1 files changed, 92 insertions, 0 deletions

diff --git a/testing/web-platform/tests/xhr/send-redirect-to-cors.htm b/testing/web-platform/tests/xhr/send-redirect-to-cors.htm
new file mode 100644
index 0000000000..54d7eb550d
--- /dev/null
+++ b/testing/web-platform/tests/xhr/send-redirect-to-cors.htm
@@ -0,0 +1,92 @@
+<!doctype html>
+<html>
+  <head>
+    <title>XMLHttpRequest: send() - Redirect to CORS-enabled resource</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+  </head>
+  <body>
+    <div id="log"></div>
+    <script>
+      function extractBody(body) {
+        if (body === null) {
+          return { body: "", type: "NO" };
+        }
+        if (typeof body === "string") {
+          return { body: body, type: "text/plain;charset=UTF-8" };
+        }
+        if (body instanceof Uint8Array) {
+          const arr = Array.prototype.slice.call(body);
+          return { body: String.fromCharCode.apply(null, arr), type: "NO" }
+        }
+        return { body: "EXTRACT NOT IMPLEMENTED", type: "EXTRACT NOT IMPLEMENTED" }
+      }
+
+      function redirect(code, name = code, method = "GET", body = null, explicitType = null, safelistContentType = false) {
+        async_test(t => {
+          let { body: expectedBody, type: expectedType } = extractBody(body);
+          if (explicitType !== null) {
+            expectedType = explicitType;
+          }
+          let expectedMethod = method;
+          if (((code === "301" || code === "302") && method === "POST") || (code === "303" && method !== "GET" && method !== "HEAD")) {
+            expectedMethod = "GET";
+            expectedBody = "";
+            expectedType = "NO";
+          }
+          const client = new XMLHttpRequest();
+          client.onreadystatechange = t.step_func(() => {
+            if (client.readyState === 4) {
+              if ((expectedMethod === "GET" && expectedType === "NO") || explicitType !== "application/x-pony" || safelistContentType) {
+                assert_equals(client.status, 200);
+                assert_equals(client.getResponseHeader("x-request-method"), expectedMethod);
+                assert_equals(client.getResponseHeader("x-request-content-type"), expectedType);
+                assert_equals(client.getResponseHeader("x-request-data"), expectedBody);
+              } else {
+                // "application/x-pony" is not safelisted by corsenabled.py -> network error
+                assert_equals(client.status, 0);
+                assert_equals(client.statusText, "");
+                assert_equals(client.responseText, "");
+                assert_equals(client.responseXML, null);
+              }
+              t.done();
+            }
+          });
+          let safelist = "";
+          if (safelistContentType) {
+            safelist = "?safelist_content_type";
+          }
+          client.open(method, "resources/redirect.py?location="+encodeURIComponent("http://www2."+location.host+(location.pathname.replace(/[^\/]+$/, ''))+'resources/corsenabled.py')+safelist+"&code=" + code);
+          if (explicitType !== null) {
+            client.setRequestHeader("Content-Type", explicitType);
+          }
+          client.send(body);
+        }, document.title + " (" + name + ")");
+      }
+      // corsenabled.py safelists methods GET, POST, PUT, and FOO
+      redirect("301")
+      redirect("301", "301 GET with explicit Content-Type", "GET", null, "application/x-pony")
+      redirect("301", "301 GET with explicit Content-Type safelisted", "GET", null, "application/x-pony", true)
+      redirect("303", "303 GET with explicit Content-Type safelisted", "GET", null, "application/x-pony", true)
+      redirect("302")
+      redirect("303")
+      redirect("302", "302 FOO with string and explicit Content-Type safelisted", "FOO", "test", "application/x-pony", true)
+      redirect("303", "303 FOO with string and explicit Content-Type safelisted", "FOO", "test", "application/x-pony", true)
+      redirect("307")
+      redirect("307", "307 post with null", "POST", null)
+      redirect("307", "307 post with string", "POST", "hello")
+      redirect("307", "307 post with typed array", "POST", new Uint8Array([65, 66, 67]))
+      redirect("301", "301 POST with string and explicit Content-Type", "POST", "yoyo", "application/x-pony")
+      redirect("301", "301 POST with string and explicit Content-Type safelisted", "POST", "yoyo", "application/x-pony", true)
+      redirect("302", "302 POST with string and explicit Content-Type", "POST", "yoyo", "application/x-pony")
+      redirect("307", "307 POST with string and explicit Content-Type", "POST", "yoyo", "application/x-pony")
+      redirect("307", "307 FOO with string and explicit Content-Type", "FOO", "yoyo", "application/x-pony")
+      redirect("308", "308 POST with string and explicit Content-Type", "POST", "yoyo", "application/x-pony")
+      redirect("308", "308 FOO with string and explicit Content-Type", "FOO", "yoyo", "application/x-pony")
+      redirect("308", "308 FOO with string and explicit Content-Type text/plain", "FOO", "yoyo", "text/plain")
+      redirect("308", "308 FOO with string and explicit Content-Type multipart/form-data", "FOO", "yoyo", "multipart/form-data")
+      redirect("308", "308 FOO with string and explicit Content-Type safelisted", "FOO", "yoyo", "application/thunderstorm", true)
+      redirect("307", "307 POST with string and explicit Content-Type safelisted", "POST", "yoyo", "application/thunderstorm", true)
+    </script>
+  </body>
+</html>