", "http://@") + "resources/cors-makeheader.php?"]);
+
+    function shouldFail(desc, urls) {
+        var test_id = num_test,
+            t = async_test(desc);
+
+        num_test++;
+
+        t.step(function() {
+            var client = new XMLHttpRequest();
+
+            client.open('GET', buildURL(urls, test_id));
+
+            client.onload = t.step_func(function() {
+                assert_false(!!client.response, "Got response");
+            });
+            client.onerror = t.step_func(function(e) {
+                t.done();
+            });
+
+            client.send(null)
+        });
+    }
+
+    function shouldPass(desc, urls) {
+        var test_id = num_test,
+            t = async_test(desc);
+
+        num_test++;
+
+        t.step(function() {
+            var client = new XMLHttpRequest();
+
+            client.open('GET', buildURL(urls, test_id));
+
+            client.onreadystatechange = t.step_func(function() {
+                if (client.readyState != client.DONE)
+                    return;
+                assert_true(!!client.response, "Got response");
+                r = JSON.parse(client.response)
+                assert_equals(r['get_value'], 'last', 'get_value')
+                t.done();
+            });
+            client.send(null)
+        });
+    }
+
+    function buildURL(urls, id) {
+        var tmp_url;
+
+        if (typeof(urls) == "string") {
+            return urls + "&" + id + "_0";
+        }
+
+        for (var i = urls.length; i--; ) {
+            if (!tmp_url)
+            {
+                tmp_url = urls[i] + "&get_value=last&" + id + "_" + i;
+                continue;
+            }
+            tmp_url = urls[i]
+                        + "&location="
+                        + encodeURIComponent(tmp_url)
+                        + "&" + id + "_" + i;
+        }
+
+        return tmp_url;
+    }
+
+</script>
diff --git a/cors/remote-origin.htm b/cors/remote-origin.htm
new file mode 100644
index 00000000000000..13fe68ecfcb8a0
--- /dev/null
+++ b/cors/remote-origin.htm
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Access-Control-Allow-Origin handling</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Access-Control-Allow-Origin handling</h1>
+
+<div id=log></div>
+
+<script>
+
+var remote_tests = [];
+var iframe = document.createElement("iframe")
+iframe.src = CROSSDOMAIN + 'resources/remote-xhrer.html';
+document.body.appendChild(iframe);
+
+function reverseOrigin(expect_pass, origin)
+{
+    var real_origin = origin.replace("<host>", REMOTE_HOST)
+                        .replace("<remote_origin>", location.protocol + "//" + location.host)
+                        .replace("<origin>", REMOTE_ORIGIN)
+                        .replace("<protocol>", REMOTE_PROTOCOL)
+                        .replace("<HOST>", REMOTE_HOST.toUpperCase())
+                        .replace("<ORIGIN>", REMOTE_ORIGIN.toUpperCase())
+                        .replace("<PROTOCOL>", REMOTE_PROTOCOL.toUpperCase());
+
+    var t = async_test((expect_pass ? 'Allow origin: ' : 'Disallow origin: ') + real_origin
+                            .replace(/\0/g, "\\0")
+                            .replace(/\t/g, "[tab]")
+                            .replace(/ /g, '_'));
+    t.step(function() {
+        this.test_url = dirname(location.href)
+                            + 'resources/cors-makeheader.php?origin='
+                            + encodeURIComponent(real_origin);
+        iframe.contentWindow.postMessage({ url: this.test_url, origin: origin }, "*");
+    });
+
+    if (expect_pass)
+    {
+        t.callback = t.step_func(function(e) {
+            assert_equals(e.state, "load");
+            r = JSON.parse(e.response)
+            assert_equals(r['origin'], REMOTE_ORIGIN, 'Request Origin: should be ' + REMOTE_ORIGIN)
+            this.done();
+        });
+    }
+    else
+    {
+        t.callback = t.step_func(function(e) {
+            if (e.response) console.log(e.response);
+            assert_equals(e.state, "error");
+            assert_equals(e.response, "");
+            this.done();
+        });
+    }
+
+    remote_tests[origin] = t;
+}
+
+function shouldPass(origin) { reverseOrigin(true, origin); }
+function shouldFail(origin) { reverseOrigin(false, origin); }
+
+
+iframe.onload = function() {
+    shouldPass('*');
+    shouldPass(' *  ');
+    shouldPass('	*');
+    shouldPass("<origin>");
+    shouldPass(" <origin>");
+    shouldPass(" <origin>   	 ");
+    shouldPass("	<origin>");
+
+    shouldFail("<remote_origin>")
+    shouldFail("//" + "<host>")
+    shouldFail("://" + "<host>")
+    shouldFail("ftp://" + "<host>")
+    shouldFail("http:://" + "<host>")
+    shouldFail("http:/" + "<host>")
+    shouldFail("http:" + "<host>")
+    shouldFail("<host>")
+    shouldFail("<origin>" + "?")
