remote-origin.htm (3832B)
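<!DOCTYPE html>
<meta charset=utf-8>
<title>Access-Control-Allow-Origin handling</title>
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src=support.js?pipe=sub></script>

<h1>Access-Control-Allow-Origin handling</h1>

<div id=log></div>

<script>
/*
 * Each case asks a helper page loaded in a cross-origin iframe to request
 * resources/cors-makeheader.py next to this page, passing the value under
 * test in the "origin" query parameter. The helper reports the outcome back
 * with postMessage. Presumably the script echoes that value as the
 * Access-Control-Allow-Origin response header - confirm against
 * cors-makeheader.py.
 */

// Pending tests, keyed by the origin template that was sent to the helper.
// A prototype-less object is used so that a key arriving in a message can
// never resolve to an inherited property.
var remote_tests = Object.create(null);

var iframe = document.createElement("iframe");
iframe.src = CROSSDOMAIN + 'resources/remote-xhrer.html';
document.body.appendChild(iframe);

/**
 * Registers one async test for a single header value.
 *
 * The placeholders in `origin` are expanded from the point of view of the
 * helper frame, which is the party making the request:
 *   <origin>, <host>, <protocol>  -> REMOTE_ORIGIN / REMOTE_HOST / REMOTE_PROTOCOL
 *   <ORIGIN>, <HOST>, <PROTOCOL>  -> the same values upper-cased
 *   <remote_origin>               -> the origin of this page
 * Each placeholder is expanded once (String.prototype.replace with a string
 * pattern replaces only the first occurrence).
 *
 * @param {boolean} expect_pass true if the helper's request is expected to
 *     load, false if it is expected to end in the "error" state.
 * @param {string} origin header value template; also the key under which
 *     the test is stored in remote_tests and looked up when the helper replies.
 */
function reverseOrigin(expect_pass, origin)
{
    var real_origin = origin.replace("<host>", REMOTE_HOST)
                            .replace("<remote_origin>", location.protocol + "//" + location.host)
                            .replace("<origin>", REMOTE_ORIGIN)
                            .replace("<protocol>", REMOTE_PROTOCOL)
                            .replace("<HOST>", REMOTE_HOST.toUpperCase())
                            .replace("<ORIGIN>", REMOTE_ORIGIN.toUpperCase())
                            .replace("<PROTOCOL>", REMOTE_PROTOCOL.toUpperCase());

    // NUL, tab and space are made visible in the test name.
    var t = async_test((expect_pass ? 'Allow origin: ' : 'Disallow origin: ') + real_origin
                            .replace(/\0/g, "\\0")
                            .replace(/\t/g, "[tab]")
                            .replace(/ /g, '_'));

    t.step(function() {
        this.test_url = dirname(location.href)
                            + 'resources/cors-makeheader.py?origin='
                            + encodeURIComponent(real_origin);
        // "*" leaves the receiving origin unrestricted; the payload holds only
        // the probe URL and the template key.
        // NOTE(review): the helper is expected to run at REMOTE_ORIGIN, so that
        // could be passed as the target origin instead - confirm against support.js.
        iframe.contentWindow.postMessage({ url: this.test_url, origin: origin }, "*");
    });

    if (expect_pass) {
        t.callback = t.step_func(function(e) {
            assert_equals(e.state, "load");
            // Declared locally; the original assignment created a global `r`.
            var r = JSON.parse(e.response);
            assert_equals(r['origin'], REMOTE_ORIGIN, 'Request Origin: should be ' + REMOTE_ORIGIN);
            this.done();
        });
    } else {
        t.callback = t.step_func(function(e) {
            assert_equals(e.state, "error");
            assert_equals(e.response, "");
            this.done();
        });
    }

    remote_tests[origin] = t;
}

/** Registers a value that must be accepted. */
function shouldPass(origin) { reverseOrigin(true, origin); }

/** Registers a value that must be rejected. */
function shouldFail(origin) { reverseOrigin(false, origin); }


iframe.onload = function() {
    // NOTE(review): this listing appears to have normalised whitespace inside
    // the string literals below. Cases that look identical here (the two
    // " <origin>" entries) would share one remote_tests key, so the later
    // registration replaces the earlier one. Confirm the exact characters
    // against the upstream file before running.
    shouldPass('*');
    // NOTE(review): the listing shows a raw line break inside this literal; it
    // is transcribed as \n so the script parses. The original character is
    // not recoverable from the listing.
    shouldPass(' \n* ');
    shouldPass(' *');
    shouldPass("<origin>");
    shouldPass(" <origin>");
    shouldPass(" <origin> ");
    shouldPass(" <origin>");

    shouldFail("<remote_origin>");
    shouldFail("//" + "<host>");
    shouldFail("://" + "<host>");
    shouldFail("ftp://" + "<host>");
    shouldFail("http:://" + "<host>");
    shouldFail("http:/" + "<host>");
    shouldFail("http:" + "<host>");
    shouldFail("<host>");
    shouldFail("<origin>" + "?");
    shouldFail("<origin>" + "/");
    shouldFail("<origin>" + " /");
    shouldFail("<origin>" + "#");
    shouldFail("<origin>" + "%23");
    shouldFail("<origin>" + ":80");
    shouldFail("<origin>" + ", *");
    shouldFail("<origin>" + "\0");
    shouldFail("<ORIGIN>");
    shouldFail("<PROTOCOL>//<host>");
    shouldFail("<protocol>//<HOST>");
    shouldFail("-");
    shouldFail("**");
    shouldFail("\0*");
    shouldFail("*\0");
    shouldFail("'*'");
    shouldFail('"*"');
    shouldFail("* *");
    shouldFail("*" + "<protocol>" + "//" + "*");
    shouldFail("*" + "<origin>");
    shouldFail("* " + "<origin>");
    shouldFail("*, " + "<origin>");
    shouldFail("\0" + "<origin>");
    shouldFail("null " + "<origin>");
    shouldFail('http://example.net');
    shouldFail('null');
    shouldFail('');
    shouldFail(location.href);
    shouldFail(dirname(location.href));
    shouldFail(CROSSDOMAIN);
};

window.addEventListener("message", function(e) {
    // Only the helper frame created above may report results. Without this
    // check any window holding a reference to this page could post a message
    // and drive a test callback with data of its choosing.
    if (e.source !== iframe.contentWindow)
        return;
    remote_tests[e.data.origin].callback(e.data);
});

add_completion_callback(function() {
    iframe.parentElement.removeChild(iframe);
});
</script>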