

      1 // META: title=Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.
      2 // META: script=/common/get-host-info.sub.js
      3 
   /**
    * Issue one asynchronous XHR through redirect-cors.py and check how the
    * redirect was handled under the CORS rules.
    *
    * @param {object} test           testharness.js async_test handle
    * @param {string} destination    URL the server redirects to (becomes the `location` query parameter,
    *                                interpolated verbatim — callers pass fixed test URLs, nothing is encoded)
    * @param {string} parameters     extra query string understood by redirect-cors.py (e.g. "allow_origin=true")
    * @param {boolean} customHeader  when true, send the non-safelisted "x-test" header so the request is preflighted
    * @param {boolean} local         when true the initial request goes to HTTP_ORIGIN, otherwise to HTTP_REMOTE_ORIGIN
    * @param {boolean} expectSuccess when true the load must complete with a body starting "PASS";
    *                                otherwise a network error (onerror, status 0) is required
    */
   function runTest(test, destination, parameters, customHeader, local, expectSuccess) {
     const hostInfo = get_host_info();
     // Origin of the first hop; the CORS decision under test is made on the redirect to `destination`.
     const origin = local ? hostInfo.HTTP_ORIGIN : hostInfo.HTTP_REMOTE_ORIGIN;
     const url = `${origin}/xhr/resources/redirect-cors.py?location=${destination}&${parameters}`;

     const xhr = new XMLHttpRequest();
     xhr.open("GET", url, true);

     if (customHeader) {
       // A header outside the CORS-safelist forces a preflight (OPTIONS) before the actual request.
       xhr.setRequestHeader("x-test", "test");
     }

     xhr.onload = test.step_func_done(() => {
       assert_true(expectSuccess);
       assert_true(xhr.responseText.startsWith("PASS"));
     });
     // A CORS failure surfaces as a network error: onerror fires and status is 0, so nothing about
     // the blocked response body or headers is observable from script.
     xhr.onerror = test.step_func_done(() => {
       assert_false(expectSuccess);
       assert_equals(xhr.status, 0);
     });

     xhr.send();
   }
     24 
   // Named aliases for runTest's boolean arguments so each call site reads as a sentence.

   // Whether to send the non-safelisted "x-test" header (which makes the request preflighted).
   const withCustomHeader = true;
   const withoutCustomHeader = false;

   // Where the initial request is sent: HTTP_ORIGIN (same-origin) or HTTP_REMOTE_ORIGIN (cross-origin).
   const local = true;
   const remote = false;

   // Expected outcome: onload with a "PASS" body, or onerror with status 0 (network error).
   const succeeds = true;
   const fails = false;
     31 
     32    // Test simple cross origin requests that receive redirects.
     33 
   // Without `allow_origin`, the redirect response itself carries no Access-Control-Allow-Origin
   // header, so the cross-origin request fails at the redirect hop even though the final resource
   // would have allowed "*".
   async_test((t) => {
     const target = `${get_host_info().HTTP_REMOTE_ORIGIN}/xhr/resources/access-control-basic-allow-star.py`;
     runTest(t, target, "", withoutCustomHeader, remote, fails);
   }, "Request is redirected without CORS headers to a response with Access-Control-Allow-Origin=*");
     40 
   // With `allow_origin=true` the redirect response passes the access check, and the final
   // allow-star resource passes it too, so the load completes.
   async_test((t) => {
     const target = `${get_host_info().HTTP_REMOTE_ORIGIN}/xhr/resources/access-control-basic-allow-star.py`;
     runTest(t, target, "allow_origin=true", withoutCustomHeader, remote, succeeds);
   }, "Request is redirected to a response with Access-Control-Allow-Origin=*");
     47 
   // The redirect target embeds userinfo ("username:password@"). A cross-origin redirect to a URL
   // carrying credentials must be treated as a network error, so the request fails even though
   // the redirect response itself would have passed the access check.
   async_test((t) => {
     const remoteOriginWithUserInfo =
         get_host_info().HTTP_REMOTE_ORIGIN.replace("http://", "http://username:password@");
     const target = `${remoteOriginWithUserInfo}/xhr/resources/access-control-basic-allow-star.py`;
     runTest(t, target, "allow_origin=true", withoutCustomHeader, remote, fails);
   }, "Request with user info is redirected to a response with Access-Control-Allow-Origin=*");
     54 
   // The redirect target uses a scheme that is not an HTTP(S) scheme, so following it is a
   // network error regardless of the CORS headers on the redirect response.
   async_test((t) => {
     const badSchemeTarget = "foo://bar.cgi";
     runTest(t, badSchemeTarget, "allow_origin=true", withoutCustomHeader, remote, fails);
   }, "Request is redirect to a bad URL");
     59 
   // The custom header makes the request preflighted; `redirect_preflight=true` presumably makes
   // redirect-cors.py redirect the preflight as well. The preflight does not allow "x-test", so
   // the request fails at the preflight stage.
   async_test((t) => {
     const target = `${get_host_info().HTTP_REMOTE_ORIGIN}/xhr/resources/access-control-basic-allow-star.py`;
     runTest(t, target, "allow_origin=true&redirect_preflight=true", withCustomHeader, remote, fails);
   }, "Preflighted request is redirected to a response with Access-Control-Allow-Origin=*");
     66 
   // Same as above but the preflight now allows "x-test" (`allow_header=x-test`). The preflight
   // therefore succeeds, yet the redirected request is still expected to fail the access check.
   async_test((t) => {
     const target = `${get_host_info().HTTP_REMOTE_ORIGIN}/xhr/resources/access-control-basic-allow-star.py`;
     const params = "allow_origin=true&allow_header=x-test&redirect_preflight=true";
     runTest(t, target, params, withCustomHeader, remote, fails);
   }, "Preflighted request is redirected to a response with Access-Control-Allow-Origin=* and header allowed");
     74 
   // Control case: the initial request and the redirect target are both same-origin, so no CORS
   // check applies and the custom header does not matter. The load must complete with "PASS".
   async_test((t) => {
     const target = `${get_host_info().HTTP_ORIGIN}/xhr/resources/pass.txt`;
     runTest(t, target, "", withCustomHeader, local, succeeds);
   }, "Request is redirected to a same-origin resource file");