+    shouldFail("<origin>" + "/")
+    shouldFail("<origin>" + " /")
+    shouldFail("<origin>" + "#")
+    shouldFail("<origin>" + "%23")
+    shouldFail("<origin>" + ":80")
+    shouldFail("<origin>" + ", *")
+    shouldFail("<origin>" + "\0")
+    shouldFail(("<ORIGIN>"))
+    shouldFail("<PROTOCOL>//<host>")
+    shouldFail("<protocol>//<HOST>")
+    shouldFail("-")
+    shouldFail("**")
+    shouldFail("\0*")
+    shouldFail("*\0")
+    shouldFail("'*'")
+    shouldFail('"*"')
+    shouldFail("* *")
+    shouldFail("*" + "<protocol>" + "//" + "*")
+    shouldFail("*" + "<origin>")
+    shouldFail("* " + "<origin>")
+    shouldFail("*, " + "<origin>")
+    shouldFail("\0" + "<origin>")
+    shouldFail("null " + "<origin>")
+    shouldFail('http://example.net')
+    shouldFail('null')
+    shouldFail('')
+    shouldFail(location.href)
+    shouldFail(dirname(location.href))
+    shouldFail(CROSSDOMAIN)
+}
+
+window.addEventListener("message", function(e) {
+    remote_tests[e.data.origin].callback(e.data);
+});
+
+add_completion_callback(function() {
+    iframe.parentElement.removeChild(iframe);
+});
+</script>
diff --git a/cors/request-headers.htm b/cors/request-headers.htm
new file mode 100644
index 00000000000000..335f5490a208c7
--- /dev/null
+++ b/cors/request-headers.htm
@@ -0,0 +1,80 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>CORS - request headers - Access-Control-Allow-Headers</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Request headers</h1>
+<div id=log></div>
+<script>
+
+/*
+ * Request Headers
+ */
+
+test(function() {
+    var client = new XMLHttpRequest()
+    client.open('GET', CROSSDOMAIN + 'resources/cors-makeheader.php?headers=x-print', false)
+    client.setRequestHeader('x-print', 'unicorn')
+    client.send(null)
+
+    res = JSON.parse(client.response)
+    assert_equals(res['x-print'], 'unicorn')
+}, 'basic request header')
+
+test(function() {
+    var client = new XMLHttpRequest()
+    client.open('GET', CROSSDOMAIN + 'resources/cors-makeheader.php?headers=x-print,', false)
+    client.setRequestHeader('x-print', 'unicorn')
+    client.setRequestHeader('content-type', 'text/plain')
+    client.setRequestHeader('accept', 'test')
+    client.setRequestHeader('accept-language', 'nn')
+    client.setRequestHeader('content-language', 'nn')
+    client.send(null)
+
+    res = JSON.parse(client.response)
+    assert_equals(res['x-print'], 'unicorn')
+    assert_equals(res['content-type'], 'text/plain')
+    assert_equals(res['accept'], 'test')
+    assert_equals(res['accept-language'], 'nn')
+    assert_equals(res['content-language'], 'nn')
+}, 'Simple request headers need not be in allow-headers')
+
+test(function() {
+    var client = new XMLHttpRequest()
+    client.open('GET', CROSSDOMAIN + 'resources/cors-makeheader.php?headers=x-print', false)
+    client.setRequestHeader('x-print', 'unicorn')
+    client.setRequestHeader('y-print', 'unicorn')
+    assert_throws(null, function() { client.send(null) })
+}, 'Unspecified request headers are disallowed')
+
+test(function() {
+    var client = new XMLHttpRequest()
+    client.open('GET', CROSSDOMAIN + 'resources/cors-makeheader.php?headers=,y-lol,x-PriNT,%20,,,Y-PRINT', false)
+    client.setRequestHeader('x-print', 'unicorn')
+    client.setRequestHeader('y-print', 'narwhal')
+    client.send(null)
+
+    res = JSON.parse(client.response)
+    assert_equals(res['x-print'], 'unicorn')
+    assert_equals(res['y-print'], 'narwhal')
+}, 'Strange allowheaders (case insensitive)')
+
+test(function() {
+    var client = new XMLHttpRequest()
+    assert_throws('INVALID_STATE_ERR', function() { client.setRequestHeader('x-print', 'unicorn') })
+},
+'INVALID_STATE_ERR on setRequestHeader before open()')
+
+test(function() {
+    var client = new XMLHttpRequest()
+    client.open('GET', CROSSDOMAIN + 'resources/cors-makeheader.php?headers=,y-lol,x-PriNT,%20,,,Y-PRINT', false)
+    client.send()
+    assert_throws('INVALID_STATE_ERR', function() { client.setRequestHeader('x-print', 'unicorn') })
+},
+'INVALID_STATE_ERR on setRequestHeader after send()')
+
+</script>
diff --git a/cors/resources/.gitignore b/cors/resources/.gitignore
new file mode 100644
index 00000000000000..7b987d03655fd0
--- /dev/null
+++ b/cors/resources/.gitignore
@@ -0,0 +1 @@
+logs.txt
diff --git a/cors/resources/checkandremovefromlog.php b/cors/resources/checkandremovefromlog.php
new file mode 100755
index 00000000000000..8cef887ff15364
--- /dev/null
+++ b/cors/resources/checkandremovefromlog.php
@@ -0,0 +1,34 @@
+<?php
+  $file_name = 'logs.txt';
+  $ident = isset($_GET['ident']) ? $_GET['ident'] : NULL;
+  $buffer = '';
+  $obj;
+
+  $file = fopen($file_name,'r+');
+
+  if (filesize($file_name))
+  {
+    $buffer = fread($file, filesize($file_name));
+
+    if ($buffer)
+      $obj = json_decode($buffer);
+  }
+
+  if (isset($ident))
+    if ($obj->$ident)
+    {
+      print "1";
+
+      unset($obj->$ident);
+
+      $buffer = json_encode($obj);
+
+      rewind($file);
+      ftruncate($file, 0);
+      fwrite($file, $buffer);
+    }
+    else
+      print "0";
+
+  fclose($file);
+?>
diff --git a/cors/resources/cors-cookie.php b/cors/resources/cors-cookie.php
