<!DOCTYPE html>
<meta charset=utf-8>
<title>Access-Control-Allow-Headers handling</title>
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src=support.js?pipe=sub></script>

<h1>Access-Control-Allow-Headers handling</h1>

<div id=log></div>

<script>

/*
 * Origin header
 */
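/**
 * Registers one testharness test that expects a synchronous cross-origin GET
 * to succeed when `origin` is handed to the server helper.
 *
 * `origin` is sent URL-encoded as the `origin` query parameter of
 * CROSSDOMAIN + '/resources/cors-makeheader.py'.
 * NOTE(review): the helper is not part of this file; presumably it echoes the
 * parameter as the Access-Control-Allow-Origin response header and reports the
 * request's Origin header under the `origin` key of its JSON body. Confirm
 * against the resource.
 *
 * @param {string} origin  Allow-Origin value under test. Tabs and spaces are
 *                         made visible in the test name ("[tab]", "_").
 */
function shouldPass(origin) {
    test(function () {
        var client = new XMLHttpRequest();
        // Third argument `false` makes the request synchronous, so a blocked
        // response surfaces as an exception from send() inside this test.
        client.open('GET', CROSSDOMAIN
                            + '/resources/cors-makeheader.py?origin='
                            + encodeURIComponent(origin),
                    false);
        client.send();
        // `var` keeps the parsed body local to this test; an undeclared
        // assignment would create a global shared by every test in the file
        // and throws outright in strict mode.
        var r = JSON.parse(client.response);
        // The response being readable shows the check passed. The Origin value
        // the server reports must be exactly scheme://host[:port] of this page.
        var host = location.protocol + "//" + location.host;
        assert_equals(r['origin'], host, 'Request Origin: should be ' + host);
    }, 'Allow origin: ' + origin.replace(/\t/g, "[tab]").replace(/ /g, '_'));
}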

// Values that must be accepted: the bare wildcard and this page's exact
// serialized origin, each optionally padded with leading/trailing spaces or
// tabs. Tabs are written as \t so the whitespace under test is visible.
(function () {
    var pageOrigin = location.protocol + "//" + location.host;
    var accepted = [
        '*',
        ' *  ',
        '\t*',
        pageOrigin,
        " " + pageOrigin,
        " " + pageOrigin + "   \t ",
        "\t" + pageOrigin
    ];
    accepted.forEach(function (value) {
        shouldPass(value);
    });
})();


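/**
 * Registers one testharness test that expects a synchronous cross-origin GET
 * to be blocked when `origin` is handed to the server helper.
 *
 * `origin` is sent URL-encoded as the `origin` query parameter of
 * CROSSDOMAIN + '/resources/cors-makeheader.py'.
 * NOTE(review): the helper is not part of this file; presumably it echoes the
 * parameter as the Access-Control-Allow-Origin response header. Confirm
 * against the resource.
 *
 * @param {string} origin  Allow-Origin value that must NOT grant access. NUL
 *                         characters are shown as "\0" in the test name.
 */
function shouldFail(origin) {
    test(function () {
        var client = new XMLHttpRequest();
        // Synchronous request (third argument `false`): a failed CORS check is
        // reported as an exception thrown by send().
        client.open('GET', CROSSDOMAIN
                            + '/resources/cors-makeheader.py?origin='
                            + encodeURIComponent(origin),
                    false);
        // NOTE(review): `null` as the expected code presumably accepts any
        // exception in the testharness version this file targets. Confirm.
        assert_throws(null, function() { client.send(); }, 'send');
    // Global regex so every NUL is escaped; a string pattern would replace
    // only the first one and leave raw NUL bytes in the reported test name.
    }, 'Disallow origin: ' + origin.replace(/\0/g, '\\0'));
}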

// Values that must be rejected. Each one is a near miss of either "*" or this
// page's serialized origin, so a client that matches loosely (prefix/suffix,
// case-insensitive, list-aware, or truncating at NUL) shows up as a failure.
(function () {
    var scheme = location.protocol;
    var host = location.host;
    var pageOrigin = scheme + "//" + host;

    // A different host or a malformed/incorrect scheme part.
    shouldFail(scheme + "//" + SUBDOMAIN + "." + host);
    shouldFail("//" + host);
    shouldFail("://" + host);
    shouldFail("ftp://" + host);
    shouldFail("http:://" + host);
    shouldFail("http:/" + host);
    shouldFail("http:" + host);
    shouldFail(host);

    // The correct origin followed by extra characters.
    shouldFail(pageOrigin + "?");
    shouldFail(pageOrigin + "/");
    shouldFail(pageOrigin + " /");
    shouldFail(pageOrigin + "#");
    shouldFail(pageOrigin + "%23");
    shouldFail(pageOrigin + ":80");
    shouldFail(pageOrigin + ", *");
    shouldFail(pageOrigin + "\0");

    // The correct origin with different letter case.
    shouldFail(pageOrigin.toUpperCase());
    shouldFail(scheme.toUpperCase() + "//" + host);

    // Things that resemble the wildcard but are not exactly "*".
    shouldFail("-");
    shouldFail("**");
    shouldFail("\0*");
    shouldFail("*\0");
    shouldFail("'*'");
    shouldFail('"*"');
    shouldFail("* *");
    shouldFail("*" + scheme + "//" + "*");

    // The correct origin with a prefix, including list-like forms.
    shouldFail("*" + pageOrigin);
    shouldFail("* " + pageOrigin);
    shouldFail("*, " + pageOrigin);
    shouldFail("\0" + pageOrigin);
    shouldFail("null " + pageOrigin);

    // Unrelated origin, the literal "null", the empty value, full URLs of
    // this page, and the cross-domain server's own origin.
    shouldFail('http://example.net');
    shouldFail('null');
    shouldFail('');
    shouldFail(location.href);
    shouldFail(dirname(location.href));
    shouldFail(CROSSDOMAIN);
})();

</script>