OLD | NEW |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/fetch/CrossOriginAccessControl.h" | 5 #include "core/fetch/CrossOriginAccessControl.h" |
6 | 6 |
7 #include "platform/network/ResourceRequest.h" | 7 #include "platform/network/ResourceRequest.h" |
8 #include "platform/weborigin/SecurityOrigin.h" | 8 #include "platform/weborigin/SecurityOrigin.h" |
9 #include "testing/gtest/include/gtest/gtest.h" | 9 #include "testing/gtest/include/gtest/gtest.h" |
10 #include "wtf/RefPtr.h" | 10 #include "wtf/RefPtr.h" |
(...skipping 30 matching lines...) Expand all Loading... |
41 TEST_F(CreateAccessControlPreflightRequestTest, ExcludeSimpleHeaders) { | 41 TEST_F(CreateAccessControlPreflightRequestTest, ExcludeSimpleHeaders) { |
42 ResourceRequest request; | 42 ResourceRequest request; |
43 request.addHTTPHeaderField("Accept", "everything"); | 43 request.addHTTPHeaderField("Accept", "everything"); |
44 request.addHTTPHeaderField("Accept-Language", "everything"); | 44 request.addHTTPHeaderField("Accept-Language", "everything"); |
45 request.addHTTPHeaderField("Content-Language", "everything"); | 45 request.addHTTPHeaderField("Content-Language", "everything"); |
46 request.addHTTPHeaderField("Save-Data", "on"); | 46 request.addHTTPHeaderField("Save-Data", "on"); |
47 | 47 |
48 ResourceRequest preflight = | 48 ResourceRequest preflight = |
49 createAccessControlPreflightRequest(request, m_securityOrigin.get()); | 49 createAccessControlPreflightRequest(request, m_securityOrigin.get()); |
50 | 50 |
51 EXPECT_EQ("", preflight.httpHeaderField("Access-Control-Request-Headers")); | 51 // Do not emit empty-valued headers; an empty list of non-"CORS safelisted" |
| 52 // request headers should cause "Access-Control-Request-Headers:" to be |
| 53 // left out in the preflight request. |
| 54 EXPECT_EQ(nullAtom, |
| 55 preflight.httpHeaderField("Access-Control-Request-Headers")); |
52 } | 56 } |
53 | 57 |
54 TEST_F(CreateAccessControlPreflightRequestTest, | 58 TEST_F(CreateAccessControlPreflightRequestTest, |
55 ExcludeSimpleContentTypeHeader) { | 59 ExcludeSimpleContentTypeHeader) { |
56 ResourceRequest request; | 60 ResourceRequest request; |
57 request.addHTTPHeaderField("Content-Type", "text/plain"); | 61 request.addHTTPHeaderField("Content-Type", "text/plain"); |
58 | 62 |
59 ResourceRequest preflight = | 63 ResourceRequest preflight = |
60 createAccessControlPreflightRequest(request, m_securityOrigin.get()); | 64 createAccessControlPreflightRequest(request, m_securityOrigin.get()); |
61 | 65 |
62 EXPECT_EQ("", preflight.httpHeaderField("Access-Control-Request-Headers")); | 66 // Empty list also; see comment in test above. |
| 67 EXPECT_EQ(nullAtom, |
| 68 preflight.httpHeaderField("Access-Control-Request-Headers")); |
63 } | 69 } |
64 | 70 |
65 TEST_F(CreateAccessControlPreflightRequestTest, IncludeNonSimpleHeader) { | 71 TEST_F(CreateAccessControlPreflightRequestTest, IncludeNonSimpleHeader) { |
66 ResourceRequest request; | 72 ResourceRequest request; |
67 request.addHTTPHeaderField("X-Custom-Header", "foobar"); | 73 request.addHTTPHeaderField("X-Custom-Header", "foobar"); |
68 | 74 |
69 ResourceRequest preflight = | 75 ResourceRequest preflight = |
70 createAccessControlPreflightRequest(request, m_securityOrigin.get()); | 76 createAccessControlPreflightRequest(request, m_securityOrigin.get()); |
71 | 77 |
72 EXPECT_EQ("x-custom-header", | 78 EXPECT_EQ("x-custom-header", |
73 preflight.httpHeaderField("Access-Control-Request-Headers")); | 79 preflight.httpHeaderField("Access-Control-Request-Headers")); |
74 } | 80 } |
75 | 81 |
76 TEST_F(CreateAccessControlPreflightRequestTest, | 82 TEST_F(CreateAccessControlPreflightRequestTest, |
77 IncludeNonSimpleContentTypeHeader) { | 83 IncludeNonSimpleContentTypeHeader) { |
78 ResourceRequest request; | 84 ResourceRequest request; |
79 request.addHTTPHeaderField("Content-Type", "application/octet-stream"); | 85 request.addHTTPHeaderField("Content-Type", "application/octet-stream"); |
80 | 86 |
81 ResourceRequest preflight = | 87 ResourceRequest preflight = |
82 createAccessControlPreflightRequest(request, m_securityOrigin.get()); | 88 createAccessControlPreflightRequest(request, m_securityOrigin.get()); |
83 | 89 |
84 EXPECT_EQ("content-type", | 90 EXPECT_EQ("content-type", |
85 preflight.httpHeaderField("Access-Control-Request-Headers")); | 91 preflight.httpHeaderField("Access-Control-Request-Headers")); |
86 } | 92 } |
87 | 93 |
88 } // namespace | 94 } // namespace |
89 | 95 |
90 } // namespace blink | 96 } // namespace blink |
OLD | NEW |