new file mode 100755
index 00000000000000..6fe109daaa5d2a
--- /dev/null
+++ b/cors/resources/cors-cookie.php
@@ -0,0 +1,21 @@
+<?php
+ $origin = isset($_GET['origin']) ? $_GET['origin'] : $_SERVER['HTTP_ORIGIN'];
+ $credentials = isset($_GET['credentials']) ? $_GET['credentials'] : 'true';
+
+ header("Content-Type: text/plain");
+ if ($origin != 'none')
+   header("Access-Control-Allow-Origin: {$origin}");
+ if ($credentials != 'none')
+   header("Access-Control-Allow-Credentials: {$credentials}");
+
+ $ident = isset($_GET['ident']) ? $_GET['ident'] : 'test';
+
+ if (isset($_COOKIE[$ident])) {
+   /* Delete the cookie */
+   header("Set-Cookie: $ident=COOKIE; expires=Fri, 27 Jul 2001 02:47:11 UTC");
+   echo $_COOKIE[$ident];
+ }
+ else {
+   header("Set-Cookie: $ident=COOKIE");
+   echo 'NO_COOKIE';
+ }
diff --git a/cors/resources/cors-headers.php b/cors/resources/cors-headers.php
new file mode 100755
index 00000000000000..de29c69efefc53
--- /dev/null
+++ b/cors/resources/cors-headers.php
@@ -0,0 +1,28 @@
+<?php
+ header("Access-Control-Allow-Origin: *");
+ header("Access-Control-Expose-Headers: X-Custom-Header, X-Custom-Header-Empty, X-Custom-Header-Comma, X-Custom-Header-Bytes");
+ header("Access-Control-Expose-Headers: X-Second-Expose", false);
+ header("Access-Control-Expose-Headers: Date", false);
+
+ header("Content-Type: text/plain");
+
+ header("X-Custom-Header: test");
+ header("X-Custom-Header: test");
+ header("Set-Cookie: test1=t1;max-age=2");
+ header("Set-Cookie2: test2=t2;Max-Age=2");
+ header("X-Custom-Header-Empty:");
+ header("X-Custom-Header-Comma: 1");
+ header("X-Custom-Header-Comma: 2", false);
+ header("X-Custom-Header-Bytes: …");
+ header("X-Nonexposed: unicorn");
+ header("X-Second-Expose: flyingpig");
+
+ /* Simple response headers */
+ header("Cache-Control: no-cache");
+ header("Content-Language: nn");
+ header("Expires: Thu, 01 Dec 1994 16:00:00 GMT");
+ header("Last-Modified: Thu, 01 Dec 1994 10:00:00 GMT");
+ header("Pragma: no-cache");
+
+ echo "TEST";
+?>
diff --git a/cors/resources/cors-makeheader.php b/cors/resources/cors-makeheader.php
new file mode 100644
index 00000000000000..dfc91c9fd85624
--- /dev/null
+++ b/cors/resources/cors-makeheader.php
@@ -0,0 +1,59 @@
+<?php
+
+$origin = isset($_GET['origin']) ? $_GET['origin'] : $_SERVER['HTTP_ORIGIN'];
+
+if ($origin != 'none')
+    header("Access-Control-Allow-Origin: $origin");
+if (isset($_GET['origin2']))
+    header("Access-Control-Allow-Origin: {$_GET['origin2']}", false);
+
+/* Preflight */
+if (isset($_GET['headers']))
+    header("Access-Control-Allow-Headers: {$_GET['headers']}");
+if (isset($_GET['credentials']))
+    header("Access-Control-Allow-Credentials: {$_GET['credentials']}");
+if (isset($_GET['methods']))
+    header("Access-Control-Allow-Methods: {$_GET['methods']}");
+
+$code = isset($_GET['code']) ? intval($_GET['code']) : null;
+if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
+    /* Override the response code if we're in a preflight and it's asked */
+    if (isset($_GET['preflight']))
+        $code = intval($_GET['preflight']);
+
+    /* Log that the preflight actually happened if we have an ident */
+    if (isset($_GET['ident']))
+        include("log.php");
+}
+
+if (isset($_GET['location']))
+{
+    if ($code === null)
+    	$code = 302;
+
+    if ($code < 400 and $code > 299)
+    {
+        header("Location: {$_GET['location']}", true, $code);
+        die("Redirecting");
+    }
+}
+
+foreach ($_SERVER as $name => $value)
+{
+    if (substr($name, 0, 5) == 'HTTP_')
+    {
+        $name = strtolower(str_replace('_', '-', substr($name, 5)));
+        $headers[$name] = $value;
+    } else if ($name == "CONTENT_TYPE") {
+        $headers["content-type"] = $value;
+    } else if ($name == "CONTENT_LENGTH") {
+        $headers["content-length"] = $value;
+    }
+}
+
+$headers['get_value'] = isset($_GET['get_value']) ? $_GET['get_value'] : '';
+
+if ($code)
+    header("HTTP/1.1 {$code} StatusText");
+
+echo json_encode( $headers );
diff --git a/cors/resources/log.php b/cors/resources/log.php
new file mode 100755
index 00000000000000..c5205105d5d803
--- /dev/null
+++ b/cors/resources/log.php
@@ -0,0 +1,27 @@
+<?php
+  $file_name = 'logs.txt';
+  $ident = isset($_GET['ident']) ? $_GET['ident'] : NULL;
+  $buffer = '';
+  $obj;
+
+  $file = fopen($file_name, 'c+');
+
+  if (filesize($file_name))
+  {
+    $buffer = fread($file, filesize($file_name));
+
+    if ($buffer)
+      $obj = json_decode($buffer);
+  }
+
+  if (isset($ident))
+    if (!$obj->$ident)
+      $obj->$ident = true;
+
+  $buffer = json_encode($obj);
+
+  rewind($file);
+  ftruncate($file, 0);
+  fwrite($file, $buffer);
+  fclose($file);
+?>
diff --git a/cors/resources/preflight.php b/cors/resources/preflight.php
new file mode 100755
index 00000000000000..8547106312bd23
--- /dev/null
+++ b/cors/resources/preflight.php
@@ -0,0 +1,20 @@
+<?php
+header("Content-Type: text/plain");
+
+if($_SERVER['REQUEST_METHOD'] == 'OPTIONS')
+{
+    if(!isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']))
+	die("ERROR: No access-control-request-method in preflight!");
+
+    header("Access-Control-Allow-Headers: x-print, " .
