blob: 6bc4edd274a8bf78f71fee99c017f2638caac85c [file] [log] [blame]
<!DOCTYPE html>
<html>
<head>
<script src="../../js-test-resources/js-test-pre.js"></script>
</head>
<body>
<script type="text/javascript">
description("Check that exact matching is used when comparing a request's originating url and the value provided by Access-Control-Allow-Origin.");
var urlTemplate = "http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=";
function shouldPass(origin) {
debug("Should allow origin: '" + origin + "'");
xhr = new XMLHttpRequest();
xhr.open('GET', urlTemplate + encodeURIComponent(origin), false);
shouldBeUndefined("xhr.send(null)");
}
function shouldFail(origin) {
debug("Should disallow origin: '" + origin + "'");
xhr = new XMLHttpRequest();
xhr.open('GET', urlTemplate + encodeURIComponent(origin), false);
shouldThrow("xhr.send(null)");
}
var pageOrigin = self.origin;
shouldPass("*");
shouldPass(" * ");
shouldPass(" *");
shouldPass(pageOrigin);
shouldPass(" " + pageOrigin);
shouldPass(" " + pageOrigin + " ");
shouldPass(" " + pageOrigin);
shouldFail(location.protocol + "//www2." + location.host);
shouldFail("//" + location.host);
shouldFail("://" + location.host);
shouldFail("ftp://" + location.host);
shouldFail("http:://" + location.host);
shouldFail("http:/" + location.host);
shouldFail("http:" + location.host);
shouldFail(location.host);
shouldFail(pageOrigin + "?");
shouldFail(pageOrigin + "/");
shouldFail(pageOrigin + " /");
shouldFail(pageOrigin + "#");
shouldFail(pageOrigin + "%23");
shouldFail(pageOrigin + ":80");
shouldFail(pageOrigin + "\0");
shouldFail(pageOrigin.toUpperCase());
shouldFail(location.protocol.toUpperCase() + "//" + location.host);
shouldFail("-");
shouldFail("**");
shouldFail("\0*");
shouldFail("*\0");
shouldFail("'*'");
shouldFail('"*"');
shouldFail("* *");
shouldFail("*" + location.protocol + "//" + "*");
shouldFail("*" + pageOrigin);
shouldFail("* " + pageOrigin);
shouldFail("\0" + pageOrigin);
shouldFail("null " + pageOrigin);
shouldFail("http://example.net");
shouldFail("null");
shouldFail("");
shouldFail(location.href);
shouldFail(location.href.replace(/\/[^\/]*$/, '/'));
shouldFail(location.href.replace(location.hostname, "localhost"));
// Tests with multiple Access-Control-Allow-Origin headers (expected to fail)
shouldFail(pageOrigin + ", *");
shouldFail(pageOrigin + ",*");
shouldFail("*, " + pageOrigin);
shouldFail("*," + pageOrigin);
shouldFail(pageOrigin + "," + pageOrigin);
shouldFail(pageOrigin + ",http://example.net");
shouldFail("http://example.net," + pageOrigin);
shouldFail(",");
shouldFail("," + pageOrigin);
shouldFail(pageOrigin + ",");
</script>
<script src="../../js-test-resources/js-test-post.js"></script>
</body>
</html>