-
Notifications
You must be signed in to change notification settings - Fork 54
/
cors-safelisted-request-header.any.js
43 lines (40 loc) · 1.61 KB
/
cors-safelisted-request-header.any.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
// META: script=support.js?pipe=sub
// META: script=/common/utils.js
// This is based on simple-requests.htm, with modifications to make the code more modern and test
// more esoteric cases of header value parsing.
function safelist(headers, expectPreflight = false) {
promise_test(async t => {
const uuid = token(),
url = CROSSDOMAIN + "resources/preflight.py?token=" + uuid,
checkURL = "resources/preflight.py?check&token=" + uuid,
request = () => fetch(url, { method: "POST", headers, body: "data" });
if (expectPreflight) {
await promise_rejects_js(t, TypeError, request());
} else {
const response = await request();
assert_equals(response.headers.get("content-type"), "text/plain");
assert_equals(await response.text(), "NO");
}
const checkResponse = await fetch(checkURL, { method: "POST", body: "data" });
assert_equals(await checkResponse.text(), (expectPreflight ? "1" : "0"));
}, (expectPreflight ? "Preflight" : "No preflight") + " for " + JSON.stringify(headers));
}
[
["text /plain", true],
["text\t/\tplain", true],
["text/plain;"],
["text/plain;garbage"],
["text/plain;garbage\u0001\u0002", true],
["text/plain,", true],
[",text/plain", true],
["text/plain,text/plain", true],
["text/plain,x/x", true],
["text/plain\u000B", true],
["text/plain\u000C", true],
["application/www-form-urlencoded", true],
["application/x-www-form-urlencoded;\u007F", true],
["multipart/form-data"],
["multipart/form-data;\"", true]
].forEach(([mimeType, preflight = false]) => {
safelist({"content-type": mimeType}, preflight);
})