+            "{$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");
+
+    if (isset($_GET['max_age']))
+        header("Access-Control-Max-Age: {$_GET['max_age']}");
+
+    include("log.php");
+}
+header("Access-Control-Allow-Origin: *");
+
+$p = isset($_SERVER['HTTP_X_PRINT']) ? $_SERVER['HTTP_X_PRINT'] : "NO";
+echo $p;
diff --git a/cors/resources/remote-xhrer.html b/cors/resources/remote-xhrer.html
new file mode 100644
index 00000000000000..73a7cb444ffb5f
--- /dev/null
+++ b/cors/resources/remote-xhrer.html
@@ -0,0 +1,28 @@
+<!doctype html>
+<title>Child helper</title>
+
+<script>
+window.addEventListener("message", function(e) {
+//    e.source.postMessage(e.data, e.origin);
+
+    var client = new XMLHttpRequest();
+    var localurl = e.data.url
+                    .replace("<host>", location.host)
+                    .replace("<protocol>", location.protocol);
+
+    client.open('GET', localurl, true);
+    client.onload = function() {
+        e.data.state = "load";
+        e.data.response = client.response;
+        e.source.postMessage(e.data, e.origin);
+    }
+    client.onerror = function() {
+        e.data.state = "error";
+        e.data.response = client.response;
+        e.source.postMessage(e.data, e.origin);
+    }
+    client.send();
+});
+</script>
+
+The remote window
diff --git a/cors/resources/status.php b/cors/resources/status.php
new file mode 100755
index 00000000000000..b6cae2e5bc0457
--- /dev/null
+++ b/cors/resources/status.php
@@ -0,0 +1,40 @@
+<?php
+
+  header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
+  header("Access-Control-Expose-Headers: X-Request-Method");
+  if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS')
+    header("Access-Control-Allow-Methods: GET, CHICKEN, HEAD, POST, PUT");
+  if (isset($_GET['headers']))
+    header("Access-Control-Allow-Headers: {$_GET['headers']}");
+  header("X-Request-Method: " .
+    (isset($_SERVER["REQUEST_METHOD"]) ? $_SERVER["REQUEST_METHOD"] : ""));
+  header("X-A-C-Request-Method: " .
+    (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_METHOD"])
+      ? $_SERVER["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] : ""));
+
+  // Hack for PHP
+  function stripslashes_recursive($var) {
+    foreach($var as $i => $value)
+      $var[$i] = stripslashes($value);
+    return $var;
+  }
+  if(get_magic_quotes_gpc()) {
+    $_GET = stripslashes_recursive($_GET);
+  }
+
+  // This should reasonably work for most response codes.
+  $code = isset($_GET['code']) && ctype_digit($_GET["code"]) ? $_GET["code"] : "200";
+  $text = isset($_GET["text"]) ? $_GET["text"] : "OMG";
+
+  if (isset($_GET['preflight'])
+      && ctype_digit($_GET['preflight'])
+      && $_SERVER['REQUEST_METHOD'] == 'OPTIONS')
+    $code = $_GET['preflight'];
+
+  header("HTTP/1.1 " . $code . " " . $text);
+
+  if (isset($_GET['type']))
+    header("Content-Type:" . $_GET['type']);
+  if (isset($_GET["content"]))
+    echo $_GET['content'];
+?>
diff --git a/cors/response-headers.htm b/cors/response-headers.htm
new file mode 100644
index 00000000000000..65037744fa3043
--- /dev/null
+++ b/cors/response-headers.htm
@@ -0,0 +1,103 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>CORS - Response headers</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Response headers</h1>
+<div id=log></div>
+<script>
+
+/*
+ * Response Headers
+ */
+
+function check_response_header(head, value, desc) {
+    test(function() {
+        var client = new XMLHttpRequest()
+        client.open('GET', CROSSDOMAIN + 'resources/cors-headers.php', false)
+        client.send(null)
+
+        if (typeof value === 'function')
+            value(client, head)
+        else
+            assert_equals(client.getResponseHeader(head), value, head)
+    },
+    desc)
+}
+check_response_header('X-Custom-Header-Comma', '1, 2', 'getResponseHeader: Expose Access-Control-Expose-Headers (x-custom-header-comma)')
+check_response_header('X-Second-Expose', 'flyingpig', 'getResponseHeader: Expose second Access-Control-Expose-Headers (x-second-expose)')
+check_response_header(' x-custom-header', null, 'getResponseHeader: Don\'t trim whitespace')
+check_response_header('x-custom-header-bytes', "\xE2\x80\xA6", 'getResponseHeader: x-custom-header bytes')
+check_response_header('Date',
+    function(client, head) { assert_true(client.getResponseHeader(head).length > 2) },
+    'getResponseHeader: Exposed server field readable (Date)')
+
+function default_readable(head, value) {
+    check_response_header(head, value, 'getResponseHeader: '+head+': readable by default')
+}
+default_readable("Cache-Control", "no-cache");
+default_readable("Content-Language", "nn");
+default_readable("Expires", "Thu, 01 Dec 1994 16:00:00 GMT");
+default_readable("Last-Modified", "Thu, 01 Dec 1994 10:00:00 GMT");
+default_readable("Pragma", "no-cache");
+
+
+function default_unreadable(head) {
+    check_response_header(head, null, 'getResponseHeader: '+head+': unreadable by default')
+}
+default_unreadable("Server")
+default_unreadable("X-Powered-By")
+
+
+async_test("getResponseHeader: Combined testing of cors response headers")
+.step(function()
+{
+    var client = new XMLHttpRequest();
+    client.open("GET", CROSSDOMAIN + 'resources/cors-headers.php')
