blob: 45f3283333239ddbd61a47e499ed20ab3b4e8425 [file] [log] [blame]
<!DOCTYPE html>
<html>
<head>
<title>XMLHttpRequest: ensure user script headers do not get dropped during cross-origin redirections</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<script type="text/javascript">
function doTest(testName, testURL, simpleRequest, crossOriginRedirect)
{
promise_test(function(test) {
var resolvePromise, rejectPromise;
var promise = new Promise((resolve, reject) => {
resolvePromise = resolve;
rejectPromise = reject;
});
var xhr = new XMLHttpRequest;
xhr.open("GET", testURL);
xhr.setRequestHeader("accept", "groovy");
if (!simpleRequest) {
xhr.setRequestHeader("x-webkit", "funky");
xhr.setRequestHeader("content-type", "rocky");
xhr.setRequestHeader("authorization", "Basic QXV0aG9yaXphdGlvbi1IZWFkZXI6QXV0aG9yaXphdGlvbi1IZWFkZXI=");
}
xhr.onload = (test) => {
assert_true(xhr.responseText.indexOf("accept header found: groovy") !== -1, "xhr final request should have an accept=groovy header");
if (!simpleRequest) {
assert_true(xhr.responseText.indexOf("x-webkit header found: funky") !== -1, "xhr final request should have a x-webkit=funky header");
assert_true(xhr.responseText.indexOf("content-type header found: rocky") !== -1, "xhr final request should have a content-type=groovy header");
if (crossOriginRedirect)
assert_true(xhr.responseText.indexOf("not found any authorization header") !== -1, "xhr final request should not have an authorization header");
else
assert_true(xhr.responseText.indexOf("authorization header found") !== -1, "xhr final request should have an authorization header");
}
testPassed = true;
}
xhr.onerror = (e) => {
rejectPromise("Loading failure");
}
var testPassed = false;
xhr.onloadend = () => {
testPassed ? resolvePromise() : rejectPromise("testPassed is not true");
}
xhr.send();
return promise;
}, testName);
}
var simpleRequest = true;
var crossOriginRedirect = true;
doTest("Check headers after same-origin redirection to same-origin resource (simple request)",
"resources/access-control-preflight-redirect.py?redirect=true&url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-preflight-redirect.py",
simpleRequest, !crossOriginRedirect);
doTest("Check headers after same-origin redirection to same-origin resource (not simple request)",
"resources/access-control-preflight-redirect.py?redirect=true&url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-preflight-redirect.py",
!simpleRequest, !crossOriginRedirect);
doTest("Check headers after same origin redirection to cross-origin resource (simple request)",
"resources/access-control-preflight-redirect.py?redirect=true&url=http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py",
simpleRequest, crossOriginRedirect);
doTest("Check headers after same origin redirection to cross-origin resource (not simple request)",
"resources/access-control-preflight-redirect.py?redirect=true&url=http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py",
!simpleRequest, crossOriginRedirect);
doTest("Check headers after cross-origin redirection to same-origin resource (simple request)",
"http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-preflight-redirect.py",
simpleRequest, crossOriginRedirect);
doTest("Check headers after cross-origin redirection to same-origin resource (not simple request)",
"http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-preflight-redirect.py",
!simpleRequest, crossOriginRedirect);
doTest("Check headers after cross-origin redirection to cross-origin resource (simple request)",
"http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py",
simpleRequest, !crossOriginRedirect);
doTest("Check headers after cross-origin redirection to cross-origin resource (not simple request)",
"http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py",
!simpleRequest, !crossOriginRedirect);
</script>
</body>
</html>