1 /* | 1 /* |
2 * Copyright (C) 2011 Google Inc. All rights reserved. | 2 * Copyright (C) 2011 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions are | 5 * modification, are permitted provided that the following conditions are |
6 * met: | 6 * met: |
7 * | 7 * |
8 * * Redistributions of source code must retain the above copyright | 8 * * Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * * Redistributions in binary form must reproduce the above | 10 * * Redistributions in binary form must reproduce the above |
382 request.setURL(url); | 382 request.setURL(url); |
383 | 383 |
384 m_expectedResponse = WebURLResponse(); | 384 m_expectedResponse = WebURLResponse(); |
385 m_expectedResponse.setMIMEType("text/html"); | 385 m_expectedResponse.setMIMEType("text/html"); |
386 m_expectedResponse.setHTTPStatusCode(200); | 386 m_expectedResponse.setHTTPStatusCode(200); |
387 m_expectedResponse.addHTTPHeaderField("access-control-allow-origin", "*"); | 387 m_expectedResponse.addHTTPHeaderField("access-control-allow-origin", "*"); |
388 Platform::current()->getURLLoaderMockFactory()->registerURL( | 388 Platform::current()->getURLLoaderMockFactory()->registerURL( |
389 url, m_expectedResponse, m_frameFilePath); | 389 url, m_expectedResponse, m_frameFilePath); |
390 | 390 |
391 WebURLLoaderOptions options; | 391 WebURLLoaderOptions options; |
392 // Send credentials. This will cause the CORS checks to fail, because credenti
als can't be | 392 // Send credentials. This will cause the CORS checks to fail, because |
393 // sent to a server which returns the header "access-control-allow-origin" wit
h "*" as its value. | 393 // credentials can't be sent to a server which returns the header |
| 394 // "access-control-allow-origin" with "*" as its value. |
394 options.allowCredentials = true; | 395 options.allowCredentials = true; |
395 options.crossOriginRequestPolicy = | 396 options.crossOriginRequestPolicy = |
396 WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl; | 397 WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl; |
397 m_expectedLoader = createAssociatedURLLoader(options); | 398 m_expectedLoader = createAssociatedURLLoader(options); |
398 EXPECT_TRUE(m_expectedLoader); | 399 EXPECT_TRUE(m_expectedLoader); |
399 m_expectedLoader->loadAsynchronously(request, this); | 400 m_expectedLoader->loadAsynchronously(request, this); |
400 | 401 |
401 // Failure should not be reported synchronously. | 402 // Failure should not be reported synchronously. |
402 EXPECT_FALSE(m_didFail); | 403 EXPECT_FALSE(m_didFail); |
403 // The loader needs to receive the response, before doing the CORS check. | 404 // The loader needs to receive the response, before doing the CORS check. |
506 EXPECT_FALSE(m_willFollowRedirect); | 507 EXPECT_FALSE(m_willFollowRedirect); |
507 EXPECT_FALSE(m_didReceiveResponse); | 508 EXPECT_FALSE(m_didReceiveResponse); |
508 EXPECT_FALSE(m_didReceiveData); | 509 EXPECT_FALSE(m_didReceiveData); |
509 EXPECT_FALSE(m_didFinishLoading); | 510 EXPECT_FALSE(m_didFinishLoading); |
510 } | 511 } |
511 | 512 |
512 // Test that a cross origin redirect response without CORS headers fails. | 513 // Test that a cross origin redirect response without CORS headers fails. |
513 TEST_F(AssociatedURLLoaderTest, RedirectCrossOriginWithAccessControlFailure) { | 514 TEST_F(AssociatedURLLoaderTest, RedirectCrossOriginWithAccessControlFailure) { |
514 KURL url = toKURL( | 515 KURL url = toKURL( |
515 "http://www.test.com/RedirectCrossOriginWithAccessControlFailure.html"); | 516 "http://www.test.com/RedirectCrossOriginWithAccessControlFailure.html"); |
