cors: Add the Opera CORS tests #112

Merged
merged 3 commits into from
Aug 30, 2013
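--- a/cors/MANIFEST
+++ b/cors/MANIFEST
@@ -0,0 +1,16 @@
+allow-headers.htm
+basic.htm
+credentials-flag.htm
+origin.htm
+preflight-cache.htm
+redirect-origin.htm
+redirect-preflight-2.htm
+redirect-preflight.htm
+redirect-userinfo.htm
+remote-origin.htm
+request-headers.htm
+response-headers.htm
+simple-requests.htm
+status-async.htm
+status-preflight.htm
+status.htm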
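--- a/cors/allow-headers.htm
+++ b/cors/allow-headers.htm
@@ -0,0 +1,89 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Access-Control-Allow-Headers handling</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Access-Control-Allow-Headers handling</h1>
+
+<div id=log></div>
+
+<script>
+
+/*
+* Origin header
+*/
+function shouldPass(origin) {
+test(function () {
+var client = new XMLHttpRequest()
+client.open('GET', CROSSDOMAIN
++ '/resources/cors-makeheader.php?origin='
++ encodeURIComponent(origin),
+false)
+client.send()
+r = JSON.parse(client.response)
+var host = location.protocol + "//" + location.host
+assert_equals(r['origin'], host, 'Request Origin: should be ' + host)
+}, 'Allow origin: ' + origin.replace(/\t/g, "[tab]").replace(/ /g, '_'));
+}
+
+shouldPass('*');
+shouldPass(' * ');
+shouldPass(' *');
+shouldPass(location.protocol + "//" + location.host);
+shouldPass(" "+location.protocol + "//" + location.host);
+shouldPass(" "+location.protocol + "//" + location.host + " ");
+shouldPass(" "+location.protocol + "//" + location.host);
+
+
+function shouldFail(origin) {
+test(function () {
+var client = new XMLHttpRequest()
+client.open('GET', CROSSDOMAIN
++ '/resources/cors-makeheader.php?origin='
++ encodeURIComponent(origin),
+false)
+assert_throws(null, function() { client.send() }, 'send')
+}, 'Disallow origin: ' + origin);
+}
+
+shouldFail(location.protocol + "//" + SUBDOMAIN + "." + location.host)
+shouldFail("//" + location.host)
+shouldFail("://" + location.host)
+shouldFail("ftp://" + location.host)
+shouldFail("http:://" + location.host)
+shouldFail("http:/" + location.host)
+shouldFail("http:" + location.host)
+shouldFail(location.host)
+shouldFail(location.protocol + "//" + location.host + "?")
+shouldFail(location.protocol + "//" + location.host + "/")
+shouldFail(location.protocol + "//" + location.host + " /")
+shouldFail(location.protocol + "//" + location.host + "#")
+shouldFail(location.protocol + "//" + location.host + "%23")
+shouldFail(location.protocol + "//" + location.host + ":80")
+shouldFail(location.protocol + "//" + location.host + ", *")
+shouldFail(location.protocol + "//" + location.host + "\0")
+shouldFail((location.protocol + "//" + location.host).toUpperCase())
+shouldFail(location.protocol.toUpperCase() + "//" + location.host)
+shouldFail("-")
+shouldFail("**")
+shouldFail("\0*")
+shouldFail("*\0")
+shouldFail("'*'")
+shouldFail('"*"')
+shouldFail("* *")
+shouldFail("*" + location.protocol + "//" + "*")
+shouldFail("*" + location.protocol + "//" + location.host)
+shouldFail("* " + location.protocol + "//" + location.host)
+shouldFail("*, " + location.protocol + "//" + location.host)
+shouldFail("\0" + location.protocol + "//" + location.host)
+shouldFail("null " + location.protocol + "//" + location.host)
+shouldFail('http://example.net')
+shouldFail('null')
+shouldFail('')
+shouldFail(location.href)
+shouldFail(dirname(location.href))
+shouldFail(CROSSDOMAIN)
+
+</script>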
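Review bot: In `shouldPass`, `r = JSON.parse(client.response)` assigns to an undeclared variable, so every run writes a global `r` and the line would throw if the script were ever evaluated in strict mode; declare it locally with `var r = JSON.parse(client.response)`. The `<title>` and `<h1>` say Access-Control-Allow-Headers, but every case varies the `origin` query parameter and the block comment reads "Origin header", so the page appears to exercise Access-Control-Allow-Origin matching; it is worth confirming that the file name and title match what is tested. `shouldFail` puts the raw origin into the test name, unlike `shouldPass`, which escapes tabs and spaces, so the `\0` and empty-string cases produce names that are hard to tell apart in a report.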
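--- a/cors/basic.htm
+++ b/cors/basic.htm
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Basic CORS</title>
+<meta name=help href=http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#simple-cross-origin-request-0>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+<div id=log></div>
+
+<script>
+
+var counter = 0;
+
+function cors(desc, url) {
+async_test(desc).step(function() {
+var client = new XMLHttpRequest();
+this.count = counter++;
+
+client.open("GET", url + "resources/cors-makeheader.php?get_value=hest_er_best&origin=none&" + this.count);
+
+client.onreadystatechange = this.step_func(function(e) {
+// First request, test that it fails with no origin
+if (client.readyState < 4) return;
+if (!url)
+assert_true(client.response.indexOf("hest_er_best") != -1, "Got response");
+else
+assert_false(!!client.response, "Got CORS-disallowed response");
+
+client = new XMLHttpRequest();
+client.open("GET", url + "resources/cors-makeheader.php?get_value=hest_er_best&" + this.count);
+client.onreadystatechange = this.step_func(function(e) {
+// Second request, test that it passes with the allowed-origin
+if (client.readyState < 4) return;
+assert_true(client.response.indexOf("hest_er_best") != -1, "Got CORS-allowed response");
+this.done();
+});
+client.send();
+});
+client.send();
+});
+}
+
+cors("Same domain basic usage", "");
+cors("Cross domain basic usage", CROSSDOMAIN);
+cors("Same domain different port",
+"http://" + location.hostname + ":" + PORT + dirname(location.pathname));
+
+cors("Cross domain different port",
+"http://" + SUBDOMAIN + "." + location.hostname + ":"
++ PORT + dirname(location.pathname));
+
+/* These require HTTPS setup, so will often fail locally */
+cors("Same domain different protocol",
+'https://' + location.host + dirname(location.pathname));
+
+cors("Cross domain different protocol",
+CROSSDOMAIN.replace("http:", "https:"));
+
+/* W3C has no "alternative" port for HTTPS. So turn these tests off.
+
+cors("Same domain different protocol different port",
+"https://" + location.hostname + ":" + PORTS + dirname(location.pathname));
+
+cors("Cross domain different protocol different port",
+"https://" + SUBDOMAIN + "." + location.hostname + ":"
++ PORTS + dirname(location.pathname));
+*/
+
+</script>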
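Review bot: The negative check on the first request in `cors()`, `assert_false(!!client.response, "Got CORS-disallowed response")`, only proves the body is empty, so a user agent that withholds the body but still exposes the status of a disallowed cross-origin response would pass. Adding `assert_equals(client.status, 0, "status hidden for CORS-disallowed response")` to that `else` branch (which then needs braces) would pin this down, unless status.htm from the MANIFEST is meant to be the only place that covers it. The "different port" URLs hard-code `"http://"` and the protocol case relies on `CROSSDOMAIN.replace("http:", "https:")`, which presumably assumes the suite is served over plain HTTP; a one-line comment stating that assumption would help anyone running it under HTTPS.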
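--- a/cors/credentials-flag.htm
+++ b/cors/credentials-flag.htm
@@ -0,0 +1,129 @@
+<!DOCTYPE html>
+<title>CORS - Access-Control-Allow-Credentials</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>CORS - Access-Control-Allow-Credentials</h1>
+<div id=log></div>
+<script>
+
+var url = CROSSDOMAIN + 'resources/cors-cookie.php?ident='
+
+
+/*
+* widthCredentials
+*/
+// XXX Do some https tests here as well
+test(function () {
+var client = new XMLHttpRequest()
+client.open('GET', CROSSDOMAIN, false)
+assert_throws(null, function() { client.withCredentials = true; }, 'setting withCredentials')
+}, 'Setting withCredentials on a sync XHR object should throw')
+
+async_test(function () {
+var id = new Date().getTime() + '_1',
+client = new XMLHttpRequest()
+client.open("GET", url + id, true)
+client.onload = this.step_func(function() {
+assert_equals(client.response, "NO_COOKIE")
+client.open("GET", url + id, true)
+client.onload = this.step_func(function() {
+assert_equals(client.response, "NO_COOKIE")
+this.done()
+})
+client.send(null)
+})
+client.send(null)
+
+}, "Don't send cookie by default");
+
+async_test(function () {
+var id = new Date().getTime() + '_2',
+client = new XMLHttpRequest()
+
+client.open("GET", url + id, true)
+client.withCredentials = true
+client.onload = this.step_func(function() {
+assert_equals(client.response, "NO_COOKIE");
+
+/* We have cookie, but the browser shouldn't send */
+client.open("GET", url + id, true)
+client.withCredentials = false
+client.onload = this.step_func(function() {
+assert_equals(client.response, "NO_COOKIE")
+
+/* Reads and deletes the cookie */
+client.open("GET", url + id, true)
+client.withCredentials = true
+client.onload = this.step_func(function() {
+assert_equals(client.response, "COOKIE")
+this.done()
+})
+client.send(null)
+})
+client.send(null)
+})
+client.send(null)
+}, "Don't send cookie part 2");
+
+async_test(function () {
+var id = new Date().getTime() + '_3',
+client = new XMLHttpRequest()
+
+/* Shouldn't set the response cookie */
+client.open("GET", url + id, true)
+client.withCredentials = false
+client.onload = this.step_func(function() {
+console.log(client.response + '_', client.response)
+assert_equals(client.response, "NO_COOKIE", "first");
+
+/* Sets the cookie */
+client.open("GET", url + id, true)
+client.withCredentials = true
+client.onload = this.step_func(function() {
+assert_equals(client.response, "NO_COOKIE", "second")
+
+/* Reads and deletes the cookie */
+client.open("GET", url + id, true)
+client.withCredentials = true
+client.onload = this.step_func(function() {
+assert_equals(client.response, "COOKIE", "third")
+this.done()
+})
+client.send(null)
+})
+client.send(null)
+})
+client.send(null)
+}, "Don't obey Set-Cookie when withCredentials=false");
+
+function test_response_header(allow) {
+var resp_test = async_test('Access-Control-Allow-Credentials: ' + allow + ' should be disallowed (async)')
+resp_test.step(function() {
+var client = new XMLHttpRequest()
+client.open('GET',
+CROSSDOMAIN + 'resources/cors-makeheader.php?credentials=' + allow,
+true)
+client.withCredentials = true;
+client.onload = resp_test.step_func(function() {
+assert_unreached("onload")
+})
+client.onerror = resp_test.step_func(function () {
+assert_equals(client.readyState, client.DONE, 'readyState')
+resp_test.done()
+})
+client.send()
+})
+}
+
+test_response_header('TRUE')
+test_response_header('True')
+test_response_header('"true"')
+test_response_header('false')
+test_response_header('1')
+test_response_header('0')
+
+</script>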
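Review bot: The "Don't obey Set-Cookie when withCredentials=false" test still carries a debugging line, `console.log(client.response + '_', client.response)`, inside its first `onload` step. It adds noise to every run and, because it sits inside `step_func`, a user agent without a `console` object would fail the test for a reason unrelated to cookies, so it should be dropped. The section comment reads `widthCredentials` and should be `withCredentials`. `test_response_header` completes only from `onerror`, so a short comment would help, such as `/* any value other than the exact string "true" must be treated as a network error */`; the accepted `true` case is presumably left to the cookie tests above, which is worth saying there too.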