path: root/testing/web-platform/tests/cors/remote-origin.htm
<!DOCTYPE html>
<meta charset=utf-8>
<title>Access-Control-Allow-Origin handling</title>
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src=support.js?pipe=sub></script>

<h1>Access-Control-Allow-Origin handling</h1>

<div id=log></div>

<script>

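// Registry of pending tests, keyed by the raw origin template string passed to
// reverseOrigin(). A prototype-less object is used instead of an array: the
// keys are arbitrary strings, and a key taken from message data must never
// resolve to an inherited property such as "length" or "constructor".
var remote_tests = Object.create(null);

// Helper frame loaded from CROSSDOMAIN; the test cases are registered from
// iframe.onload and each one posts its request to this frame.
var iframe = document.createElement("iframe");
iframe.src = CROSSDOMAIN + 'resources/remote-xhrer.html';
document.body.appendChild(iframe);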

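/**
 * Registers one async test for a single Access-Control-Allow-Origin value.
 *
 * `origin` is a template. Each placeholder is expanded once (String.replace
 * with a string pattern only touches the first occurrence):
 *   <host> / <HOST>          REMOTE_HOST, as-is / upper-cased
 *   <origin> / <ORIGIN>      REMOTE_ORIGIN, as-is / upper-cased
 *   <protocol> / <PROTOCOL>  REMOTE_PROTOCOL, as-is / upper-cased
 *   <remote_origin>          this page's own protocol + "//" + host
 *
 * The expanded value is passed to resources/cors-makeheader.py in the
 * `origin` query parameter, and the resulting URL is posted to the helper
 * iframe. The reply is routed back by the window "message" listener, which
 * looks the test up in remote_tests under the unexpanded template.
 *
 * @param {boolean} expect_pass - true if the reply must report state "load"
 *     with a JSON body whose `origin` equals REMOTE_ORIGIN; false if it must
 *     report state "error" with an empty response.
 * @param {string} origin - header value template, also used as registry key.
 */
function reverseOrigin(expect_pass, origin)
{
    var real_origin = origin.replace("<host>", REMOTE_HOST)
                        .replace("<remote_origin>", location.protocol + "//" + location.host)
                        .replace("<origin>", REMOTE_ORIGIN)
                        .replace("<protocol>", REMOTE_PROTOCOL)
                        .replace("<HOST>", REMOTE_HOST.toUpperCase())
                        .replace("<ORIGIN>", REMOTE_ORIGIN.toUpperCase())
                        .replace("<PROTOCOL>", REMOTE_PROTOCOL.toUpperCase());

    // NUL, tab and space are made visible in the test title; the value sent
    // to the server keeps the raw characters.
    var t = async_test((expect_pass ? 'Allow origin: ' : 'Disallow origin: ') + real_origin
                            .replace(/\0/g, "\\0")
                            .replace(/\t/g, "[tab]")
                            .replace(/ /g, '_'));
    t.step(function() {
        this.test_url = dirname(location.href)
                            + 'resources/cors-makeheader.py?origin='
                            + encodeURIComponent(real_origin);
        // targetOrigin "*" delivers to whatever document currently occupies
        // the frame. The payload is only a test URL and a registry key, so
        // nothing sensitive is exposed; code that posts secrets should name
        // the expected origin instead.
        iframe.contentWindow.postMessage({ url: this.test_url, origin: origin }, "*");
    });

    if (expect_pass)
    {
        t.callback = t.step_func(function(e) {
            assert_equals(e.state, "load");
            // Declared locally: the original assigned to an undeclared `r`,
            // creating a global shared by every callback.
            var r = JSON.parse(e.response);
            assert_equals(r['origin'], REMOTE_ORIGIN, 'Request Origin: should be ' + REMOTE_ORIGIN);
            this.done();
        });
    }
    else
    {
        t.callback = t.step_func(function(e) {
            // A rejected header must leave no readable response body.
            assert_equals(e.state, "error");
            assert_equals(e.response, "");
            this.done();
        });
    }

    remote_tests[origin] = t;
}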

/**
 * Registers a test expecting the given Access-Control-Allow-Origin template
 * to be accepted.
 * @param {string} origin - header value template (see reverseOrigin).
 */
function shouldPass(origin)
{
    reverseOrigin(true, origin);
}
/**
 * Registers a test expecting the given Access-Control-Allow-Origin template
 * to be rejected.
 * @param {string} origin - header value template (see reverseOrigin).
 */
function shouldFail(origin)
{
    reverseOrigin(false, origin);
}


// The cases are registered only after the helper frame has loaded, because
// reverseOrigin() posts each request to iframe.contentWindow immediately.
// Together they pin down an exact-match rule for Access-Control-Allow-Origin:
// a matcher that compared by prefix, ignored case or parsed a list would pass
// some of the shouldFail() values and let a cross-origin response be read.
iframe.onload = function() {
    // Accepted: the wildcard or the exact requesting origin, optionally
    // surrounded by spaces and/or tabs (some literals below contain a real tab).
    shouldPass('*');
    shouldPass(' *  ');
    shouldPass('	*');
    shouldPass("<origin>");
    shouldPass(" <origin>");
    shouldPass(" <origin>   	 ");
    shouldPass("	<origin>");

    // Rejected: this page's own origin, which is not the origin making the request.
    shouldFail("<remote_origin>")
    // Rejected: missing, wrong or malformed scheme in front of the right host.
    shouldFail("//" + "<host>")
    shouldFail("://" + "<host>")
    shouldFail("ftp://" + "<host>")
    shouldFail("http:://" + "<host>")
    shouldFail("http:/" + "<host>")
    shouldFail("http:" + "<host>")
    shouldFail("<host>")
    // Rejected: the right origin followed by anything else (query, path,
    // fragment, percent-encoded '#', a ":80" suffix, a list item, a NUL).
    shouldFail("<origin>" + "?")
    shouldFail("<origin>" + "/")
    shouldFail("<origin>" + " /")
    shouldFail("<origin>" + "#")
    shouldFail("<origin>" + "%23")
    shouldFail("<origin>" + ":80")
    shouldFail("<origin>" + ", *")
    shouldFail("<origin>" + "\0")
    // Rejected: upper-cased origin, scheme or host.
    shouldFail(("<ORIGIN>"))
    shouldFail("<PROTOCOL>//<host>")
    shouldFail("<protocol>//<HOST>")
    // Rejected: values that resemble the wildcard but are not exactly "*".
    shouldFail("-")
    shouldFail("**")
    shouldFail("\0*")
    shouldFail("*\0")
    shouldFail("'*'")
    shouldFail('"*"')
    shouldFail("* *")
    shouldFail("*" + "<protocol>" + "//" + "*")
    // Rejected: the right origin with something in front of it.
    shouldFail("*" + "<origin>")
    shouldFail("* " + "<origin>")
    shouldFail("*, " + "<origin>")
    shouldFail("\0" + "<origin>")
    shouldFail("null " + "<origin>")
    // Rejected: an unrelated origin, the literal "null", an empty value,
    // and full URLs rather than origins.
    shouldFail('http://example.net')
    shouldFail('null')
    shouldFail('')
    shouldFail(location.href)
    shouldFail(dirname(location.href))
    shouldFail(CROSSDOMAIN)
}

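// Routes each reply to the test registered under the echoed origin template.
window.addEventListener("message", function(e) {
    // Any window holding a reference to this page can post to it, so accept
    // results only from the helper frame. NOTE(review): assumes the helper
    // replies from its own window; confirm against remote-xhrer.html.
    if (e.source !== iframe.contentWindow || !e.data)
        return;

    // e.data.origin is sender-controlled. Look it up and check the result
    // before calling, rather than invoking whatever the key resolves to.
    var t = remote_tests[e.data.origin];
    if (t && typeof t.callback === "function")
        t.callback(e.data);
});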

// Once the harness reports completion, detach the helper frame from the page.
add_completion_callback(function() {
    var frame_parent = iframe.parentElement;
    frame_parent.removeChild(iframe);
});
</script>