+    window.c=client;
+    client.onreadystatechange = this.step_func(function()
+    {
+        if (client.readyState == 1)
+        {
+            assert_equals(client.getResponseHeader("x-custom-header"), null, 'x-custom-header')
+        }
+        if (client.readyState > 1)
+        {
+            assert_equals(client.getResponseHeader("x-custom-header"), "test", 'x-custom-header')
+            assert_equals(client.getResponseHeader("x-custom-header-empty"), "", 'x-custom-header-empty')
+            assert_equals(client.getResponseHeader("set-cookie"), null)
+            assert_equals(client.getResponseHeader("set-cookie2"), null)
+            assert_equals(client.getResponseHeader("x-non-existent-header"), null)
+            assert_equals(client.getResponseHeader("x-nonexposed"), null)
+        }
+        if (client.readyState == 4)
+        {
+            this.done()
+        }
+    })
+    client.send()
+})
+
+test(function() {
+    var client = new XMLHttpRequest()
+    client.open('GET', CROSSDOMAIN + 'resources/cors-headers.php', false)
+    client.send(null)
+    assert_equals(client.getResponseHeader("x-custom-header"), "test", 'x-custom-header')
+    assert_equals(client.getResponseHeader("x-nonexposed"), null, 'x-nonexposed')
+}, "getResponse: don't expose x-nonexposed")
+
+test(function() {
+    var client = new XMLHttpRequest()
+    client.open('GET', CROSSDOMAIN + 'resources/cors-headers.php', false)
+    client.send(null)
+
+    h = client.getAllResponseHeaders().toLowerCase()
+    assert_true( h.indexOf('x-custom-header') >= 0, 'x-custom-header present')
+    assert_true( h.indexOf('x-nonexposed') === -1, 'x-nonexposed not present')
+}, "getAllResponseHeaders: don't expose x-nonexposed")
+
+</script>
diff --git a/cors/simple-requests.htm b/cors/simple-requests.htm
new file mode 100644
index 00000000000000..7cef0af7704b89
--- /dev/null
+++ b/cors/simple-requests.htm
@@ -0,0 +1,90 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>CORS - simple requests</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Simple requests</h1>
+<p>Simple requests shouldn't trigger preflight</p>
+
+<div id=log></div>
+<script>
+
+var test_c = 0;
+
+function check_simple(method, headers)
+{
+    test(function() {
+        var time = new Date().getTime(),
+            client = new XMLHttpRequest()
+        test_c++
+        client.open(method, CROSSDOMAIN + 'resources/preflight.php?ident='
+                            + test_c + time, false)
+        for (head in headers)
+            client.setRequestHeader(head, headers[head])
+        client.send("data")
+        assert_equals(client.getResponseHeader('content-type'), "text/plain")
+        if (method == 'HEAD')
+            assert_equals(client.response, '', 'response')
+        else
+            assert_equals(client.response, 'NO', 'response')
+
+        client.open('GET', 'resources/checkandremovefromlog.php?ident='
+                          + test_c + time, false)
+        client.send("data")
+        assert_equals(client.response, "0", "Found preflight log")
+    },
+    'No preflight ' + method + ' and ' + JSON.stringify(headers))
+}
+
+function check_simple_headers(headers) {
+    check_simple('GET', headers)
+    check_simple('HEAD', headers)
+    check_simple('POST', headers)
+}
+
+check_simple_headers({'Accept': 'test'})
+check_simple_headers({'accept-language': 'test'})
+check_simple_headers({'CONTENT-language': 'test'})
+
+check_simple_headers({'Content-Type': 'application/x-www-form-urlencoded'})
+check_simple_headers({'content-type': 'multipart/form-data'})
+check_simple_headers({'content-type': 'text/plain'})
+
+check_simple_headers({
+                        'accept': 'test',
+                        'accept-language': 'test',
+                        'content-language': 'test',
+                        'content-type': 'text/plain; parameter=whatever'
+                     })
+
+check_simple('Get', {'content-type': 'text/plain; parameter=extra_bonus'})
+check_simple('post', {'content-type': 'text/plain'})
+
+
+/* Extra async test */
+
+var simple_async = async_test("Check simple headers (async)")
+simple_async.step(function (){
+    var time = new Date().getTime(),
+        client = new XMLHttpRequest()
+    client.open('POST', CROSSDOMAIN + 'resources/preflight.php?ident='
+                        + time, true)
+
+    client.setRequestHeader('Accept', 'jewelry')
+    client.setRequestHeader('accept-language', 'nn_NO,nn,en')
+    client.setRequestHeader('content-type', 'text/plain; parameter=extra')
+    client.setRequestHeader('content-Language', 'nn_NO')
+
+    client.onload = simple_async.step_func(function() {
+        assert_equals(client.getResponseHeader('content-type'), "text/plain", 'content-type response header')
+        assert_equals(client.response, 'NO', 'response')
+        simple_async.done()
+    })
+    client.onerror = simple_async.step_func(function () { assert_unreached('onerror') })
+    client.send()
+})
+</script>
diff --git a/cors/status-async.htm b/cors/status-async.htm
new file mode 100644
index 00000000000000..872c47aaf97e16
--- /dev/null
+++ b/cors/status-async.htm
@@ -0,0 +1,112 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>CORS - status</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Status returned</h1>
