1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
<!doctype html>
<html>
<head>
<title>XMLHttpRequest: send() - "Basic" authenticated requests with competing user name/password options</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<link rel="help" href="https://xhr.spec.whatwg.org/#the-open()-method" data-tested-assertations="following::ol[1]/li[9]/ol[1]/li[1] following::ol[1]/li[9]/ol[1]/li[2]" />
<link rel="help" href="https://xhr.spec.whatwg.org/#the-send()-method" data-tested-assertations="following::code[contains(@title,'http-authorization')]/.." /> </head>
<body>
<div id="log"></div>
<script>
function request(user1, pass1, user2, pass2, name) {
// user1, pass1 will if given become userinfo part of URL
// user2, pass2 will if given be passed to open() call
test(function() {
var client = new XMLHttpRequest(),
urlstart = "", userwin, passwin
// if user2 is set, winning user name and password is 2
if(user2)
userwin = user2, passwin = pass2
// if user1 is set, and user2 is not set, user1 and pass1 win
if(user1 && ! user2)
userwin = user1, passwin = pass1
// if neither user name is set, pass 2 wins (there will be no userinfo in URL)
if (!(user1 || user2))
passwin = pass2
if(user1) { // should add userinfo to URL (there is no way to create userinfo part of URL with only password in)
urlstart = "http://" + user1
if(pass1)
urlstart += ":" + pass1
urlstart += "@" + location.host + location.pathname.replace(/\/[^\/]*$/, '/')
}
client.open("GET", urlstart + "resources/authentication.py", false, user2, pass2)
client.setRequestHeader("x-user", userwin)
client.send(null)
assert_true(client.responseText == ((userwin||'') + "\n" + (passwin||'')), 'responseText should contain the right user and password')
// We want to send multiple requests to the same realm here, so we try to make the UA forget its (cached) credentials between each test..
// forcing a 401 response to (hopefully) "log out"
// NOTE: This is commented out because it causes authentication prompts while running the test
//client.open('GET', "resources/authentication.py?logout=1", false)
//client.send()
}, document.title+' '+name)
}
request(null, null, token(), token(), 'user/pass in open() call')
request(null, null, token(), token(), 'another user/pass in open() call - must override cached credentials from previous test')
request("userinfo-user", "userinfo-pass", token(), token(), 'user/pass both in URL userinfo AND open() call - expexted that open() wins')
request(token(), token(), null, null, 'user/pass *only* in URL userinfo')
request(token(), null, null, token(), 'user name in URL userinfo, password in open() call: user name wins and password is thrown away')
request("1", token(), token(), null, 'user name and password in URL userinfo, only user name in open() call: user name in open() wins')
</script>
</body>
</html>
|