send-authentication-basic-setrequestheader-existing-session.htm (3233B)
1 <!doctype html> 2 <html> 3 <head> 4 <title>XMLHttpRequest: send() - "Basic" authenticated request using setRequestHeader() when there is an existing session</title> 5 <script src="/resources/testharness.js"></script> 6 <script src="/resources/testharnessreport.js"></script> 7 <script src="/common/utils.js"></script> 8 <!-- These spec references do not make much sense simply because the spec doesn't say very much about this.. --> 9 <link rel="help" href="https://xhr.spec.whatwg.org/#the-setrequestheader()-method" data-tested-assertations="following::ol[1]/li[6]" /> 10 <link rel="help" href="https://xhr.spec.whatwg.org/#the-send()-method" data-tested-assertations="following::code[contains(@title,'http-authorization')]/.." /> 11 </head> 12 <body> 13 <div id="log"></div> 14 <script> 15 var test = async_test() 16 test.step(function() { 17 var client = new XMLHttpRequest(), 18 urlstart = location.host + location.pathname.replace(/\/[^\/]*$/, '/') 19 // Initial request: no information is known to the UA about whether resources/auth4/auth.py requires authentication, 20 // hence it first sends a normal request, gets a 401 response that will not be passed on to the JS, and sends a new 21 // request with an Authorization header before returning 22 // (Note: this test will only work as expected if run once per browsing session) 23 var open_user = token() 24 client.open("GET", location.protocol+'//'+urlstart + "resources/auth4/auth.py", false, open_user, 'open-pass') 25 client.setRequestHeader('X-User', open_user) 26 // initial request - this will get a 401 response and re-try with HTTP auth 27 client.send(null) 28 assert_true(client.responseText == (open_user + '\nopen-pass'), 'responseText should contain the right user and password') 29 assert_equals(client.status, 200) 30 assert_equals(client.getResponseHeader('x-challenge'), 'DID') 31 // Another request, this time user,pass is omitted and an Authorization header set explicitly 32 // Here the URL is known to require authentication (from the request above), and the UA has cached open-user:open-pass credentials 33 // However, these session credentials should now be overridden by the setRequestHeader() call so the UA should immediately 34 // send basic Authorization header with credentials user:pass. (This part is perhaps not well specified anywhere) 35 var user = token(); 36 client.open("GET", location.protocol+'//'+urlstart + "resources/auth4/auth.py", true) 37 client.setRequestHeader("x-user", user) 38 client.setRequestHeader('Authorization', 'Basic ' + btoa(user + ":pass")) 39 client.onreadystatechange = function () { 40 if (client.readyState < 4) {return} 41 test.step( function () { 42 assert_equals(client.responseText, user + '\npass') 43 assert_equals(client.status, 200) 44 assert_equals(client.getResponseHeader('x-challenge'), 'DID-NOT') 45 test.done() 46 } ) 47 } 48 client.send(null) 49 }) 50 </script> 51 <p>Note: this test will only work as expected once per browsing session. Restart browser to re-test.</p> 52 </body> 53 </html>