1 files changed, 65 insertions, 0 deletions
diff --git a/testing/web-platform/tests/cors/redirect-preflight.htm b/testing/web-platform/tests/cors/redirect-preflight.htm
new file mode 100644
index 000000000..bb47f2cae
--- /dev/null
+++ b/testing/web-platform/tests/cors/redirect-preflight.htm
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>CORS - redirect with preflight</title>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js?pipe=sub></script>
+
+<h1>Redirect with preflight</h1>
+
+<div id=log></div>
+<script>
+
+var req_c = 0 // Request count for cache busting and easy identifying of request in traffic analyzer
+
+/*
+ * Redirection with preflights
+ */
+
+function redir_preflight(code) {
+    test(function() {
+        var client = new XMLHttpRequest(),
+            redirect = CROSSDOMAIN + 'resources/cors-makeheader.py?headers=x-test&' + req_c++
+
+        client.open('GET', CROSSDOMAIN + 'resources/cors-makeheader.py?'
+                           + 'headers=x-test&location=' + encodeURIComponent(redirect)
+                           + '&code=' + code + '&preflight=' + code + '&' + req_c++,
+                    false)
+        client.setRequestHeader('x-test', 'test')
+        assert_throws(null, function() { client.send(null) });
+
+    },
+    'Redirect ' + code + ' on preflight')
+}
+redir_preflight(301)
+redir_preflight(302)
+redir_preflight(303)
+redir_preflight(307)
+redir_preflight(308)
+
+/* Even thought the preflight was allowed (200), CORS should not follow
+   a subsequent redirect */
+function redir_after_preflight(code) {
+    test(function() {
+        var client = new XMLHttpRequest(),
+            redirect = CROSSDOMAIN + 'resources/cors-makeheader.py?headers=x-test&' + req_c++
+
+        client.open('GET', CROSSDOMAIN + 'resources/cors-makeheader.py?'
+                           + 'preflight=200&headers=x-test&location='
+                           + encodeURIComponent(redirect) + '&code=' + code + '&' + req_c++,
+                    false)
+        client.setRequestHeader('x-test', 'test')
+        assert_throws(null, function() { client.send(null) });
+
+    },
+    'Disallow redirect ' + code + ' after succesful (200) preflight')
+}
+redir_after_preflight(301)
+redir_after_preflight(302)
+redir_after_preflight(303)
+redir_after_preflight(307)
+redir_after_preflight(308)
+
+</script>