Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(297)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: LayoutTests/http/tests/security/script-crossorigin-redirect-credentials.html

Issue 149643003: Improve handling of CORS redirects for some resource loads. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Use canRequest() when checking redirect origin; remove redundant null checks. Created 6 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « LayoutTests/http/tests/security/script-crossorigin-redirect-anonymous-expected.txt ('k') | LayoutTests/http/tests/security/script-crossorigin-redirect-credentials-expected.txt » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: LayoutTests/http/tests/security/script-crossorigin-redirect-credentials.html
diff --git a/LayoutTests/http/tests/security/script-crossorigin-redirect-credentials.html b/LayoutTests/http/tests/security/script-crossorigin-redirect-credentials.html
new file mode 100644
index 0000000000000000000000000000000000000000..74cf2d2badffac4e6655161875d5bf23e0b1ff85
--- /dev/null
+++ b/LayoutTests/http/tests/security/script-crossorigin-redirect-credentials.html
@@ -0,0 +1,86 @@
+<!DOCTYPE HTML>
+<script src="/js-test-resources/js-test.js"></script>
+<script>
+description("Testing the handling of CORS-enabled script fetch in the presence of 'credentialled' redirects.");
+
+// Explain the short form descriptions ('=>' representing the redirect.)
+debug("PASS/FAIL descriptions are of the form, 'CORS request type': 'redirect CORS type' => 'resource'");
+debug("");
+
+var redirect_cors = "use-credentials";
+
+window.jsTestIsAsync = true;
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+function finish() {
+ if (window.testRunner)
+ finishJSTest();
+}
+
+function fail() {
+ debug("FAIL: " + this.description);
+ runNextTest();
+}
+
+function pass() {
+ debug("PASS: " + this.description);
+ runNextTest();
+}
+
+var tests = [
+ { description: "Anonymous request: credentialled => no-CORS script resource.",
+ url: "http://localhost:8000/security/resources/localScript.js",
+ // Redirect is allowed, but fails access check on the non-CORS resource.
+ success: false,
+ access: "anonymous"},
+ { description: "Anonymous request: credentialled => anonymous CORS script resource (same origin.)",
+ url: "http://localhost:8000/security/resources/script-allow-star.php",
+ // Redirect is allowed, as is access to the anonymous CORS resource.
+ success: true,
+ access: "anonymous"},
+ { description: "Anonymous request: credentialled => anonymous CORS script resource (cross origin.)",
+ url: "http://localhost:8080/security/resources/script-allow-star.php",
+ // Redirect is allowed, as is access (with origin 'null') to the CORS resource.
+ success: true,
+ access: "anonymous"},
+ { description: "Credentialled request: credentialled => credentialled-CORS script resource (same origin.)",
+ url: "http://localhost:8000/security/resources/script-allow-credentials.php",
+ // Redirect is allowed, as is access (with original origin) to the CORS resource.
+ success: true,
+ access: "use-credentials"},
+ { description: "Credentialled request: credentialled => credentialled-CORS script resource (cross origin.)",
+ url: "http://127.0.0.1:8000/security/resources/script-allow-credentials.php",
+ // Redirect is allowed, source origin mutates to 'null', so credentialled resource not accessible.
+ success: false,
+ access: "use-credentials"},
+ { description: "Credentialled request: credentialled => anonymous-CORS script resource (same origin.)",
+ url: "http://localhost:8000/security/resources/script-allow-star.php",
+ // Redirect is allowed, but anonymous resource with * as allowed origins is not accessible.
+ success: false,
+ access: "use-credentials"},
+ { description: "Credentialled request: credentialled => anonymous-CORS script resource (cross origin.)",
+ url: "http://127.0.0.1:8000/security/resources/script-allow-star.php",
+ // Redirect is allowed, source origin mutates to 'null', so anonymous resource with * as allowed origins is not accessible.
+ success: false,
+ access: "use-credentials"},
+ ];
+
+function runNextTest() {
+ if (!tests.length) {
+ finish();
+ return;
+ }
+ var test = tests.shift();
+ var script = document.createElement("script");
+ script.onload = test.success ? pass : fail;
+ script.onerror = test.success ? fail : pass;
+ script.crossOrigin = test.access;
+ script.description = test.description;
+ var args = [ "mode=" + redirect_cors,
+ "url=" + test.url];
+ script.src = "http://localhost:8000/security/resources/cors-redirect.php?" + args.join("&");
+ document.body.appendChild(script);
+}
+window.onload = runNextTest;
+</script>
« no previous file with comments | « LayoutTests/http/tests/security/script-crossorigin-redirect-anonymous-expected.txt ('k') | LayoutTests/http/tests/security/script-crossorigin-redirect-credentials-expected.txt » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698