516 char | 517 char redirect[] = |
517 redirect[] = | 518 "http://www.other.com/" |
518 "http://www.other.com/" | 519 "RedirectCrossOriginWithAccessControlFailure.html"; // Cross-origin |
519 "RedirectCrossOriginWithAccessControlFailure.html"; // Cross-origin | |
520 KURL redirectURL = toKURL(redirect); | 520 KURL redirectURL = toKURL(redirect); |
521 | 521 |
522 WebURLRequest request; | 522 WebURLRequest request; |
523 request.setURL(url); | 523 request.setURL(url); |
524 | 524 |
525 m_expectedRedirectResponse = WebURLResponse(); | 525 m_expectedRedirectResponse = WebURLResponse(); |
526 m_expectedRedirectResponse.setMIMEType("text/html"); | 526 m_expectedRedirectResponse.setMIMEType("text/html"); |
527 m_expectedRedirectResponse.setHTTPStatusCode(301); | 527 m_expectedRedirectResponse.setHTTPStatusCode(301); |
528 m_expectedRedirectResponse.setHTTPHeaderField("Location", redirect); | 528 m_expectedRedirectResponse.setHTTPHeaderField("Location", redirect); |
529 Platform::current()->getURLLoaderMockFactory()->registerURL( | 529 Platform::current()->getURLLoaderMockFactory()->registerURL( |
546 m_expectedLoader->loadAsynchronously(request, this); | 546 m_expectedLoader->loadAsynchronously(request, this); |
547 | 547 |
548 serveRequests(); | 548 serveRequests(); |
549 // We should get a notification about access control check failure. | 549 // We should get a notification about access control check failure. |
550 EXPECT_FALSE(m_willFollowRedirect); | 550 EXPECT_FALSE(m_willFollowRedirect); |
551 EXPECT_FALSE(m_didReceiveResponse); | 551 EXPECT_FALSE(m_didReceiveResponse); |
552 EXPECT_FALSE(m_didReceiveData); | 552 EXPECT_FALSE(m_didReceiveData); |
553 EXPECT_TRUE(m_didFail); | 553 EXPECT_TRUE(m_didFail); |
554 } | 554 } |
555 | 555 |
556 // Test that a cross origin redirect response with CORS headers that allow the r
equesting origin succeeds. | 556 // Test that a cross origin redirect response with CORS headers that allow the |
| 557 // requesting origin succeeds. |
557 TEST_F(AssociatedURLLoaderTest, RedirectCrossOriginWithAccessControlSuccess) { | 558 TEST_F(AssociatedURLLoaderTest, RedirectCrossOriginWithAccessControlSuccess) { |
558 KURL url = toKURL( | 559 KURL url = toKURL( |
559 "http://www.test.com/RedirectCrossOriginWithAccessControlSuccess.html"); | 560 "http://www.test.com/RedirectCrossOriginWithAccessControlSuccess.html"); |
560 char | 561 char redirect[] = |
561 redirect[] = | 562 "http://www.other.com/" |
562 "http://www.other.com/" | 563 "RedirectCrossOriginWithAccessControlSuccess.html"; // Cross-origin |
563 "RedirectCrossOriginWithAccessControlSuccess.html"; // Cross-origin | |
564 KURL redirectURL = toKURL(redirect); | 564 KURL redirectURL = toKURL(redirect); |
565 | 565 |
566 WebURLRequest request; | 566 WebURLRequest request; |
567 request.setURL(url); | 567 request.setURL(url); |
568 // Add a CORS simple header. | 568 // Add a CORS simple header. |
569 request.setHTTPHeaderField("accept", "application/json"); | 569 request.setHTTPHeaderField("accept", "application/json"); |
570 | 570 |
571 // Create a redirect response that allows the redirect to pass the access cont
rol checks. | 571 // Create a redirect response that allows the redirect to pass the access |
| 572 // control checks. |
572 m_expectedRedirectResponse = WebURLResponse(); | 573 m_expectedRedirectResponse = WebURLResponse(); |
573 m_expectedRedirectResponse.setMIMEType("text/html"); | 574 m_expectedRedirectResponse.setMIMEType("text/html"); |
