Skip to content

Commit

Permalink
Bug 1802469 [wpt PR 37145] - Add tests validating that Authorization …
Browse files Browse the repository at this point in the history
…headers get dropped on cross origin redirections, a=testonly

Automatic update from web-platform-tests
Add tests validating that Authorization headers get dropped on cross origin redirections

For whatwg/fetch#1544.
--

wpt-commits: 9b1e0aacb4c5480408e1b30f9c3bfb637b4ee401
wpt-pr: 37145
  • Loading branch information
youennf authored and moz-wptsync-bot committed Dec 11, 2022
1 parent dbbaf40 commit 4c14c38
Show file tree
Hide file tree
Showing 3 changed files with 68 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
// META: global=window,worker
// META: script=/common/get-host-info.sub.js

const authorizationValue = "Basic " + btoa("user:pass");
async function getAuthorizationHeaderValue(url)
{
const headers = { "Authorization": authorizationValue};
const requestInit = {"headers": headers};
const response = await fetch(url, requestInit);
return response.text();
}

promise_test(async test => {
const result = await getAuthorizationHeaderValue("/fetch/api/resources/dump-authorization-header.py");
assert_equals(result, authorizationValue);
}, "getAuthorizationHeaderValue - no redirection");

promise_test(async test => {
const result = await getAuthorizationHeaderValue("/fetch/api/resources/redirect.py?location=" + encodeURIComponent("/fetch/api/resources/dump-authorization-header.py"));
assert_equals(result, authorizationValue);
}, "getAuthorizationHeaderValue - same origin redirection");

promise_test(async (test) => {
const result = await getAuthorizationHeaderValue(get_host_info().HTTP_REMOTE_ORIGIN + "/fetch/api/resources/redirect.py?allow_headers=Authorization&location=" + encodeURIComponent(get_host_info().HTTP_ORIGIN + "/fetch/api/resources/dump-authorization-header.py"));
assert_equals(result, "none");
}, "getAuthorizationHeaderValue - cross origin redirection");
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
def main(request, response):
headers = [(b"Content-Type", "text/html"),
(b"Cache-Control", b"no-cache")]

if b"Origin" in request.headers:
headers.append((b"Access-Control-Allow-Origin", request.headers.get(b"Origin", b"")))
headers.append((b"Access-Control-Allow-Credentials", b"true"))
else:
headers.append((b"Access-Control-Allow-Origin", b"*"))
headers.append((b"Access-Control-Allow-Headers", b'Authorization'))

if b"authorization" in request.headers:
return 200, headers, request.headers.get(b"Authorization")
return 200, headers, "none"
28 changes: 28 additions & 0 deletions testing/web-platform/tests/xhr/xhr-authorization-redirect.any.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
// META: global=window,worker
// META: script=/common/get-host-info.sub.js

const authorizationValue = "Basic " + btoa("user:pass");
function getAuthorizationHeaderValue(url)
{
var client = new XMLHttpRequest();
client.open("GET", url, false);
client.setRequestHeader("Authorization", authorizationValue);
const promise = new Promise(resolve => client.onloadend = () => resolve(client.responseText));
client.send();
return promise;
}

promise_test(async test => {
const result = await getAuthorizationHeaderValue("/fetch/api/resources/dump-authorization-header.py");
assert_equals(result, authorizationValue);
}, "getAuthorizationHeaderValue - no redirection");

promise_test(async test => {
const result = await getAuthorizationHeaderValue("/fetch/api/resources/redirect.py?location=" + encodeURIComponent("/fetch/api/resources/dump-authorization-header.py"));
assert_equals(result, authorizationValue);
}, "getAuthorizationHeaderValue - same origin redirection");

promise_test(async (test) => {
const result = await getAuthorizationHeaderValue(get_host_info().HTTP_REMOTE_ORIGIN + "/fetch/api/resources/redirect.py?allow_headers=Authorization&location=" + encodeURIComponent(get_host_info().HTTP_ORIGIN + "/fetch/api/resources/dump-authorization-header.py"));
assert_equals(result, "none");
}, "getAuthorizationHeaderValue - cross origin redirection");

0 comments on commit 4c14c38

Please sign in to comment.