mirror of
https://github.com/servo/servo
synced 2026-04-28 18:37:39 +02:00
62 lines
2.8 KiB
HTML
62 lines
2.8 KiB
HTML
<!doctype html>
|
|
<html>
|
|
<head>
|
|
<title>XMLHttpRequest: send() - "Basic" authenticated CORS request using setRequestHeader() but not setting withCredentials (expects to succeed)</title>
|
|
<script src="/resources/testharness.js"></script>
|
|
<script src="/resources/testharnessreport.js"></script>
|
|
<script src="/common/utils.js"></script>
|
|
<!-- These spec references do not make much sense simply because the spec doesn't say very much about this.. -->
|
|
<link rel="help" href="https://xhr.spec.whatwg.org/#the-setrequestheader()-method" data-tested-assertations="following::ol[1]/li[6]" />
|
|
<link rel="help" href="https://xhr.spec.whatwg.org/#the-send()-method" data-tested-assertations="following::code[contains(@title,'http-authorization')]/.." />
|
|
</head>
|
|
<body>
|
|
<div id="log"></div>
|
|
<script>
|
|
function doTest(desc, pathsuffix, conditionsFunc, errorFunc, endFunc) {
|
|
var test = async_test(desc)
|
|
test.step(function() {
|
|
var client = new XMLHttpRequest(),
|
|
urlstart = location.host + location.pathname.replace(/\/[^\/]*$/, '/'),
|
|
user = token()
|
|
client.open("GET", location.protocol + "//www1." + urlstart + "resources/" + pathsuffix, false)
|
|
client.setRequestHeader("x-user", user)
|
|
client.setRequestHeader("x-pass", 'pass')
|
|
client.setRequestHeader("Authorization", "Basic " + btoa(user + ":pass"))
|
|
client.onerror = test.step_func(errorFunc)
|
|
client.onreadystatechange = test.step_func(function () {
|
|
if(client.readyState < 4) {return}
|
|
conditionsFunc(client, test, user)
|
|
})
|
|
if(endFunc) {
|
|
client.onloadend = test.step_func(endFunc)
|
|
}
|
|
client.send(null)
|
|
})
|
|
}
|
|
|
|
doTest("CORS request with setRequestHeader auth to URL accepting Authorization header", "auth7/corsenabled.py", function (client, test, user) {
|
|
assert_true(client.responseText == (user + "\npass"), "responseText should contain the right user and password")
|
|
assert_equals(client.status, 200)
|
|
assert_equals(client.getResponseHeader("x-challenge"), "DID-NOT")
|
|
test.done()
|
|
}, function(){
|
|
assert_unreached("Cross-domain request is permitted and should not cause an error")
|
|
this.done()
|
|
})
|
|
|
|
var errorFired = false;
|
|
doTest("CORS request with setRequestHeader auth to URL NOT accepting Authorization header", "auth8/corsenabled-no-authorize.py", function (client, test, user) {
|
|
assert_equals(client.responseText, '')
|
|
assert_equals(client.status, 0)
|
|
}, function(e){
|
|
errorFired = true
|
|
assert_equals(e.type, 'error', 'Error event fires when Authorize is a user-set header but not allowed by the CORS endpoint')
|
|
}, function() {
|
|
assert_true(errorFired, 'The error event should fire')
|
|
this.done()
|
|
})
|
|
|
|
</script>
|
|
</body>
|
|
</html>
|