Add tests validating that Authorization headers get dropped on cross …

…origin redirections

For whatwg/fetch#1544.

fetch/api/credentials/authentication-redirection.any.js

@@ -0,0 +1,26 @@
+// META: global=window,worker
+// META: script=/common/get-host-info.sub.js
+
+const authorizationValue = "Basic " + btoa("user:pass");
+async function getAuthorizationHeaderValue(url)
+{
+  const headers = { "Authorization": authorizationValue};
+  const requestInit = {"headers": headers};
+  const response = await fetch(url, requestInit);
+  return response.text();
+}
+
+promise_test(async test => {
+  const result = await getAuthorizationHeaderValue("/fetch/api/resources/dump-authorization-header.py");
+  assert_equals(result, authorizationValue);
+}, "getAuthorizationHeaderValue - no redirection");
+
+promise_test(async test => {
+  const result = await getAuthorizationHeaderValue("/fetch/api/resources/redirect.py?location=" + encodeURIComponent("/fetch/api/resources/dump-authorization-header.py"));
+  assert_equals(result, authorizationValue);
+}, "getAuthorizationHeaderValue - same origin redirection");
+
+promise_test(async (test) => {
+  const result = await getAuthorizationHeaderValue(get_host_info().HTTP_REMOTE_ORIGIN + "/fetch/api/resources/redirect.py?allow_headers=Authorization&location=" + encodeURIComponent(get_host_info().HTTP_ORIGIN + "/fetch/api/resources/dump-authorization-header.py"));
+  assert_equals(result, "none");
+}, "getAuthorizationHeaderValue - cross origin redirection");

fetch/api/resources/dump-authorization-header.py

@@ -0,0 +1,14 @@
+def main(request, response):
+    headers = [(b"Content-Type", "text/html"),
+               (b"Cache-Control", b"no-cache")]
+
+    if b"Origin" in request.headers:
+        headers.append((b"Access-Control-Allow-Origin", request.headers.get(b"Origin", b"")))
+        headers.append((b"Access-Control-Allow-Credentials", b"true"))
+    else:
+        headers.append((b"Access-Control-Allow-Origin", b"*"))
+    headers.append((b"Access-Control-Allow-Headers", b'Authorization'))
+
+    if b"authorization" in request.headers:
+        return 200, headers, request.headers.get(b"Authorization")
+    return 200, headers, "none"

xhr/xhr-authorization-redirect.any.js

@@ -0,0 +1,28 @@
+// META: global=window,worker
+// META: script=/common/get-host-info.sub.js
+
+const authorizationValue = "Basic " + btoa("user:pass");
+function getAuthorizationHeaderValue(url)
+{
+  var client = new XMLHttpRequest();
+  client.open("GET", url, false);
+  client.setRequestHeader("Authorization", authorizationValue);
+  const promise = new Promise(resolve => client.onloadend = () => resolve(client.responseText));
+  client.send();
+  return promise;
+}
+
+promise_test(async test => {
+  const result = await getAuthorizationHeaderValue("/fetch/api/resources/dump-authorization-header.py");
+  assert_equals(result, authorizationValue);
+}, "getAuthorizationHeaderValue - no redirection");
+
+promise_test(async test => {
+  const result = await getAuthorizationHeaderValue("/fetch/api/resources/redirect.py?location=" + encodeURIComponent("/fetch/api/resources/dump-authorization-header.py"));
+  assert_equals(result, authorizationValue);
+}, "getAuthorizationHeaderValue - same origin redirection");
+
+promise_test(async (test) => {
+  const result = await getAuthorizationHeaderValue(get_host_info().HTTP_REMOTE_ORIGIN + "/fetch/api/resources/redirect.py?allow_headers=Authorization&location=" + encodeURIComponent(get_host_info().HTTP_ORIGIN + "/fetch/api/resources/dump-authorization-header.py"));
+  assert_equals(result, "none");
+}, "getAuthorizationHeaderValue - cross origin redirection");