Porting access-control-basic-post-fail-non-simple-content-type to WPT
Bug: 745385 Change-Id: Iff8975a41dcace408427192c03087571b14bae53 Reviewed-on: https://chromium-review.googlesource.com/616482 WPT-Export-Revision: 59d6f986ae260981341a93e27854c434a633f477
1 parent
03a4dab
commit ffb718b
Showing
2 changed files
with
51 additions
and
0 deletions.
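--- a/XMLHttpRequest/access-control-basic-post-with-non-cors-safelisted-content-type.htm
+++ b/XMLHttpRequest/access-control-basic-post-with-non-cors-safelisted-content-type.htm
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Non-CORS-safelisted value in the Content-Type header results in a request preflight</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+</head>
+<body>
+<script type="text/javascript">
+test(function() {
+const xhr = new XMLHttpRequest;
+
+xhr.open("POST", get_host_info().HTTP_ORIGIN +
+"/XMLHttpRequest/resources/access-control-basic-options-not-supported.py", false);
+
+xhr.setRequestHeader("Content-Type", "application/xml");
+
+xhr.send();
+
+assert_equals(xhr.status, 200, "Cross-domain access was denied in 'send'.");
+}, "Same-origin request with non-safelisted content type succeeds");
+
+test(function() {
+const xhr = new XMLHttpRequest;
+
+xhr.open("POST", get_host_info().HTTP_REMOTE_ORIGIN +
+"/XMLHttpRequest/resources/access-control-basic-options-not-supported.py", false);
+
+xhr.setRequestHeader("Content-Type", "application/xml");
+
+try {
+xhr.send();
+} catch(e) {
+assert_equals(xhr.status, 0, "Cross-domain access was denied in 'send'.");
+return;
+}
+assert_unreached("Cross-domain access was not denied in 'send'.");
+}, "CORS request with non-safelisted content type sends preflight and fails");
+</script>
+</body>
+</html>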
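Review bot: The catch block in the second test accepts any exception thrown by `xhr.send()`, so the test would also pass if send threw for a reason unrelated to the rejected preflight. Asserting the exception type pins the expected failure: `assert_throws("NetworkError", function() { xhr.send(); });` followed by `assert_equals(xhr.status, 0, "status is 0 after a failed preflight");`. The message strings given to both `assert_equals` calls are printed when the assertion fails, yet they describe the denial itself; in the first test the request is same-origin and a 200 is expected, so a message like `"Same-origin POST should return 200"` would read correctly in a failure log.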
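--- a/XMLHttpRequest/resources/access-control-basic-options-not-supported.py
+++ b/XMLHttpRequest/resources/access-control-basic-options-not-supported.py
@@ -0,0 +1,9 @@
+def main(request, response):
+response.headers.set("Cache-Control", "no-store")
+
+# Allow simple requests, but deny preflight
+if request.method != "OPTIONS":
+response.headers.set("Access-Control-Allow-Credentials", "true")
+response.headers.set("Access-Control-Allow-Origin", request.headers.get("origin"))
+else:
+response.status = 400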
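Review bot: `request.headers.get("origin")` is passed straight to `response.headers.set`, so a request that arrives without an Origin header would presumably hand `None` to the header writer; the non-OPTIONS branch should set the header only when a value is present, e.g. `origin = request.headers.get("origin")` then `if origin is not None: response.headers.set("Access-Control-Allow-Origin", origin)`. Echoing the caller's Origin together with `Access-Control-Allow-Credentials: true` grants credentialed read access to every origin, which this fixture needs but which is unsafe outside a test server. A comment such as `# Test fixture only: reflects any Origin with credentials allowed` above that branch would keep it from being copied as a general CORS pattern.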