| <!DOCTYPE html> |
| <html> |
| <head> |
| <title>XMLHttpRequest: ensure user script headers do not get dropped during cross-origin redirections</title> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| </head> |
| <body> |
| <script type="text/javascript"> |
| function doTest(testName, testURL, simpleRequest, crossOriginRedirect) |
| { |
| promise_test(function(test) { |
| var resolvePromise, rejectPromise; |
| var promise = new Promise((resolve, reject) => { |
| resolvePromise = resolve; |
| rejectPromise = reject; |
| }); |
| |
| var xhr = new XMLHttpRequest; |
| xhr.open("GET", testURL); |
| xhr.setRequestHeader("accept", "groovy"); |
| |
| if (!simpleRequest) { |
| xhr.setRequestHeader("x-webkit", "funky"); |
| xhr.setRequestHeader("content-type", "rocky"); |
| xhr.setRequestHeader("authorization", "Basic QXV0aG9yaXphdGlvbi1IZWFkZXI6QXV0aG9yaXphdGlvbi1IZWFkZXI="); |
| } |
| |
| xhr.onload = (test) => { |
| assert_true(xhr.responseText.indexOf("accept header found: groovy") !== -1, "xhr final request should have an accept=groovy header"); |
| if (!simpleRequest) { |
| assert_true(xhr.responseText.indexOf("x-webkit header found: funky") !== -1, "xhr final request should have a x-webkit=funky header"); |
| assert_true(xhr.responseText.indexOf("content-type header found: rocky") !== -1, "xhr final request should have a content-type=groovy header"); |
| if (crossOriginRedirect) |
| assert_true(xhr.responseText.indexOf("not found any authorization header") !== -1, "xhr final request should not have an authorization header"); |
| else |
| assert_true(xhr.responseText.indexOf("authorization header found") !== -1, "xhr final request should have an authorization header"); |
| } |
| testPassed = true; |
| } |
| |
| xhr.onerror = (e) => { |
| rejectPromise("Loading failure"); |
| } |
| |
| var testPassed = false; |
| xhr.onloadend = () => { |
| testPassed ? resolvePromise() : rejectPromise("testPassed is not true"); |
| } |
| xhr.send(); |
| return promise; |
| }, testName); |
| } |
| |
| var simpleRequest = true; |
| var crossOriginRedirect = true; |
| |
| doTest("Check headers after same-origin redirection to same-origin resource (simple request)", |
| "resources/access-control-preflight-redirect.py?redirect=true&url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-preflight-redirect.py", |
| simpleRequest, !crossOriginRedirect); |
| |
| doTest("Check headers after same-origin redirection to same-origin resource (not simple request)", |
| "resources/access-control-preflight-redirect.py?redirect=true&url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-preflight-redirect.py", |
| !simpleRequest, !crossOriginRedirect); |
| |
| doTest("Check headers after same origin redirection to cross-origin resource (simple request)", |
| "resources/access-control-preflight-redirect.py?redirect=true&url=http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py", |
| simpleRequest, crossOriginRedirect); |
| |
| doTest("Check headers after same origin redirection to cross-origin resource (not simple request)", |
| "resources/access-control-preflight-redirect.py?redirect=true&url=http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py", |
| !simpleRequest, crossOriginRedirect); |
| |
| doTest("Check headers after cross-origin redirection to same-origin resource (simple request)", |
| "http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-preflight-redirect.py", |
| simpleRequest, crossOriginRedirect); |
| |
| doTest("Check headers after cross-origin redirection to same-origin resource (not simple request)", |
| "http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-preflight-redirect.py", |
| !simpleRequest, crossOriginRedirect); |
| |
| doTest("Check headers after cross-origin redirection to cross-origin resource (simple request)", |
| "http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py", |
| simpleRequest, !crossOriginRedirect); |
| |
| doTest("Check headers after cross-origin redirection to cross-origin resource (not simple request)", |
| "http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py", |
| !simpleRequest, !crossOriginRedirect); |
| |
| </script> |
| </body> |
| </html> |
| |