<p>Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.</p>
<pre id="console"></pre>
// Harness-only setup: this branch is taken only when the page runs under window.testRunner.
// NOTE(review): the statements inside this guard are not visible in this listing.
if (window.testRunner) {
/**
 * Appends one line of output to the <pre id="console"> element.
 * The message is inserted as a text node, so any markup in a logged
 * response body is displayed literally instead of being parsed as HTML.
 * @param {string} message - text to append; a newline is added after it.
 */
function log(message)
document.getElementById('console').appendChild(document.createTextNode(message + '\n'));
/**
 * Sets up one asynchronous XMLHttpRequest and logs PASS or FAIL depending on
 * whether the outcome (load vs. error) matches the caller's expectation.
 * @param {string} url - request target; echoed in the log output.
 * @param {boolean} credentials - value assigned to xhr.withCredentials.
 * @param {boolean} addCustomHeader - when truthy, the "x-webkit" request header is set.
 * @param {boolean} expectSuccess - true if the load should complete, false if it should be blocked.
 */
function runTestAsync(url, credentials, addCustomHeader, expectSuccess) {
log("Testing " + url + (credentials ? " with " : " without ") + "credentials");
log("Expecting success: " + expectSuccess);
// xhr is assigned without var/let/const, so it is an implicit global that the
// handlers below read; each call overwrites it.
xhr = new XMLHttpRequest();
// withCredentials controls whether cookies and HTTP auth are sent on cross-origin requests.
// NOTE(review): the trailing `"GET", url, true);` looks like the argument list of an
// xhr.open() call whose start is missing from this listing — confirm against the original file.
xhr.withCredentials = credentials;"GET", url, true);
// "x-webkit" is not a CORS-safelisted request header, so on a cross-origin request
// it would require a preflight.
if (addCustomHeader)
xhr.setRequestHeader("x-webkit", "foo");
// A completed load is a PASS only when success was expected; the response body is logged.
xhr.onload = function() {
log((expectSuccess ? "PASS" : "FAIL") + ": " + xhr.responseText);
// An error is a PASS only when failure was expected.
// NOTE(review): a request blocked by the CORS check is reported as a network error,
// so the logged status is presumably 0 — confirm against the expected-output file.
xhr.onerror = function() {
log((expectSuccess ? "FAIL" : "PASS") + ": " + xhr.status);
// Named booleans so that each test row reads as (credentials, custom header, expected outcome).
var withoutCredentials = false;
var withCredentials = true;
var noCustomHeader = false;
var addCustomHeader = true;
var succeeds = true;
var fails = false;
// Each row is the argument list that nextTest() passes to runTestAsync via apply().
// NOTE(review): the opening "[" and the URL of each row are not visible in this listing.
var tests = [
// Test simple same origin requests that receive cross origin redirects.
// Request without credentials is redirected to a cross-origin response with Access-Control-Allow-Origin=*.
// The redirect response passes the access check.
withoutCredentials, noCustomHeader, succeeds],
// Request with credentials is redirected to a cross-origin response with Access-Control-Allow-Origin=*.
// The redirect response fails the access check because credentials were sent:
// CORS does not accept the "*" wildcard for a credentialed request; the response
// must name the requesting origin explicitly.
withCredentials, noCustomHeader, fails],
// Request without credentials is redirected to a cross-origin response with a specific Access-Control-Allow-Origin.
// The redirect response passes the access check.
withoutCredentials, noCustomHeader, succeeds],
// Request with credentials is redirected to a cross-origin response with a specific Access-Control-Allow-Origin.
// The redirect response passes the access check.
// NOTE(review): a credentialed request also needs Access-Control-Allow-Credentials: true
// on the response; presumably the server script sends it here — confirm.
withCredentials, noCustomHeader, succeeds],
// Request without credentials is redirected to a cross-origin response with a specific Access-Control-Allow-Origin
// forbidding credentials. The redirect response passes the access check.
// NOTE(review): "forbidding credentials" presumably means Access-Control-Allow-Credentials
// is absent or not "true" — confirm against the server script.
withoutCredentials, noCustomHeader, succeeds],
// Request with credentials is redirected to a cross-origin response with a specific Access-Control-Allow-Origin
// forbidding credentials. The redirect response fails the access check.
// A matching origin alone is not enough once credentials are included.
withCredentials, noCustomHeader, fails],
// Index into tests of the next row to run; nextTest() post-increments it.
var currentTest = 0;
function nextTest() {
if (currentTest < tests.length)
runTestAsync.apply(null, tests[currentTest++]);
else if (window.testRunner)