Diffstat (limited to 'testing/web-platform/tests/fetch/api/cors/cors-preflight-response-validation.any.js')
-rw-r--r--testing/web-platform/tests/fetch/api/cors/cors-preflight-response-validation.any.js33
1 files changed, 33 insertions, 0 deletions
diff --git a/testing/web-platform/tests/fetch/api/cors/cors-preflight-response-validation.any.js b/testing/web-platform/tests/fetch/api/cors/cors-preflight-response-validation.any.js
new file mode 100644
index 0000000000..718e351c1d
--- /dev/null
+++ b/testing/web-platform/tests/fetch/api/cors/cors-preflight-response-validation.any.js
@@ -0,0 +1,33 @@
+// META: script=/common/utils.js
+// META: script=../resources/utils.js
+// META: script=/common/get-host-info.sub.js
+
+function corsPreflightResponseValidation(desc, corsUrl, allowHeaders, allowMethods) {
+ var uuid_token = token();
+ var url = corsUrl;
+ var requestInit = {"mode": "cors"};
+ /* Force preflight */
+ requestInit["headers"] = {"x-force-preflight": ""};
+
+ var urlParameters = "?token=" + uuid_token + "&max_age=0";
+ urlParameters += "&allow_headers=x-force-preflight";
+ if (allowHeaders)
+ urlParameters += "," + allowHeaders;
+ if (allowMethods)
+ urlParameters += "&allow_methods="+ allowMethods;
+
+ promise_test(function(test) {
+ return fetch(RESOURCES_DIR + "clean-stash.py?token=" + uuid_token).then(async function(resp) {
+ assert_equals(resp.status, 200, "Clean stash response's status is 200");
+ await promise_rejects_js(test, TypeError, fetch(url + urlParameters, requestInit));
+
+ return fetch(url + urlParameters).then(function(resp) {
+ assert_equals(resp.headers.get("x-did-preflight"), "1", "Preflight request has been made");
+ });
+ });
+ }, desc);
+}
+
+var corsUrl = get_host_info().HTTP_REMOTE_ORIGIN + dirname(location.pathname) + RESOURCES_DIR + "preflight.py";
+corsPreflightResponseValidation("Preflight response with a bad Access-Control-Allow-Headers", corsUrl, "Bad value", null);
+corsPreflightResponseValidation("Preflight response with a bad Access-Control-Allow-Methods", corsUrl, null, "Bad value");
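Review bot: Nothing in corsPreflightResponseValidation says why the fetch passed to promise_rejects_js has to fail, and that is the security-relevant part of the test. requestInit sets no method, so the request is a GET, and the allow_headers parameter still begins with x-force-preflight; a browser that skipped the malformed entry instead of failing closed would therefore let the request through, and the TypeError is what pins the strict behaviour. I would add above the promise_test call: `// The request itself would be allowed (GET, x-force-preflight listed); it must fail only because the preflight response carries an unparsable Access-Control-Allow-* value.` Separately, allowHeaders and allowMethods are concatenated into the query string raw, which works for "Bad value" but would break on a value containing `&` or `#`; `encodeURIComponent(allowHeaders)` and `encodeURIComponent(allowMethods)` would make the helper safe to reuse, assuming preflight.py decodes its query parameters as usual.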