
Side by Side Diff: third_party/WebKit/Source/core/fetch/CrossOriginAccessControlTest.cpp

Issue 2633423003: Leave out empty-valued Access-Control-Request-Headers: on preflights. (Closed)
Patch Set: explicitly include safe headers in the (test) request Created 3 years, 11 months ago
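--- a/third_party/WebKit/Source/core/fetch/CrossOriginAccessControlTest.cpp
+++ b/third_party/WebKit/Source/core/fetch/CrossOriginAccessControlTest.cpp
@@ -1,10 +1,10 @@
 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/fetch/CrossOriginAccessControl.h"
 
 #include "platform/network/ResourceRequest.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "wtf/RefPtr.h"
@@ -41,50 +41,56 @@
 TEST_F(CreateAccessControlPreflightRequestTest, ExcludeSimpleHeaders) {
 ResourceRequest request;
 request.addHTTPHeaderField("Accept", "everything");
 request.addHTTPHeaderField("Accept-Language", "everything");
 request.addHTTPHeaderField("Content-Language", "everything");
 request.addHTTPHeaderField("Save-Data", "on");
 
 ResourceRequest preflight =
 createAccessControlPreflightRequest(request, m_securityOrigin.get());
 
-EXPECT_EQ("", preflight.httpHeaderField("Access-Control-Request-Headers"));
+// Do not emit empty-valued headers; an empty list of non-"CORS safelisted"
+// request headers should cause "Access-Control-Request-Headers:" to be
+// left out in the preflight request.
+EXPECT_EQ(nullAtom,
+preflight.httpHeaderField("Access-Control-Request-Headers"));
 }
 
 TEST_F(CreateAccessControlPreflightRequestTest,
 ExcludeSimpleContentTypeHeader) {
 ResourceRequest request;
 request.addHTTPHeaderField("Content-Type", "text/plain");
 
 ResourceRequest preflight =
 createAccessControlPreflightRequest(request, m_securityOrigin.get());
 
-EXPECT_EQ("", preflight.httpHeaderField("Access-Control-Request-Headers"));
+// Empty list also; see comment in test above.
+EXPECT_EQ(nullAtom,
+preflight.httpHeaderField("Access-Control-Request-Headers"));
 }
 
 TEST_F(CreateAccessControlPreflightRequestTest, IncludeNonSimpleHeader) {
 ResourceRequest request;
 request.addHTTPHeaderField("X-Custom-Header", "foobar");
 
 ResourceRequest preflight =
 createAccessControlPreflightRequest(request, m_securityOrigin.get());
 
 EXPECT_EQ("x-custom-header",
 preflight.httpHeaderField("Access-Control-Request-Headers"));
 }
 
 TEST_F(CreateAccessControlPreflightRequestTest,
 IncludeNonSimpleContentTypeHeader) {
 ResourceRequest request;
 request.addHTTPHeaderField("Content-Type", "application/octet-stream");
 
 ResourceRequest preflight =
 createAccessControlPreflightRequest(request, m_securityOrigin.get());
 
 EXPECT_EQ("content-type",
 preflight.httpHeaderField("Access-Control-Request-Headers"));
 }
 
 } // namespace
 
 } // namespace blink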
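Review bot: None of the visible tests puts CORS-safelisted and non-safelisted headers in the same request, so the new omit-when-empty behaviour is only pinned at the two extremes: everything safelisted (ExcludeSimpleHeaders, ExcludeSimpleContentTypeHeader) or a single non-safelisted header (the two Include* tests). A mixed request would confirm that safelisted names are filtered individually and that the emitted list contains no stray separator or empty element, which is what a server's preflight check actually compares against. Old lines 11-40 are collapsed on this page, so the fixture or an earlier test may already cover this. Separately, the comment `// Empty list also; see comment in test above.` depends on test order; restating the reason in one line would keep ExcludeSimpleContentTypeHeader readable on its own.

```cpp
TEST_F(CreateAccessControlPreflightRequestTest,
       ExcludeSimpleHeadersButIncludeNonSimpleHeader) {
  ResourceRequest request;
  request.addHTTPHeaderField("Accept", "everything");
  request.addHTTPHeaderField("X-Custom-Header", "foobar");

  ResourceRequest preflight =
      createAccessControlPreflightRequest(request, m_securityOrigin.get());

  // Only the non-safelisted name should be listed in the preflight.
  EXPECT_EQ("x-custom-header",
            preflight.httpHeaderField("Access-Control-Request-Headers"));
}
```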