Add option to trigger xhr.withCredentials without http auth #2486

Merged
merged 4 commits into from Jun 30, 2014
View
@@ -35,8 +35,9 @@ An XMLHttpRequest Wrapper.
* isSuccess - (*function*) Overrides the built-in isSuccess function.
* evalScripts - (*boolean*: defaults to *false*) If set to true, `script` tags inside the response will be evaluated.
* evalResponse - (*boolean*: defaults to *false*) If set to true, the entire response will be evaluated. Responses with javascript content-type will be evaluated automatically.
-* user - (*string*: defaults to *null*) When username is set the Request will open with credentials and try to authenticate.
+* user - (*string*: defaults to *null*) The username to use for http basic authentication.
* password - (*string*: defaults to *null*) You can use this option together with the `user` option to set authentication credentials when necessary. Note that the password will be passed as plain text and is therefore readable by anyone through the source code. It is therefore encouraged to use this option carefully
+* withCredentials - (*boolean*: defaults to *false*) If set to true, xhr.withCredentials will be set to true allowing cookies/auth to be passed for cross origin requests
### Events:
@@ -34,7 +34,8 @@ var Request = this.Request = new Class({
onException: function(headerName, value){},
onTimeout: function(){},
user: '',
- password: '',*/
+ password: '',
+ withCredentials: false,*/
url: '',
data: '',
headers: {
@@ -197,7 +198,7 @@ var Request = this.Request = new Class({
}
xhr.open(method.toUpperCase(), url, this.options.async, this.options.user, this.options.password);
- if (this.options.user && 'withCredentials' in xhr) xhr.withCredentials = true;
+ if ((/*<1.4compat>*/this.options.user || /*</1.4compat>*/this.options.withCredentials) && 'withCredentials' in xhr) xhr.withCredentials = true;
xhr.onreadystatechange = this.onStateChange.bind(this);
View
@@ -135,5 +135,41 @@ describe('Request', function(){
});
+ it('should not set xhr.withCredentials flag by default', function(){
+ var request = new Request({
+ url: '/something/or/other'
+ }).send();
+
+ expect(request.xhr.withCredentials).toBe(false);
+ });
+
+ /*<1.4compat>*/
+ it('should set xhr.withCredentials flag in 1.4 for this.options.user', function(){
+ var request = new Request({
+ url: '/something/or/other',
+ user: 'someone'
+ }).send();
+
+ expect(request.xhr.withCredentials).toBe(true);
+ });
+ /*</1.4compat>*/
+ var dit = /*<1.4compat>*/xit || /*</1.4compat>*/it; // don't run unless no compat
+ dit('should not set xhr.withCredentials flag in 1.5 for this.options.user', function(){
+ var request = new Request({
+ url: '/something/or/other',
+ user: 'someone'
+ }).send();
+
+ expect(request.xhr.withCredentials).toBe(false);

This comment has been minimized.

Show comment Hide comment
@SergioCrisostomo

SergioCrisostomo Jun 30, 2014

Member

@ibolmo this is failing in some browsers with Expected undefined to be false.

Can we cast to boolean and use expect(!!request.xhr.withCredentials).toBe(false); ?

@SergioCrisostomo

SergioCrisostomo Jun 30, 2014

Member

@ibolmo this is failing in some browsers with Expected undefined to be false.

Can we cast to boolean and use expect(!!request.xhr.withCredentials).toBe(false); ?

This comment has been minimized.

Show comment Hide comment
@ccampbell

ccampbell Jun 30, 2014

Contributor

Ah, sorry, I was actually thinking about that, but all the tests passed in the build (from using the fake XHR object I suspect)

@ccampbell

ccampbell Jun 30, 2014

Contributor

Ah, sorry, I was actually thinking about that, but all the tests passed in the build (from using the fake XHR object I suspect)

This comment has been minimized.

Show comment Hide comment
@ccampbell

ccampbell Jun 30, 2014

Contributor

Could also wrap the expect in

if (request.xhr.hasOwnProperty('withCredentials')) { ...
@ccampbell

ccampbell Jun 30, 2014

Contributor

Could also wrap the expect in

if (request.xhr.hasOwnProperty('withCredentials')) { ...

This comment has been minimized.

Show comment Hide comment
@SergioCrisostomo

SergioCrisostomo Jun 30, 2014

Member

@ccampbell we have encrypted user/pass to sauce labs testing. That means pull requests are only tested against PhantomJS on Travis. We should maybe change that so that pull requests actually get tested in browsers and not only after merge.

Anyway, this is a detail, I am really happy you proposed this fix.

@SergioCrisostomo

SergioCrisostomo Jun 30, 2014

Member

@ccampbell we have encrypted user/pass to sauce labs testing. That means pull requests are only tested against PhantomJS on Travis. We should maybe change that so that pull requests actually get tested in browsers and not only after merge.

Anyway, this is a detail, I am really happy you proposed this fix.

This comment has been minimized.

Show comment Hide comment
@SergioCrisostomo

SergioCrisostomo Jun 30, 2014

Member

@ccampbell Olmo just fixed it with .toBeFalsy()
Thanks again, cheers.

@SergioCrisostomo

SergioCrisostomo Jun 30, 2014

Member

@ccampbell Olmo just fixed it with .toBeFalsy()
Thanks again, cheers.

+ });
+
+ dit('should set xhr.withCredentials flag if options.withCredentials is set', function(){
+ var request = new Request({
+ url: '/something/or/other',
+ withCredentials: true
+ }).send();
+
+ expect(request.xhr.withCredentials).toBe(true);
+ });
});