1 files changed, 61 insertions, 0 deletions
diff --git a/testing/web-platform/tests/xhr/send-authentication-cors-setrequestheader-no-cred.htm b/testing/web-platform/tests/xhr/send-authentication-cors-setrequestheader-no-cred.htm
new file mode 100644
index 0000000000..14edf5bd77
--- /dev/null
+++ b/testing/web-platform/tests/xhr/send-authentication-cors-setrequestheader-no-cred.htm
@@ -0,0 +1,61 @@
+<!doctype html>
+<html>
+  <head>
+    <title>XMLHttpRequest: send() - "Basic" authenticated CORS request using setRequestHeader() but not setting withCredentials (expects to succeed)</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/utils.js"></script>
+    <!-- These spec references do not make much sense simply because the spec doesn't say very much about this.. -->
+    <link rel="help" href="https://xhr.spec.whatwg.org/#the-setrequestheader()-method" data-tested-assertations="following::ol[1]/li[6]" />
+    <link rel="help" href="https://xhr.spec.whatwg.org/#the-send()-method" data-tested-assertations="following::code[contains(@title,'http-authorization')]/.." />
+  </head>
+  <body>
+    <div id="log"></div>
+    <script>
+    function doTest(desc, pathsuffix, conditionsFunc, errorFunc, endFunc) {
+      var test = async_test(desc)
+      test.step(function() {
+        var client = new XMLHttpRequest(),
+            urlstart = location.host + location.pathname.replace(/\/[^\/]*$/, '/'),
+            user = token()
+        client.open("GET", location.protocol + "//www1." + urlstart + "resources/" + pathsuffix, false)
+        client.setRequestHeader("x-user", user)
+        client.setRequestHeader("x-pass", 'pass')
+        client.setRequestHeader("Authorization", "Basic " + btoa(user + ":pass"))
+        client.onerror = test.step_func(errorFunc)
+        client.onreadystatechange = test.step_func(function () {
+          if(client.readyState < 4) {return}
+          conditionsFunc(client, test, user)
+        })
+        if(endFunc) {
+          client.onloadend = test.step_func(endFunc)
+        }
+        client.send(null)
+      })
+    }
+
+    doTest("CORS request with setRequestHeader auth to URL accepting Authorization header", "auth7/corsenabled.py", function (client, test, user) {
+      assert_true(client.responseText == (user + "\npass"), "responseText should contain the right user and password")
+      assert_equals(client.status, 200)
+      assert_equals(client.getResponseHeader("x-challenge"), "DID-NOT")
+      test.done()
+    }, function(){
+      assert_unreached("Cross-domain request is permitted and should not cause an error")
+      this.done()
+    })
+
+    var errorFired = false;
+    doTest("CORS request with setRequestHeader auth to URL NOT accepting Authorization header", "auth8/corsenabled-no-authorize.py", function (client, test, user) {
+      assert_equals(client.responseText, '')
+      assert_equals(client.status, 0)
+    }, function(e){
+      errorFired = true
+      assert_equals(e.type, 'error', 'Error event fires when Authorize is a user-set header but not allowed by the CORS endpoint')
+    }, function() {
+      assert_true(errorFired, 'The error event should fire')
+      this.done()
+    })
+
+    </script>
+  </body>
+</html>