credentials-flag.htm (4376B)


      1 <!DOCTYPE html>
      2 <title>CORS - Access-Control-Allow-Credentials</title>
      3 <meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
      4 
      5 <script src=/resources/testharness.js></script>
      6 <script src=/resources/testharnessreport.js></script>
      7 <script src=support.js?pipe=sub></script>
      8 
      9 <h1>CORS - Access-Control-Allow-Credentials</h1>
     10 <div id=log></div>
     11 <script>
     12 
// Cross-origin endpoint (CROSSDOMAIN is not defined in this file; presumably
// provided by support.js) that reports "COOKIE" / "NO_COOKIE" for the cookie
// keyed by the ?ident= value each test below appends.
var url = CROSSDOMAIN + 'resources/cors-cookie.py?ident='
     14 
     15 
     16 /*
     17 * withCredentials
     18 */
     19 // XXX Do some https tests here as well
     20 
// Setting withCredentials on a synchronous XHR (third open() argument false)
// must not throw; the request is never sent.
test(function () {
    var xhr = new XMLHttpRequest();
    xhr.open('GET', CROSSDOMAIN, false);
    xhr.withCredentials = true;
}, 'Setting withCredentials on a sync XHR object should not throw')
     26 
// Two consecutive requests with withCredentials left at its default (false):
// neither may report a cookie, whether or not the first response tried to set one.
async_test(function () {
    var t = this;
    var ident = new Date().getTime() + '_1';
    var xhr = new XMLHttpRequest();

    // Issues one async GET to the cookie endpoint and runs onLoaded as a test step.
    function requestWithoutCredentials(onLoaded) {
        xhr.open("GET", url + ident, true);
        xhr.onload = t.step_func(onLoaded);
        xhr.send(null);
    }

    requestWithoutCredentials(function () {
        assert_equals(xhr.response, "NO_COOKIE");
        requestWithoutCredentials(function () {
            assert_equals(xhr.response, "NO_COOKIE");
            t.done();
        });
    });
}, "Don't send cookie by default");
     43 
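// Three requests against the same ident: credentialed (server sets the cookie),
// then non-credentialed (cookie must not be sent), then credentialed again
// (cookie is sent; the server reads and deletes it).
async_test(function () {
    var t = this;
    var ident = new Date().getTime() + '_2';
    var xhr = new XMLHttpRequest();

    // Every request here is asynchronous (third open() argument true); the
    // assertion messages below say so, where they previously said "sync".
    function request(withCredentials, onLoaded) {
        xhr.open("GET", url + ident, true);
        xhr.withCredentials = withCredentials;
        xhr.onload = t.step_func(onLoaded);
        xhr.send(null);
    }

    request(true, function () {
        assert_equals(xhr.response, "NO_COOKIE", "No cookie in initial request");

        /* We have the cookie now, but without credentials the browser must not send it */
        request(false, function () {
            assert_equals(xhr.response, "NO_COOKIE", "No cookie after withCredentials=false async request");

            /* Reads and deletes the cookie */
            request(true, function () {
                assert_equals(xhr.response, "COOKIE", "Cookie sent in withCredentials=true async request");
                t.done();
            });
        });
    });
}, "Don't send cookie part 2");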
     72 
// A Set-Cookie received on a withCredentials=false response must be ignored:
// the following credentialed request must still see no cookie, and only the
// cookie set by that credentialed request is reported afterwards.
async_test(function () {
    var t = this;
    var ident = new Date().getTime() + '_3';
    var xhr = new XMLHttpRequest();

    // Issues one async GET with the given withCredentials flag; onLoaded runs as a test step.
    function request(withCredentials, onLoaded) {
        xhr.open("GET", url + ident, true);
        xhr.withCredentials = withCredentials;
        xhr.onload = t.step_func(onLoaded);
        xhr.send(null);
    }

    /* Shouldn't set the response cookie */
    request(false, function () {
        assert_equals(xhr.response, "NO_COOKIE", "first");

        /* Sets the cookie */
        request(true, function () {
            assert_equals(xhr.response, "NO_COOKIE", "second");

            /* Reads and deletes the cookie */
            request(true, function () {
                assert_equals(xhr.response, "COOKIE", "third");
                t.done();
            });
        });
    });
}, "Don't obey Set-Cookie when withCredentials=false");
    102 
/**
 * Registers an async test asserting that a credentialed request whose response
 * carries `Access-Control-Allow-Credentials: <allow>` fails the CORS check
 * (onerror fires, onload never does).
 *
 * @param {string} allow - header value the server should echo back; spliced into
 *   the query string as-is because some callers pass already percent-encoded
 *   values (e.g. 'true%0B'), which encoding here would double-encode.
 */
function test_response_header(allow) {
    var name = 'Access-Control-Allow-Credentials: ' + allow + ' should be disallowed (async)';
    var t = async_test(name);
    t.step(function () {
        var xhr = new XMLHttpRequest();
        var target = CROSSDOMAIN + 'resources/cors-makeheader.py?credentials=' + allow;
        xhr.open('GET', target, true);
        xhr.withCredentials = true;
        xhr.onload = t.step_func(function () {
            assert_unreached("onload");
        });
        xhr.onerror = t.step_func(function () {
            assert_equals(xhr.readyState, xhr.DONE, 'readyState');
            t.done();
        });
        xhr.send();
    });
}
    121 
// Header values that must all be rejected: case variants, quoted forms, other
// truthy-looking tokens, stray list separators, and trailing control characters
// (%0B / %0C are pre-encoded vertical tab / form feed).
[
    'TRUE', 'True',
    '"true"', "'true'",
    'false', '1', '0',
    ',true', 'true,',
    'true%0B', 'true%0C',
].forEach(function (allow) {
    test_response_header(allow);
});
    133 
    134 </script>