1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
<!doctype html>
<html>
<head>
<title>XMLHttpRequest: send() with document.domain set</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<!-- The spec doesn't seem to explicitly cover this case (as of June 2013) -->
<link rel="help" href="https://xhr.spec.whatwg.org/#the-open()-method" data-tested-assertations="following::ol[1]/li[2]/ol[1]/li[3]" />
</head>
<body>
<div id="log"></div>
<script>
// first make sure we actually run off a domain with at least three parts, in order to be able to shorten it..
if (location.hostname.split(/\./).length < 3) {
location.href = location.protocol+'//www2.'+location.host+location.pathname
}
test(function() {
document.domain = document.domain // this is not a noop, it does actually change the security context
var client = new XMLHttpRequest()
client.open("GET", "resources/status.py?content=hello", false)
client.send(null)
assert_equals(client.responseText, "hello")
document.domain = document.domain.replace(/^\w+\./, '')
client.open("GET", "resources/status.py?content=hello2", false)
client.send(null)
assert_equals(client.responseText, "hello2")
}, "loading documents from original origin after setting document.domain")
// try to load a document from the origin document.domain was set to
test(function () {
var client = new XMLHttpRequest()
client.open("GET", location.protocol + '//' + document.domain + location.pathname.replace(/[^\/]*$/, '') + "resources/status.py?content=hello3", false)
// AFAIK this should throw
assert_throws('NetworkError', function(){client.send(null)})
}, "loading documents from the origin document.domain was set to should throw")
</script>
</body>
</html>
|
