web-platform-tests · hillbrad · Aug 29, 2013
diff --git a/cors/MANIFEST b/cors/MANIFEST
@@ -0,0 +1,13 @@
+basic.htm
+credentials-flag.htm
+origin.htm
+preflight-cache.htm
+redirect-origin.htm
+redirect-preflight.htm
+remote-origin.htm
+request-headers.htm
+response-headers.htm
+simple-requests.htm
+status-async.htm
+status-preflight.htm
+status.htm
diff --git a/cors/basic.htm b/cors/basic.htm
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Basic CORS</title>
+<meta name=help href=http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#simple-cross-origin-request-0>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+<div id=log></div>
+
+<script>
+
+var counter = 0;
+
+function cors(desc, url) {
+    async_test(desc).step(function() {
+        var client = new XMLHttpRequest();
+        this.count = counter++;
+
+        client.open("GET", url + "resources/cors-makeheader.php?get_value=hest_er_best&origin=none&" + this.count);
+
+        client.onreadystatechange = this.step_func(function(e) {
+            // First request, test that it fails with no origin
+            if (client.readyState < 4) return;
+            if (!url)
+                assert_true(client.response.indexOf("hest_er_best") != -1, "Got response");
+            else
+                assert_false(!!client.response, "Got CORS-disallowed response");
+
+            client = new XMLHttpRequest();
+            client.open("GET", url + "resources/cors-makeheader.php?get_value=hest_er_best&" + this.count);
+            client.onreadystatechange = this.step_func(function(e) {
+                // Second request, test that it passes with the allowed-origin
+                if (client.readyState < 4) return;
+                assert_true(client.response.indexOf("hest_er_best") != -1, "Got CORS-allowed response");
+                this.done();
+            });
+            client.send();
+        });
+        client.send();
+    });
+}
+
+cors("Same domain basic usage", "");
+cors("Cross domain basic usage", CROSSDOMAIN);
+cors("Same domain different port",
+        "http://" + location.hostname + ":" + PORT + dirname(location.pathname));
+
+cors("Cross domain different port",
+        "http://" + SUBDOMAIN + "." + location.hostname + ":"
+        + PORT + dirname(location.pathname));
+
+/* These require HTTPS setup, so will often fail locally */
+cors("Same domain different protocol",
+        'https://' + location.host + dirname(location.pathname));
+
+cors("Cross domain different protocol",
+        CROSSDOMAIN.replace("http:", "https:"));
+
+/* W3C has no "alternative" port for HTTPS. So turn these tests off.
+
+cors("Same domain different protocol different port",
+        "https://" + location.hostname + ":" + PORTS + dirname(location.pathname));
+
+cors("Cross domain different protocol different port",
+        "https://" + SUBDOMAIN + "." + location.hostname + ":"
+        + PORTS + dirname(location.pathname));
+*/
+
+</script>
diff --git a/cors/credentials-flag.htm b/cors/credentials-flag.htm
@@ -0,0 +1,112 @@
+<!DOCTYPE html>
+<title>CORS - Access-Control-Allow-Credentials</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>CORS - Access-Control-Allow-Credentials</h1>
+<div id=log></div>
+<script>
+
+var url = CROSSDOMAIN + 'resources/cors-cookie.php?ident='
+
+
+/*
+ * widthCredentials
+ */
+// XXX Do some https tests here as well
+test(function () {
+    var id = new Date().getTime(),
+        client = new XMLHttpRequest()
+    client.open("GET", url + id, false)
+    client.send(null)
+    assert_equals(client.response, "NO_COOKIE");
+
+    client.open("GET", url + id, false)
+    client.send(null)
+    assert_equals(client.response, "NO_COOKIE")
+}, "Don't send cookie by default");
+
+test(function () {
+    var id = new Date().getTime(),
+        client = new XMLHttpRequest()
+
+    client.open("GET", url + id, false)
+    client.withCredentials = true
+    client.send(null)
+    assert_equals(client.response, "NO_COOKIE");
+
+    /* We have cookie, but the browser shouldn't send */
+    client.open("GET", url + id, false)
+    client.withCredentials = false
+    client.send(null)
+    assert_equals(client.response, "NO_COOKIE")
+
+    /* Reads and deletes the cookie */
+    client.open("GET", url + id, false)
+    client.withCredentials = true
+    client.send(null)
+    assert_equals(client.response, "COOKIE")
+}, "Don't send cookie part 2");
+
+test(function () {
+    var id = new Date().getTime(),
+        client = new XMLHttpRequest()
+
+    /* Shouldn't set the response cookie */
+    client.open("GET", url + id, false)
+    client.withCredentials = false
+    client.send(null)
+    assert_equals(client.response, "NO_COOKIE");
+
+    /* Sets the cookie */
+    client.open("GET", url + id, false)
+    client.withCredentials = true
+    client.send(null)
+    assert_equals(client.response, "NO_COOKIE")
+
+    /* Reads and deletes the cookie */
+    client.open("GET", url + id, false)
+    client.withCredentials = true
+    client.send(null)
+    assert_equals(client.response, "COOKIE")
+}, "Don't obey Set-Cookie when withCredentials=false");
+
+function test_response_header(allow) {
+    test(function () {
+        var client = new XMLHttpRequest()
+        client.open('GET',
+            CROSSDOMAIN + 'resources/cors-makeheader.php?credentials=' + allow,
+            false)
+        client.withCredentials = true;
+        assert_throws(null, function() { client.send() }, 'send')
