File: credentials-flag.htm

package info (click to toggle)
firefox 143.0.3-1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 4,617,328 kB
  • sloc: cpp: 7,478,492; javascript: 6,417,157; ansic: 3,720,058; python: 1,396,372; xml: 627,523; asm: 438,677; java: 186,156; sh: 63,477; makefile: 19,171; objc: 13,059; perl: 12,983; yacc: 4,583; cs: 3,846; pascal: 3,405; lex: 1,720; ruby: 1,003; exp: 762; php: 436; lisp: 258; awk: 247; sql: 66; sed: 53; csh: 10
file content (134 lines) | stat: -rw-r--r-- 4,376 bytes parent folder | download | duplicates (28) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
 
<!DOCTYPE html>
<title>CORS - Access-Control-Allow-Credentials</title>
<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">

<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src=support.js?pipe=sub></script>

<h1>CORS - Access-Control-Allow-Credentials</h1>
<div id=log></div>
<script>

var url = CROSSDOMAIN + 'resources/cors-cookie.py?ident='


/*
 * widthCredentials
 */
// XXX Do some https tests here as well

test(function () {
    var client = new XMLHttpRequest()
    client.open('GET', CROSSDOMAIN, false)
    client.withCredentials = true;
}, 'Setting withCredentials on a sync XHR object should not throw')

async_test(function () {
    var id = new Date().getTime() + '_1',
        client = new XMLHttpRequest()
    client.open("GET", url + id, true)
    client.onload = this.step_func(function() {
        assert_equals(client.response, "NO_COOKIE")
        client.open("GET", url + id, true)
        client.onload = this.step_func(function() {
            assert_equals(client.response, "NO_COOKIE")
            this.done()
        })
        client.send(null)
    })
    client.send(null)

}, "Don't send cookie by default");

async_test(function () {
    var id = new Date().getTime() + '_2',
        client = new XMLHttpRequest()

    client.open("GET", url + id, true)
    client.withCredentials = true
    client.onload = this.step_func(function() {
        assert_equals(client.response, "NO_COOKIE", "No cookie in initial request");

        /* We have cookie, but the browser shouldn't send */
        client.open("GET", url + id, true)
        client.withCredentials = false
        client.onload = this.step_func(function() {
            assert_equals(client.response, "NO_COOKIE", "No cookie after withCredentials=false sync request")

            /* Reads and deletes the cookie */
            client.open("GET", url + id, true)
            client.withCredentials = true
            client.onload = this.step_func(function() {
                assert_equals(client.response, "COOKIE", "Cookie sent in withCredentials=true sync request")
                this.done()
            })
            client.send(null)
        })
        client.send(null)
    })
    client.send(null)
}, "Don't send cookie part 2");

async_test(function () {
    var id = new Date().getTime() + '_3',
        client = new XMLHttpRequest()

    /* Shouldn't set the response cookie */
    client.open("GET", url + id, true)
    client.withCredentials = false
    client.onload = this.step_func(function() {
        assert_equals(client.response, "NO_COOKIE", "first");

        /* Sets the cookie */
        client.open("GET", url + id, true)
        client.withCredentials = true
        client.onload = this.step_func(function() {
            assert_equals(client.response, "NO_COOKIE", "second")

            /* Reads and deletes the cookie */
            client.open("GET", url + id, true)
            client.withCredentials = true
            client.onload = this.step_func(function() {
                assert_equals(client.response, "COOKIE", "third")
                this.done()
            })
            client.send(null)
        })
        client.send(null)
    })
    client.send(null)
}, "Don't obey Set-Cookie when withCredentials=false");

function test_response_header(allow) {
    var resp_test = async_test('Access-Control-Allow-Credentials: ' + allow + ' should be disallowed (async)')
    resp_test.step(function() {
        var client = new XMLHttpRequest()
        client.open('GET',
            CROSSDOMAIN + 'resources/cors-makeheader.py?credentials=' + allow,
            true)
        client.withCredentials = true;
        client.onload = resp_test.step_func(function() {
            assert_unreached("onload")
        })
        client.onerror = resp_test.step_func(function () {
            assert_equals(client.readyState, client.DONE, 'readyState')
            resp_test.done()
        })
        client.send()
    })
}

test_response_header('TRUE')
test_response_header('True')
test_response_header('"true"')
test_response_header("'true'");
test_response_header('false')
test_response_header('1')
test_response_header('0')
test_response_header(',true');
test_response_header('true,');
test_response_header('true%0B');
test_response_header('true%0C');

</script>