tor-browser

The Tor Browser

origin.htm (4709B)


      1 <!DOCTYPE html>
      2 <meta charset=utf-8>
      3 <title>Access-Control-Allow-Origin handling</title>
      4 <meta name="timeout" content="long">
      5 <link rel=help href=https://fetch.spec.whatwg.org/>
      6 <meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
      7 
      8 <script src=/resources/testharness.js></script>
      9 <script src=/resources/testharnessreport.js></script>
     10 <script src=support.js?pipe=sub></script>
     11 
     12 <h1>Access-Control-Allow-Origin handling</h1>
     13 
     14 <div id=log></div>
     15 
     16 <script>
     17 
     18 /*
     19 * Origin header
     20 */
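/**
 * Registers one test asserting that a cross-origin response carrying the given
 * Access-Control-Allow-Origin value is readable by this page.
 *
 * The value is sent, URL-encoded, as the `origin` query parameter of
 * cors-makeheader.py on CROSSDOMAIN.
 * NOTE(review): that resource is not shown here; it presumably echoes the value
 * as the response header and reports the received Origin request header in a
 * JSON body. Confirm against the resource.
 *
 * @param {string} origin Header value the user agent is expected to accept.
 */
function shouldPass(origin) {
    // Tabs and spaces are made visible in the test name so the whitespace
    // variants remain distinguishable in the results.
    var label = 'Allow origin: ' + origin.replace(/\t/g, "[tab]").replace(/ /g, '_');

    test(function () {
        var client = new XMLHttpRequest()
        // Third argument false: synchronous request, so send() either returns
        // with the response available or throws.
        client.open('GET', CROSSDOMAIN
                            + '/resources/cors-makeheader.py?origin='
                            + encodeURIComponent(origin),
                    false)
        client.send()
        // Declared locally: the previous bare assignment to `r` created an
        // implicit global shared by every test in the file.
        var reply = JSON.parse(client.response)
        var host = location.protocol + "//" + location.host
        assert_equals(reply['origin'], host, 'Request Origin: should be ' + host)
    }, label);
}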
     34 
// Accepted values: the wildcard or this page's own serialized origin, each
// with optional leading/trailing spaces or tabs. Tabs are written as \t so the
// whitespace is visible in the source.
[
    '*',
    ' *  ',
    '\t*',
    location.protocol + "//" + location.host,
    " " + location.protocol + "//" + location.host,
    " " + location.protocol + "//" + location.host + "   \t ",
    "\t" + location.protocol + "//" + location.host
].forEach(function (value) {
    shouldPass(value);
});
     42 
     43 
/**
 * Registers one test asserting that a cross-origin response carrying the given
 * Access-Control-Allow-Origin value is blocked: the synchronous send() must
 * throw a NetworkError DOMException instead of exposing the response.
 *
 * The value is sent, URL-encoded, as the `origin` query parameter of
 * cors-makeheader.py on CROSSDOMAIN.
 *
 * @param {string} origin Header value the user agent is expected to reject.
 */
function shouldFail(origin) {
    // NUL bytes are shown as the two characters "\0" in the test name; other
    // control characters are left as they are.
    var label = 'Disallow origin: ' + origin.replace(/\0/g, "\\0");

    test(function () {
        var xhr = new XMLHttpRequest()
        var target = CROSSDOMAIN
                     + '/resources/cors-makeheader.py?origin='
                     + encodeURIComponent(origin)
        // Synchronous request: a failed CORS check surfaces as an exception
        // thrown from send().
        xhr.open('GET', target, false)
        assert_throws_dom("NetworkError", function() { xhr.send() }, 'send')
    }, label);
}
     54 
// Rejected values. Each one is a near-miss of either "*" or this page's
// serialized origin; accepting any of them would expose the response to an
// origin the header did not exactly name.
(function () {
    var here = location.protocol + "//" + location.host;
    // location.host with its first label removed.
    var parentHost = location.host.replace(/^[^\.]+\./, "");

    // A different host, or a wrong, missing or malformed scheme.
    shouldFail(location.protocol + "//" + SUBDOMAIN + "." + location.host);
    shouldFail("//" + location.host);
    shouldFail("://" + location.host);
    shouldFail("ftp://" + location.host);
    shouldFail("http:://" + location.host);
    shouldFail("http:/" + location.host);
    shouldFail("http:" + location.host);
    shouldFail(location.host);

    // This page's origin with something appended: the comparison is exact.
    shouldFail(here + "?");
    shouldFail(here + "/");
    shouldFail(here + " /");
    shouldFail(here + "#");
    shouldFail(here + "%23");
    shouldFail(here + ":80");
    shouldFail(here + ", *");
    shouldFail(here + "\0");

    // Upper-cased variants: the comparison is case-sensitive.
    shouldFail(here.toUpperCase());
    shouldFail(location.protocol.toUpperCase() + "//" + location.host);

    // Malformed wildcards: extra characters, NUL, vertical tab, form feed,
    // quoting, or more than one token.
    shouldFail("-");
    shouldFail("**");
    shouldFail(",*");
    shouldFail("*,");
    shouldFail("\0*");
    shouldFail("\u000B*");
    shouldFail("\u000C*");
    shouldFail("*\0");
    shouldFail("*\u000B");
    shouldFail("*\u000C");
    shouldFail("'*'");
    shouldFail('"*"');
    shouldFail("* *");
    shouldFail("* null");

    // Something prepended to an otherwise valid origin.
    shouldFail("*" + location.protocol + "//" + "*");
    shouldFail("*" + here);
    shouldFail("* " + here);
    shouldFail("*, " + here);
    shouldFail("\0" + here);
    shouldFail("null " + here);

    // Unrelated origins, "null", the empty value, and full URLs.
    shouldFail('http://example.net');
    shouldFail('null');
    shouldFail('null *');
    shouldFail('');
    shouldFail(location.href);
    shouldFail(dirname(location.href));
    shouldFail(CROSSDOMAIN);

    // Parent-domain and wildcard-subdomain patterns: no suffix or glob match.
    shouldFail(parentHost);
    shouldFail("." + parentHost);
    shouldFail("*." + parentHost);
    shouldFail("http://" + parentHost);
    shouldFail("http://." + parentHost);
    shouldFail("http://*." + parentHost);
})();
    106 
/**
 * Registers one test asserting that a response built from two
 * Access-Control-Allow-Origin values is blocked: the synchronous send() must
 * throw a NetworkError DOMException.
 *
 * Both values are sent, URL-encoded, as the `origin` and `origin2` query
 * parameters of cors-makeheader.py on CROSSDOMAIN.
 * NOTE(review): the resource is not shown here; judging by the test name it
 * emits one header per parameter. Confirm against the resource.
 *
 * @param {string} origin  First header value.
 * @param {string} origin2 Second header value.
 */
function doubleOrigin(origin, origin2) {
    var label = 'Disallow multiple headers (' + origin + ', ' + origin2 + ')';

    test(function () {
        var xhr = new XMLHttpRequest()
        var target = CROSSDOMAIN
                     + '/resources/cors-makeheader.py?origin='
                     + encodeURIComponent(origin)
                     + '&origin2=' + encodeURIComponent(origin2)
        // Synchronous request: the rejected response surfaces as an exception
        // thrown from send().
        xhr.open('GET', target, false)
        assert_throws_dom("NetworkError", function() { xhr.send() }, 'send')
    }, label);
}
    118 
// Pairs of values that must be rejected when sent together, even where one of
// them (or both) would be accepted on its own.
[
    ['', '*'],
    ['*', ''],
    ['*', '*'],
    ['', location.protocol + "//" + location.host],
    ['*', location.protocol + "//" + location.host],
    [location.protocol + "//" + location.host, location.protocol + "//" + location.host]
].forEach(function (pair) {
    doubleOrigin(pair[0], pair[1]);
});
    125 
    126 </script>