26 lines
917 B
HTML
26 lines
917 B
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<title>Tests CORS denying preflighted request to resource without CORS headers for OPTIONS</title>
|
|
<script src="/resources/testharness.js"></script>
|
|
<script src="/resources/testharnessreport.js"></script>
|
|
<script src="/common/get-host-info.sub.js"></script>
|
|
</head>
|
|
<body>
|
|
<script type="text/javascript">
|
|
test(function() {
|
|
const xhr = new XMLHttpRequest;
|
|
|
|
xhr.open("GET", get_host_info().HTTP_REMOTE_ORIGIN +
|
|
"/xhr/resources/access-control-basic-options-not-supported.py", false);
|
|
|
|
// Non-CORS-safelisted header
|
|
xhr.setRequestHeader("x-test", "foobar");
|
|
|
|
// This fails because the server-side script is not prepared for an OPTIONS request
|
|
assert_throws_dom("NetworkError", () => xhr.send());
|
|
assert_equals(xhr.status, 0);
|
|
}, "Preflighted cross-origin request denied");
|
|
</script>
|
|
</body>
|
|
</html>
|