LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html

<p>Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.</p>

<pre id="console"></pre>
<script>
if (window.testRunner) {
    testRunner.dumpAsText();
    testRunner.waitUntilDone();
}

function log(message)
{
    document.getElementById('console').appendChild(document.createTextNode(message + '\n'));
}

function runTestAsync(url, credentials, addCustomHeader, expectSuccess) {
    log("Testing " + url + (credentials ? " with " : " without ") + "credentials");
    log("Expecting success: " + expectSuccess);

    xhr = new XMLHttpRequest();
    xhr.withCredentials = credentials;
    xhr.open("GET", url, true);
    if (addCustomHeader)
        xhr.setRequestHeader("x-webkit", "foo");

    xhr.onload = function() {
        log((expectSuccess ? "PASS" : "FAIL") + ": " + xhr.responseText);
    }
    xhr.onerror = function() {
        log((expectSuccess ? "FAIL" : "PASS") + ": " + xhr.status);
    }
    xhr.onloadend = function() {
         nextTest();
    }
    xhr.send(null);
}

var withoutCredentials = false;
var withCredentials = true;
var noCustomHeader = false;
var addCustomHeader = true;
var succeeds = true;
var fails = false;

var tests = [
// 1) Test simple cross origin requests that receive redirects.

// Receives a redirect response without CORS headers. The redirect response fails the access check.
["http://localhost:8000/xmlhttprequest/resources/redirect-cors.py?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi",
  withoutCredentials, noCustomHeader, fails],

// Receives a redirect response with CORS headers. The redirect response passes the access check and the resource response passes the access check.
["http://localhost:8000/xmlhttprequest/resources/redirect-cors.py?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&access-control-allow-origin=http://127.0.0.1:8000",
  withoutCredentials, noCustomHeader, succeeds],

// Receives a redirect response with a URL containing the userinfo production.
["http://localhost:8000/xmlhttprequest/resources/redirect-cors.py?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&access-control-allow-origin=http://127.0.0.1:8000",
  withoutCredentials, noCustomHeader, fails],

// Receives a redirect response with a URL with an unsupported scheme.
["http://localhost:8000/xmlhttprequest/resources/redirect-cors.py?url=foo://bar.cgi&access-control-allow-origin=http://127.0.0.1:8000",
  withoutCredentials, noCustomHeader, fails],

// 2) Test preflighted cross origin requests that receive redirects.

// Receives a redirect response to the preflight request and fails.
["http://localhost:8000/xmlhttprequest/resources/redirect-cors.py?redirect-preflight=true&url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&access-control-allow-origin=*",
  withoutCredentials, addCustomHeader, fails],

// Successful preflight and receives a redirect response to the actual request.
// Preflight to the redirected URL should fail as it does not allow custom headers.
["http://localhost:8000/xmlhttprequest/resources/redirect-cors.py?redirect-preflight=false&url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&access-control-allow-origin=*&access-control-allow-headers=x-webkit",
  withoutCredentials, addCustomHeader, fails],

// 3) Test same origin requests with a custom header that receive a same origin redirect.
["resources/redirect-cors.py?url=http://127.0.0.1:8000/xmlhttprequest/resources/get.txt",
  withoutCredentials, addCustomHeader, succeeds],

]

var currentTest = 0;

function nextTest() {
    if (currentTest < tests.length)
        runTestAsync.apply(null, tests[currentTest++]);
    else if (window.testRunner)
        testRunner.notifyDone();
}

nextTest();
</script>