      1 <!DOCTYPE html>
      2 <meta charset=utf-8>
      3 <title>CORS - 304 Responses</title>
      4 <meta name="timeout" content="long">
      5 <meta name=author title="Mark Nottingham" href="mailto:mnot@mnot.net">
      6 
      7 <script src=/resources/testharness.js></script>
      8 <script src=/resources/testharnessreport.js></script>
      9 <script src=support.js?pipe=sub></script>
     10 
     11 <h1>CORS - 304 Responses</h1>
     12 <div id=log></div>
     13 <script>
     14 
     15 
     16 /*
     17 * 304 Responses
     18 */
     19 
// Correlates each request with its response: the client sends its request id
// in this header and the assertions below expect the test server to echo it
// back, which is how a fresh server reply is told apart from a cached one.
var state_header = "content-language"
     22 
/*
 * Issue one asynchronous GET for `url`, tagging it with `id` in the
 * correlation header (state_header). Once the request is DONE, assert inside
 * the test step that the server did not answer with status 299 (the assertion
 * message relays the response body as the server's explanation), then hand
 * the XMLHttpRequest to ready(). The XMLHttpRequest is also returned.
 */
function req(url, id, t, ready) {
  var xhr = new XMLHttpRequest()
  xhr.open('GET', url, true)
  xhr.setRequestHeader(state_header, id)
  xhr.send()
  xhr.onreadystatechange = function() {
    if (xhr.readyState != xhr.DONE) return
    var failure_detail = "req " + id + " server says: " + xhr.responseText
    t.step(function() {
      assert_not_equals(xhr.status, 299, failure_detail)
    })
    ready(xhr)
  }
  return xhr
}
     39 
/*
 * Run the two-request cache probe shared by every test below.
 *
 * Request 1 (tagged id1) must come straight from the server: body "Success"
 * and the correlation header echoing id1. After a pause long enough for that
 * response to be stored, request 2 (tagged id2) is sent to the same URL; the
 * server side (resources/304.py, not visible here) is presumably expected to
 * revalidate it with a 304 so the browser merges the 304's headers into the
 * stored response. If should_have_same_body is set, both bodies must match.
 * Finally done(client1, client2) runs the caller's own CORS checks and the
 * test is marked finished.
 */
function two_reqs(id1, id2, should_have_same_body, t, done) {
  // Per-run value, presumably so a stale entry from an earlier run cannot
  // satisfy request 1. The literal "%s" is part of the original query
  // template and is kept as-is.
  var cache_buster = Date.now()
  var url = CROSSDOMAIN + 'resources/304.py?id=' + id1 + '&r=%s' + cache_buster
  // Delay before request 2, giving the cache time to store request 1.
  var cache_settle_ms = 5000

  function on_second_done(first, second) {
    t.step(function() {
      if (should_have_same_body) {
        assert_equals(first.response, second.response, "response bodies were different;")
//      Checks on the correlation header of the 304 are disabled in this test:
//        var res_id2 = second.getResponseHeader(state_header)
//        assert_not_equals(res_id2, id1, "2nd response doesn't appear to have updated cached headers;")
//        assert_not_equals(res_id2, null, "2nd response didn't expose request identifier;")
//        assert_equals(res_id2, id2, "2nd response is associated with a different request (!);")
      }
      done(first, second)
    })
    t.done()
  }

  function on_first_done(first) {
    t.step(function() {
      assert_equals(first.response, "Success", "didn't get successful 1st response;")
      assert_equals(first.getResponseHeader(state_header), id1, "1st response didn't come from server;")
    })
    t.step_timeout(function() {
      req(url, id2, t, function(second) { on_second_done(first, second) })
    }, cache_settle_ms)
  }

  req(url, id1, t, on_first_done)
}
     71 
// Case 1 (ids 1 -> 2): the revalidating 304 carries no CORS headers at all.
// The cached response's CORS state must then be inherited unchanged, so the
// "A" header, which the assertion message says was never permitted, still
// reads back as null.
async_test(function(t) {
  function check_nothing_newly_exposed(client1, client2) {
    assert_equals(client1.getResponseHeader("A"), null, "'A' header exposed without permission;")
  }
  two_reqs('1', '2', true, t, check_nothing_newly_exposed)
}, "A 304 response with no CORS headers inherits from the stored response")
     77 
// Case 2 (ids 3 -> 4): the 304 widens Access-Control-Expose-Headers. Both "A"
// and "B" must be readable on the second client; the expected value "4"
// matches id2, which suggests the header values come from the 304 itself
// rather than from the stored response.
async_test(function(t) {
  function check_headers_now_exposed(client1, client2) {
    assert_equals(client2.getResponseHeader("A"), "4", "304 didn't expose 'A' header, even though allowed;")
    assert_equals(client2.getResponseHeader("B"), "4", "304 didn't expose 'B' header even though allowed;")
  }
  two_reqs('3', '4', true, t, check_headers_now_exposed)
}, "A 304 can expand Access-Control-Expose-Headers")
     84 
// Case 3 (ids 5 -> 6): the 304 narrows Access-Control-Expose-Headers. A
// permission the 304 withdraws must be honoured rather than overridden by the
// stored response's wider grant, so "B" is no longer readable on the second
// client.
async_test(function(t) {
  function check_header_withdrawn(client1, client2) {
    assert_equals(client2.getResponseHeader("B"), null, "2nd 304 exposed 'B' header;")
  }
  two_reqs('5', '6', true, t, check_header_withdrawn)
}, "A 304 can contract Access-Control-Expose-Headers")
     90 
// Case 4 (ids 7 -> 8): the 304 changes Access-Control-Allow-Origin so that
// this origin is no longer allowed. The stricter policy must apply to the
// cached entry, so the second response body must differ from the first
// "Success" body; should_have_same_body is therefore false here.
async_test(function(t) {
  function check_access_revoked(client1, client2) {
    assert_not_equals(client1.response, client2.response, "Access granted even though 304 updated it to disallow;")
  }
  two_reqs('7', '8', false, t, check_access_revoked)
}, "A 304 can change Access-Control-Allow-Origin")
     96 
     97 
     98 </script>