+
+<div id=log></div>
+<script>
+setup({timeout: 30000})
+
+function statusRequest(method, code, text, content, type) {
+    async_test("Status on " + method + " " + code, { timeout: 15000 })
+    .step(function() {
+        var client = new XMLHttpRequest()
+        client.open(method, CROSSDOMAIN + "resources/status.php?code="
+            + code + "&text=" + text + "&content=" + content + "&type=" + type, true)
+        client.onreadystatechange = this.step_func(function() {
+            if (client.readyState != client.DONE)
+                return
+
+            assert_equals(client.status, code, 'response status')
+            assert_equals(client.statusText, text, 'response status text')
+            assert_equals(client.getResponseHeader("X-Request-Method"), method, 'method')
+            if(method != "HEAD") {
+                if(type == "text/xml") {
+                    assert_equals(client.responseXML.documentElement.localName,
+                                "x", 'responseXML')
+                }
+                assert_equals(client.response, content, 'response content')
+            }
+            this.done()
+        })
+
+        client.send(null)
+    })
+}
+
+  /*            method     code text  content        type */
+  statusRequest("GET",     200, 'OK', 'Not today.',  '')
+  statusRequest("POST",    200, 'OK', '<x>402<\/x>', 'text/xml')
+  statusRequest("HEAD",    200, 'OK', 'Nice!',       'text/doesnotmatter')
+  statusRequest("PUT",     200, 'OK', '400',         'text/plain')
+  statusRequest("CHICKEN", 200, 'OK', 'bah',         '')
+
+
+function statusRequest2(method, code, expect_code, nonsimple) {
+    if (expect_code === undefined)
+        expect_code = code
+
+    async_test("Status on " + method + " " + code + (nonsimple?' (nonsimple)':''), { timeout: 15000 })
+    .step(function() {
+        var client = new XMLHttpRequest()
+
+        client.open(method, CROSSDOMAIN + "resources/status.php?code="
+          + code + '&headers=x-nonsimple&text=OHAI', true)
+
+        if (nonsimple)
+            client.setRequestHeader('x-nonsimple', true)
+
+        client.onreadystatechange = this.step_func(function() {
+            if (client.readyState < client.HEADERS_RECIEVED)
+                return
+            assert_equals(client.response, "", "response data")
+            assert_equals(client.status, expect_code, "response status")
+            /* Response code 200 forces webserver to send OK(?) */
+            if(expect_code == 200)
+                assert_equals(client.statusText, "OK", "response statusText")
+            else
+                assert_equals(client.statusText, (expect_code == 0 ? "" : "OHAI"), "response statusText")
+            if (client.readyState == client.DONE)
+                this.done()
+        })
+
+        client.onerror = this.step_func(function(e) {
+            assert_unreached("Got error event.")
+        })
+
+        client.send()
+    })
+}
+
+  /*                                 expect
+                    method     code  status */
+  statusRequest2("GET",     201)
+  statusRequest2("GET",     204)
+  statusRequest2("GET",     299)
+  statusRequest2("GET",     400)
+  statusRequest2("HEAD",    401)
+  statusRequest2("POST",    404)
+  statusRequest2("POST",    500)
+
+  /* Preflight response status is not 200, so the algorithm set status to 0. */
+  statusRequest2("PUT",     699,  0)
+  statusRequest2("CHICKEN", 501,  0)
+
+  /*                                 preflight */
+  statusRequest2("GET",     201,  0, true)
+  statusRequest2("GET",     203,  0, true)
+  statusRequest2("GET",     204,  0, true)
+  statusRequest2("GET",     299,  0, true)
+  statusRequest2("GET",     400,  0, true)
+  statusRequest2("HEAD",    401,  0, true)
+  statusRequest2("POST",    404,  0, true)
+  statusRequest2("PUT",     699,  0, true)
+  statusRequest2("CHICKEN", 501,  0, true)
+
+</script>
diff --git a/cors/status-preflight.htm b/cors/status-preflight.htm
new file mode 100644
index 00000000000000..96613060306f6f
--- /dev/null
+++ b/cors/status-preflight.htm
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>CORS - status after preflight</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Status after preflight</h1>
+
+<div id=log></div>
+<script>
+var counter = 0
+
+function statusAfterPreflight(method, code) {
+    counter++
+
+    async_test(document.title + " on " + method + " " + code).step(function() {
+        var client = new XMLHttpRequest()
+        client.open(method, CROSSDOMAIN + "resources/status.php?" + counter
+            +"&code=" + code + '&headers=x-nonsimple&preflight=200', true)
+
+        client.setRequestHeader('x-nonsimple', true)
+        client.onreadystatechange = this.step_func(function() {
+            assert_equals(client.response, "", "response data")
+            assert_equals(client.status, code, "response status")
+            if (client.readyState == client.DONE)
+                /* Wait for spurious error events */
+                setTimeout(this.step_func(function() { this.done() }), 10)
+        })
+
+        client.onerror = this.step_func(function() {
+            assert_unreached("Shouldn't throw no error event!")
