OLD | NEW |
(Empty) | |
| 1 if (this.document === undefined) { |
| 2 importScripts("/resources/testharness.js"); |
| 3 importScripts("/common/utils.js"); |
| 4 importScripts("../resources/utils.js"); |
| 5 importScripts("/common/get-host-info.sub.js"); |
| 6 } |
| 7 |
| 8 function headerNames(headers) |
| 9 { |
| 10 let names = []; |
| 11 for (let header of headers) |
| 12 names.push(header[0].toLowerCase()); |
| 13 return names |
| 14 } |
| 15 |
| 16 /* |
| 17 Check preflight is done |
| 18 Control if server allows method and headers and check accordingly |
| 19 Check control access headers added by UA (for method and headers) |
| 20 */ |
| 21 function corsPreflight(desc, corsUrl, method, allowed, headers, safeHeaders) { |
| 22 return promise_test(function(test) { |
| 23 var uuid_token = token(); |
| 24 return fetch(RESOURCES_DIR + "clean-stash.py?token=" + uuid_token).then(func
tion(response) { |
| 25 var url = corsUrl; |
| 26 var urlParameters = "?token=" + uuid_token + "&max_age=0"; |
| 27 var requestInit = {"mode": "cors", "method": method}; |
| 28 var requestHeaders = []; |
| 29 if (headers) |
| 30 requestHeaders.push.apply(requestHeaders, headers); |
| 31 if (safeHeaders) |
| 32 requestHeaders.push.apply(requestHeaders, safeHeaders); |
| 33 requestInit["headers"] = requestHeaders; |
| 34 |
| 35 if (allowed) { |
| 36 urlParameters += "&allow_methods=" + method + "&control_request_headers"
; |
| 37 if (headers) { |
| 38 //Make the server allow the headers |
| 39 urlParameters += "&allow_headers=" + headerNames(headers).join("%20%2C
"); |
| 40 } |
| 41 return fetch(url + urlParameters, requestInit).then(function(resp) { |
| 42 assert_equals(resp.status, 200, "Response's status is 200"); |
| 43 assert_equals(resp.headers.get("x-did-preflight"), "1", "Preflight req
uest has been made"); |
| 44 if (headers) { |
| 45 var actualHeaders = resp.headers.get("x-control-request-headers").to
LowerCase().split(","); |
| 46 for (var i in actualHeaders) |
| 47 actualHeaders[i] = actualHeaders[i].trim(); |
| 48 for (var header of headers) |
| 49 assert_in_array(header[0].toLowerCase(), actualHeaders, "Preflight
asked permission for header: " + header); |
| 50 |
| 51 let accessControlAllowHeaders = headerNames(headers).sort().join(","
); |
| 52 assert_equals(resp.headers.get("x-control-request-headers"), accessC
ontrolAllowHeaders, "Access-Control-Allow-Headers value"); |
| 53 return fetch(RESOURCES_DIR + "clean-stash.py?token=" + uuid_token); |
| 54 } else { |
| 55 assert_equals(resp.headers.get("x-control-request-headers"), null, "
Access-Control-Request-Headers should be omitted") |
| 56 } |
| 57 }); |
| 58 } else { |
| 59 return promise_rejects(test, new TypeError(), fetch(url + urlParameters,
requestInit)).then(function(){ |
| 60 return fetch(RESOURCES_DIR + "clean-stash.py?token=" + uuid_token); |
| 61 }); |
| 62 } |
| 63 }); |
| 64 }, desc); |
| 65 } |
| 66 |
| 67 var corsUrl = get_host_info().HTTP_REMOTE_ORIGIN + dirname(location.pathname) +
RESOURCES_DIR + "preflight.py"; |
| 68 |
| 69 corsPreflight("CORS [DELETE], server allows", corsUrl, "DELETE", true); |
| 70 corsPreflight("CORS [DELETE], server refuses", corsUrl, "DELETE", false); |
| 71 corsPreflight("CORS [PUT], server allows", corsUrl, "PUT", true); |
| 72 corsPreflight("CORS [PUT], server refuses", corsUrl, "PUT", false); |
| 73 corsPreflight("CORS [PATCH], server allows", corsUrl, "PATCH", true); |
| 74 corsPreflight("CORS [PATCH], server refuses", corsUrl, "PATCH", false); |
| 75 corsPreflight("CORS [NEW], server allows", corsUrl, "NEW", true); |
| 76 corsPreflight("CORS [NEW], server refuses", corsUrl, "NEW", false); |
| 77 |
| 78 corsPreflight("CORS [GET] [x-test-header: allowed], server allows", corsUrl, "GE
T", true, [["x-test-header1", "allowed"]]); |
| 79 corsPreflight("CORS [GET] [x-test-header: refused], server refuses", corsUrl, "G
ET", false, [["x-test-header1", "refused"]]); |
| 80 |
| 81 var headers = [ |
| 82 ["x-test-header1", "allowedOrRefused"], |
| 83 ["x-test-header2", "allowedOrRefused"], |
| 84 ["X-test-header3", "allowedOrRefused"], |
| 85 ["x-test-header-b", "allowedOrRefused"], |
| 86 ["x-test-header-D", "allowedOrRefused"], |
| 87 ["x-test-header-C", "allowedOrRefused"], |
| 88 ["x-test-header-a", "allowedOrRefused"], |
| 89 ["Content-Type", "allowedOrRefused"], |
| 90 ]; |
| 91 var safeHeaders= [ |
| 92 ["Accept", "*"], |
| 93 ["Accept-Language", "bzh"], |
| 94 ["Content-Language", "eu"], |
| 95 ]; |
| 96 |
| 97 corsPreflight("CORS [GET] [several headers], server allows", corsUrl, "GET", tru
e, headers, safeHeaders); |
| 98 corsPreflight("CORS [GET] [several headers], server refuses", corsUrl, "GET", fa
lse, headers, safeHeaders); |
| 99 corsPreflight("CORS [PUT] [several headers], server allows", corsUrl, "PUT", tru
e, headers, safeHeaders); |
| 100 corsPreflight("CORS [PUT] [several headers], server refuses", corsUrl, "PUT", fa
lse, headers, safeHeaders); |
| 101 |
| 102 corsPreflight("CORS [PUT] [only safe headers], server allows", corsUrl, "PUT", t
rue, null, safeHeaders); |
| 103 |
| 104 done(); |
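Review bot: The refusal branch (new lines 58-62) asserts only that `fetch()` rejects with a `TypeError`, so it cannot tell a UA that stopped at the failed preflight from one that rejected for an unrelated reason or that still sent the actual request. If `preflight.py` records what it received under the token (not visible on this page), reading that back before the `clean-stash.py` call would let the test assert that a preflight was made and that the actual cross-origin request never reached the server. Separately, in the allowed branch the `else` at new line 54 returns nothing, so the stash entry is cleaned only when `headers` is set; returning `fetch(RESOURCES_DIR + "clean-stash.py?token=" + uuid_token)` after the if/else would cover both paths. The message on new line 52 reads "Access-Control-Allow-Headers value", but the assertion compares the echoed request header, so `"Access-Control-Request-Headers value"` would be the accurate label.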