574 m_expectedRedirectResponse.setHTTPStatusCode(301); | 575 m_expectedRedirectResponse.setHTTPStatusCode(301); |
575 m_expectedRedirectResponse.setHTTPHeaderField("Location", redirect); | 576 m_expectedRedirectResponse.setHTTPHeaderField("Location", redirect); |
576 m_expectedRedirectResponse.addHTTPHeaderField("access-control-allow-origin", | 577 m_expectedRedirectResponse.addHTTPHeaderField("access-control-allow-origin", |
577 "*"); | 578 "*"); |
578 Platform::current()->getURLLoaderMockFactory()->registerURL( | 579 Platform::current()->getURLLoaderMockFactory()->registerURL( |
579 url, m_expectedRedirectResponse, m_frameFilePath); | 580 url, m_expectedRedirectResponse, m_frameFilePath); |
580 | 581 |
581 m_expectedNewRequest = WebURLRequest(); | 582 m_expectedNewRequest = WebURLRequest(); |
678 EXPECT_FALSE(CheckAccessControlHeaders("Set-Cookie", false)); | 679 EXPECT_FALSE(CheckAccessControlHeaders("Set-Cookie", false)); |
679 EXPECT_FALSE(CheckAccessControlHeaders("Set-Cookie2", false)); | 680 EXPECT_FALSE(CheckAccessControlHeaders("Set-Cookie2", false)); |
680 | 681 |
681 // Test that exposed headers that aren't whitelisted are returned. | 682 // Test that exposed headers that aren't whitelisted are returned. |
682 EXPECT_TRUE(CheckAccessControlHeaders("non-whitelisted", true)); | 683 EXPECT_TRUE(CheckAccessControlHeaders("non-whitelisted", true)); |
683 | 684 |
684 // Test that Set-Cookie headers aren't returned, even if exposed. | 685 // Test that Set-Cookie headers aren't returned, even if exposed. |
685 EXPECT_FALSE(CheckAccessControlHeaders("Set-Cookie", true)); | 686 EXPECT_FALSE(CheckAccessControlHeaders("Set-Cookie", true)); |
686 } | 687 } |
687 | 688 |
688 // Test that the loader can allow non-whitelisted response headers for trusted C
ORS loads. | 689 // Test that the loader can allow non-whitelisted response headers for trusted |
| 690 // CORS loads. |
689 TEST_F(AssociatedURLLoaderTest, CrossOriginHeaderAllowResponseHeaders) { | 691 TEST_F(AssociatedURLLoaderTest, CrossOriginHeaderAllowResponseHeaders) { |
690 WebURLRequest request; | 692 WebURLRequest request; |
691 KURL url = | 693 KURL url = |
692 toKURL("http://www.other.com/CrossOriginHeaderAllowResponseHeaders.html"); | 694 toKURL("http://www.other.com/CrossOriginHeaderAllowResponseHeaders.html"); |
693 request.setURL(url); | 695 request.setURL(url); |
694 | 696 |
695 WebString headerNameString(WebString::fromUTF8("non-whitelisted")); | 697 WebString headerNameString(WebString::fromUTF8("non-whitelisted")); |
696 m_expectedResponse = WebURLResponse(); | 698 m_expectedResponse = WebURLResponse(); |
697 m_expectedResponse.setMIMEType("text/html"); | 699 m_expectedResponse.setMIMEType("text/html"); |
698 m_expectedResponse.setHTTPStatusCode(200); | 700 m_expectedResponse.setHTTPStatusCode(200); |
(...skipping 12 matching lines...) Expand all Loading... |
711 m_expectedLoader->loadAsynchronously(request, this); | 713 m_expectedLoader->loadAsynchronously(request, this); |
712 serveRequests(); | 714 serveRequests(); |
713 EXPECT_TRUE(m_didReceiveResponse); | 715 EXPECT_TRUE(m_didReceiveResponse); |
714 EXPECT_TRUE(m_didReceiveData); | 716 EXPECT_TRUE(m_didReceiveData); |
715 EXPECT_TRUE(m_didFinishLoading); | 717 EXPECT_TRUE(m_didFinishLoading); |
716 | 718 |
717 EXPECT_FALSE(m_actualResponse.httpHeaderField(headerNameString).isEmpty()); | 719 EXPECT_FALSE(m_actualResponse.httpHeaderField(headerNameString).isEmpty()); |
718 } | 720 } |
719 | 721 |
720 } // namespace blink | 722 } // namespace blink |