+        })
+
+        client.send()
+    })
+}
+
+/*                   method     code */
+statusAfterPreflight("GET",     200)
+statusAfterPreflight("GET",     204)
+statusAfterPreflight("GET",     400)
+statusAfterPreflight("GET",     401)
+
+statusAfterPreflight("HEAD",    200)
+statusAfterPreflight("HEAD",    204)
+statusAfterPreflight("HEAD",    400)
+statusAfterPreflight("HEAD",    401)
+statusAfterPreflight("HEAD",    501)
+statusAfterPreflight("HEAD",    699)
+
+statusAfterPreflight("POST",    204)
+statusAfterPreflight("POST",    400)
+statusAfterPreflight("POST",    401)
+statusAfterPreflight("POST",    404)
+
+statusAfterPreflight("PUT",     699)
+statusAfterPreflight("CHICKEN", 501)
+
+</script>
diff --git a/cors/status.htm b/cors/status.htm
new file mode 100644
index 00000000000000..f8e08ba985554f
--- /dev/null
+++ b/cors/status.htm
@@ -0,0 +1,80 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>CORS status</title>
+<meta name=help href=http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request-with-preflight-0>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support.js"></script>
+
+<h1>The returned status code in different scenarios</h1>
+
+<script>
+
+    var counter = 0
+
+    function testit(allow, preflight, response, status) {
+        async_test(
+            (++counter) + '. ' +
+            (allow ? 'CORS allowed' : 'CORS disallowed') +
+            (preflight ? ', preflight status '+preflight : '') +
+            (response ? ', response status '+response : '') +
+            '.'
+        ).step(function() {
+            var client = new XMLHttpRequest()
+            client.open('GET', CROSSDOMAIN + 'resources/cors-makeheader.php?' + counter +
+                (allow ? '&headers=x-custom': '&origin=none') +
+                (response ? '&code='+response : '') +
+                (preflight ? '&preflight='+preflight : '')
+            )
+
+            if (preflight)
+                client.setRequestHeader('X-Custom', 'preflight')
+
+            client.onload = this.step_func(function() {
+                if (!status)
+                    assert_unreached("load event")
+
+                /* Allow spurious error events to fire */
+                setTimeout(this.step_func(function() {
+                    assert_equals(client.status, status, "status")
+                    this.done()
+                }), 10)
+            })
+
+            client.onerror = this.step_func(function() {
+                if (status)
+                    assert_unreached("error event")
+
+                assert_equals(client.readyState, client.DONE, 'readyState')
+                assert_equals(client.status, 0, 'status')
+                this.done()
+            })
+
+            client.send()
+
+        })
+    }
+
+    /*     allow  pref  resp  status */
+    testit(false, null, 400,  0)
+    testit(false, 200,  null, 0)
+    testit(true,  null, 400,  400)
+    testit(true,  200,  400,  400)
+    testit(true,  400,  null, 0)
+
+</script>
+
+<pre>
+   allowed  preflight  response  | status |
+   -------  ---------  --------  | ------ |
+ 1      no          x       400  |      0 |
+ 2      no        200         x  |      0 |
+ 3     yes          x       400  |    400 |
+ 4     yes        200       400  |    400 |
+ 5     yes        400         x  |      0 |
+</pre>
+
+<div id=log></div>
+
diff --git a/cors/support.js b/cors/support.js
new file mode 100644
index 00000000000000..795f9a30da3886
--- /dev/null
+++ b/cors/support.js
@@ -0,0 +1,29 @@
+// For ignoring exception names (just for testing)
+/*
+_real_assert_throws = assert_throws;
+function assert_throws(d, func, desc) {
+    try {
+        func();
+    } catch(e) {
+        return true;
+    }
+    assert_unreached("Didn't throw!");
+}
+*/
+
+function dirname(path) {
+    return path.replace(/\/[^\/]*$/, '/')
+}
+
+/* This subdomain should point to this same location */
+var SUBDOMAIN = 'www1'
+var SUBDOMAIN2 = 'www2'
+var PORT = '81'
+var PORTS = '83' // w3c actually has no 'alternate' https port
+
+/* Changes http://example.com/abc/def/cool.htm to http://www1.example.com/abc/def/ */
+var CROSSDOMAIN     = dirname(location.href)
+                        .replace('://', '://' + SUBDOMAIN + '.')
+var REMOTE_HOST     = SUBDOMAIN + '.' + location.host
+var REMOTE_PROTOCOL = location.protocol
+var REMOTE_ORIGIN   = REMOTE_PROTOCOL + '//' + REMOTE_HOST
diff --git a/cors/testrunner.html b/cors/testrunner.html
new file mode 100644
index 00000000000000..01d3a4c90e2faa
--- /dev/null
+++ b/cors/testrunner.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html lang=en>
+<meta charset=UTF-8>
+<title>Web tests</title>
+<link rel=stylesheet href=/resources/test-runner/runner.css>
+<script src=/resources/test-runner/runner.js></script>
+
+<p><button value=./>Run tests in this dir</button>

From c03f38d2ea03c25db17d5277bda3b7a7639af349 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Odin=20H=C3=B8rthe=20Omdal?= <odinho@opera.com>
Date: Fri, 30 Aug 2013 19:03:54 +0200
Subject: [PATCH 2/3] CORS: Use async XHR instead of sync for withCredentials

---
 cors/credentials-flag.htm | 111 ++++++++++++++++++++++----------------
 1 file changed, 64 insertions(+), 47 deletions(-)

diff --git a/cors/credentials-flag.htm b/cors/credentials-flag.htm
index 6e83da69510b16..2f1f21185b6b81 100644
--- a/cors/credentials-flag.htm
+++ b/cors/credentials-flag.htm
@@ -18,72 +18,89 @@ <h1>CORS - Access-Control-Allow-Credentials</h1>
  */
 // XXX Do some https tests here as well
 test(function () {
-    var id = new Date().getTime(),
+    var client = new XMLHttpRequest()
+    client.open('GET', CROSSDOMAIN, false)
+    assert_throws(null, function() { client.withCredentials = true; }, 'setting withCredentials')
+}, 'Setting withCredentials on a sync XHR object should throw')
+
+async_test(function () {
+    var id = new Date().getTime() + '_1',
         client = new XMLHttpRequest()
-    client.open("GET", url + id, false)