+    }, 'Access-Control-Allow-Credentials: ' + allow + ' should be disallowed (sync)')
+
+    var resp_test = async_test('Access-Control-Allow-Credentials: ' + allow + ' should be disallowed (async)')
+    resp_test.step(function() {
+        var client = new XMLHttpRequest()
+        client.open('GET',
+            CROSSDOMAIN + 'resources/cors-makeheader.php?credentials=' + allow,
+            true)
+        client.withCredentials = true;
+        client.onload = resp_test.step_func(function() {
+            assert_unreached("onload")
+        })
+        client.onerror = resp_test.step_func(function () {
+            assert_equals(client.readyState, client.DONE, 'readyState')
+            resp_test.done()
+        })
+        client.send()
+    })
+}
+
+test_response_header('TRUE')
+test_response_header('True')
+test_response_header('"true"')
+test_response_header('false')
+test_response_header('1')
+test_response_header('0')
+
+</script>
diff --git a/cors/origin.htm b/cors/origin.htm
@@ -0,0 +1,119 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Access-Control-Allow-Origin handling</title>
+<meta name=help href=http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-sharing-check>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Access-Control-Allow-Origin handling</h1>
+
+<div id=log></div>
+
+<script>
+
+/*
+ * Origin header
+ */
+function shouldPass(origin) {
+    test(function () {
+        var client = new XMLHttpRequest()
+        client.open('GET', CROSSDOMAIN
+                            + '/resources/cors-makeheader.php?origin='
+                            + encodeURIComponent(origin),
+                    false)
+        client.send()
+        r = JSON.parse(client.response)
+        var host = location.protocol + "//" + location.host
+        assert_equals(r['origin'], host, 'Request Origin: should be ' + host)
+    }, 'Allow origin: ' + origin.replace(/\t/g, "[tab]").replace(/ /g, '_'));
+}
+
+shouldPass('*');
+shouldPass(' *  ');
+shouldPass('	*');
+shouldPass(location.protocol + "//" + location.host);
+shouldPass(" "+location.protocol + "//" + location.host);
+shouldPass(" "+location.protocol + "//" + location.host + "   	 ");
+shouldPass("	"+location.protocol + "//" + location.host);
+
+
+function shouldFail(origin) {
+    test(function () {
+        var client = new XMLHttpRequest()
+        client.open('GET', CROSSDOMAIN
+                            + '/resources/cors-makeheader.php?origin='
+                            + encodeURIComponent(origin),
+                    false)
+        assert_throws(null, function() { client.send() }, 'send')
+    }, 'Disallow origin: ' + origin.replace(/\0/g, "\\0"));
+}
+
+shouldFail(location.protocol + "//" + SUBDOMAIN + "." + location.host)
+shouldFail("//" + location.host)
+shouldFail("://" + location.host)
+shouldFail("ftp://" + location.host)
+shouldFail("http:://" + location.host)
+shouldFail("http:/" + location.host)
+shouldFail("http:" + location.host)
+shouldFail(location.host)
+shouldFail(location.protocol + "//" + location.host + "?")
+shouldFail(location.protocol + "//" + location.host + "/")
+shouldFail(location.protocol + "//" + location.host + " /")
+shouldFail(location.protocol + "//" + location.host + "#")
+shouldFail(location.protocol + "//" + location.host + "%23")
+shouldFail(location.protocol + "//" + location.host + ":80")
+shouldFail(location.protocol + "//" + location.host + ", *")
+shouldFail(location.protocol + "//" + location.host + "\0")
+shouldFail((location.protocol + "//" + location.host).toUpperCase())
+shouldFail(location.protocol.toUpperCase() + "//" + location.host)
+shouldFail("-")
+shouldFail("**")
+shouldFail("\0*")
+shouldFail("*\0")
+shouldFail("'*'")
+shouldFail('"*"')
+shouldFail("* *")
+shouldFail("* null")
+shouldFail("*" + location.protocol + "//" + "*")
+shouldFail("*" + location.protocol + "//" + location.host)
+shouldFail("* " + location.protocol + "//" + location.host)
+shouldFail("*, " + location.protocol + "//" + location.host)
+shouldFail("\0" + location.protocol + "//" + location.host)
+shouldFail("null " + location.protocol + "//" + location.host)
+shouldFail('http://example.net')
+shouldFail('null')
+shouldFail('null *')
+shouldFail('')
+shouldFail(location.href)
+shouldFail(dirname(location.href))
+shouldFail(CROSSDOMAIN)
+shouldFail(location.host.replace(/^[^\.]+\./, ""))
+shouldFail("." + location.host.replace(/^[^\.]+\./, ""))
+shouldFail("*." + location.host.replace(/^[^\.]+\./, ""))
+shouldFail("http://" + location.host.replace(/^[^\.]+\./, ""))
+shouldFail("http://." + location.host.replace(/^[^\.]+\./, ""))
+shouldFail("http://*." + location.host.replace(/^[^\.]+\./, ""))
+
+function doubleOrigin(origin, origin2) {
+    test(function () {
+        var client = new XMLHttpRequest()
+        client.open('GET', CROSSDOMAIN
+                            + '/resources/cors-makeheader.php?origin='
+                            + encodeURIComponent(origin)
+                            + '&origin2=' + encodeURIComponent(origin2),
+                    false)
+        assert_throws(null, function() { client.send() }, 'send')
+    }, 'Disallow multiple headers (' + origin + ', ' + origin2 + ')');
+}
+
+doubleOrigin('', '*');
+doubleOrigin('*', '');
+doubleOrigin('*', '*');
+doubleOrigin('', location.protocol + "//" + location.host);
+doubleOrigin('*', location.protocol + "//" + location.host);
+doubleOrigin(location.protocol + "//" + location.host, location.protocol + "//" + location.host);
+
+</script>