tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

send-authentication-cors-setrequestheader-no-cred.htm (2909B)

      1 <!doctype html>
      2 <html>
      3  <head>
      4    <title>XMLHttpRequest: send() - "Basic" authenticated CORS request using setRequestHeader() but not setting withCredentials (expects to succeed)</title>
      5    <script src="/resources/testharness.js"></script>
      6    <script src="/resources/testharnessreport.js"></script>
      7    <script src="/common/utils.js"></script>
      8    <script src="/common/get-host-info.sub.js"></script>
      9    <!-- These spec references do not make much sense simply because the spec doesn't say very much about this.. -->
     10    <link rel="help" href="https://xhr.spec.whatwg.org/#the-setrequestheader()-method" data-tested-assertations="following::ol[1]/li[6]" />
     11    <link rel="help" href="https://xhr.spec.whatwg.org/#the-send()-method" data-tested-assertations="following::code[contains(@title,'http-authorization')]/.." />
     12  </head>
     13  <body>
     14    <div id="log"></div>
     15    <script>
     16    function doTest(desc, pathsuffix, conditionsFunc, errorFunc, endFunc) {
     17      var test = async_test(desc)
     18      test.step(function() {
     19        var client = new XMLHttpRequest(),
     20            urlstart = get_host_info().REMOTE_ORIGIN + location.pathname.replace(/\/[^\/]*$/, '/'),
     21            user = token()
     22        client.open("GET", urlstart + "resources/" + pathsuffix, false)
     23        client.setRequestHeader("x-user", user)
     24        client.setRequestHeader("x-pass", 'pass')
     25        client.setRequestHeader("Authorization", "Basic " + btoa(user + ":pass"))
     26        client.onerror = test.step_func(errorFunc)
     27        client.onreadystatechange = test.step_func(function () {
     28          if(client.readyState < 4) {return}
     29          conditionsFunc(client, test, user)
     30        })
     31        if(endFunc) {
     32          client.onloadend = test.step_func(endFunc)
     33        }
     34        client.send(null)
     35      })
     36    }
     37 
     38    doTest("CORS request with setRequestHeader auth to URL accepting Authorization header", "auth7/corsenabled.py", function (client, test, user) {
     39      assert_true(client.responseText == (user + "\npass"), "responseText should contain the right user and password")
     40      assert_equals(client.status, 200)
     41      assert_equals(client.getResponseHeader("x-challenge"), "DID-NOT")
     42      test.done()
     43    }, function(){
     44      assert_unreached("Cross-domain request is permitted and should not cause an error")
     45      this.done()
     46    })
     47 
     48    var errorFired = false;
     49    doTest("CORS request with setRequestHeader auth to URL NOT accepting Authorization header", "auth8/corsenabled-no-authorize.py", function (client, test, user) {
     50      assert_equals(client.responseText, '')
     51      assert_equals(client.status, 0)
     52    }, function(e){
     53      errorFired = true
     54      assert_equals(e.type, 'error', 'Error event fires when Authorize is a user-set header but not allowed by the CORS endpoint')
     55    }, function() {
     56      assert_true(errorFired, 'The error event should fire')
     57      this.done()
     58    })
     59 
     60    </script>
     61  </body>
     62 </html>