+    client.open("GET", url + id, true)
+    client.onload = this.step_func(function() {
+        assert_equals(client.response, "NO_COOKIE")
+        client.open("GET", url + id, true)
+        client.onload = this.step_func(function() {
+            assert_equals(client.response, "NO_COOKIE")
+            this.done()
+        })
+        client.send(null)
+    })
     client.send(null)
-    assert_equals(client.response, "NO_COOKIE");
 
-    client.open("GET", url + id, false)
-    client.send(null)
-    assert_equals(client.response, "NO_COOKIE")
 }, "Don't send cookie by default");
 
-test(function () {
-    var id = new Date().getTime(),
+async_test(function () {
+    var id = new Date().getTime() + '_2',
         client = new XMLHttpRequest()
 
-    client.open("GET", url + id, false)
-    client.withCredentials = true
-    client.send(null)
-    assert_equals(client.response, "NO_COOKIE");
-
-    /* We have cookie, but the browser shouldn't send */
-    client.open("GET", url + id, false)
-    client.withCredentials = false
-    client.send(null)
-    assert_equals(client.response, "NO_COOKIE")
-
-    /* Reads and deletes the cookie */
-    client.open("GET", url + id, false)
+    client.open("GET", url + id, true)
     client.withCredentials = true
+    client.onload = this.step_func(function() {
+        assert_equals(client.response, "NO_COOKIE");
+
+        /* We have cookie, but the browser shouldn't send */
+        client.open("GET", url + id, true)
+        client.withCredentials = false
+        client.onload = this.step_func(function() {
+            assert_equals(client.response, "NO_COOKIE")
+
+            /* Reads and deletes the cookie */
+            client.open("GET", url + id, true)
+            client.withCredentials = true
+            client.onload = this.step_func(function() {
+                assert_equals(client.response, "COOKIE")
+                this.done()
+            })
+            client.send(null)
+        })
+        client.send(null)
+    })
     client.send(null)
-    assert_equals(client.response, "COOKIE")
 }, "Don't send cookie part 2");
 
-test(function () {
-    var id = new Date().getTime(),
+async_test(function () {
+    var id = new Date().getTime() + '_3',
         client = new XMLHttpRequest()
 
     /* Shouldn't set the response cookie */
-    client.open("GET", url + id, false)
+    client.open("GET", url + id, true)
     client.withCredentials = false
+    client.onload = this.step_func(function() {
+        console.log(client.response + '_', client.response)
+        assert_equals(client.response, "NO_COOKIE", "first");
+
+        /* Sets the cookie */
+        client.open("GET", url + id, true)
+        client.withCredentials = true
+        client.onload = this.step_func(function() {
+            assert_equals(client.response, "NO_COOKIE", "second")
+
+            /* Reads and deletes the cookie */
+            client.open("GET", url + id, true)
+            client.withCredentials = true
+            client.onload = this.step_func(function() {
+                assert_equals(client.response, "COOKIE", "third")
+                this.done()
+            })
+            client.send(null)
+        })
+        client.send(null)
+    })
     client.send(null)
-    assert_equals(client.response, "NO_COOKIE");
-
-    /* Sets the cookie */
-    client.open("GET", url + id, false)
-    client.withCredentials = true
-    client.send(null)
-    assert_equals(client.response, "NO_COOKIE")
-
-    /* Reads and deletes the cookie */
-    client.open("GET", url + id, false)
-    client.withCredentials = true
-    client.send(null)
-    assert_equals(client.response, "COOKIE")
 }, "Don't obey Set-Cookie when withCredentials=false");
 
 function test_response_header(allow) {
-    test(function () {
-        var client = new XMLHttpRequest()
-        client.open('GET',
-            CROSSDOMAIN + 'resources/cors-makeheader.php?credentials=' + allow,
-            false)
-        client.withCredentials = true;
-        assert_throws(null, function() { client.send() }, 'send')
-    }, 'Access-Control-Allow-Credentials: ' + allow + ' should be disallowed (sync)')
-
     var resp_test = async_test('Access-Control-Allow-Credentials: ' + allow + ' should be disallowed (async)')
     resp_test.step(function() {
         var client = new XMLHttpRequest()

From e44df070f5adfb5e8a035f62eb32b434aa53735c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Odin=20H=C3=B8rthe=20Omdal?= <odinho@opera.com>
Date: Fri, 30 Aug 2013 19:09:24 +0200
Subject: [PATCH 3/3] CORS: Don't check response code on OPENED status

---
 cors/status-async.htm     | 2 +-
 cors/status-preflight.htm | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/cors/status-async.htm b/cors/status-async.htm
index 872c47aaf97e16..6dddba1a0bdbff 100644
--- a/cors/status-async.htm
+++ b/cors/status-async.htm
@@ -63,7 +63,7 @@ <h1>Status returned</h1>
             client.setRequestHeader('x-nonsimple', true)
 
         client.onreadystatechange = this.step_func(function() {
-            if (client.readyState < client.HEADERS_RECIEVED)
+            if (client.readyState < client.HEADERS_RECEIVED)
                 return
             assert_equals(client.response, "", "response data")
             assert_equals(client.status, expect_code, "response status")
diff --git a/cors/status-preflight.htm b/cors/status-preflight.htm
index 96613060306f6f..42cc4f85e1c47c 100644
--- a/cors/status-preflight.htm
+++ b/cors/status-preflight.htm
@@ -23,6 +23,8 @@ <h1>Status after preflight</h1>
 
         client.setRequestHeader('x-nonsimple', true)
         client.onreadystatechange = this.step_func(function() {
+            if (client.readyState < client.HEADERS_RECEIVED)
+                return
             assert_equals(client.response, "", "response data")
             assert_equals(client.status, code, "response status")
             if (client.readyState == client.DONE)