Changeset 62779 in webkit

Timestamp:

Jul 8, 2010 5:00:31 AM (14 years ago)

Author:

jschuh@chromium.org

Message:

2010-07-08 Justin Schuh <​jschuh@chromium.org>

Reviewed by Alexey Proskuryakov.

XHR access control failure tests for header, method, and not-supported
​https://bugs.webkit.org/show_bug.cgi?id=41724

• http/tests/xmlhttprequest/access-control-preflight-async-header-denied-expected.txt:
• http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html:
• http/tests/xmlhttprequest/access-control-preflight-async-method-denied-expected.txt:
• http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html:
• http/tests/xmlhttprequest/access-control-preflight-async-not-supported-expected.txt: Added.
• http/tests/xmlhttprequest/access-control-preflight-async-not-supported.html: Added.
• http/tests/xmlhttprequest/access-control-preflight-sync-header-denied-expected.txt:
• http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html:
• http/tests/xmlhttprequest/access-control-preflight-sync-method-denied-expected.txt:
• http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html:
• http/tests/xmlhttprequest/access-control-preflight-sync-not-supported-expected.txt: Added.
• http/tests/xmlhttprequest/access-control-preflight-sync-not-supported.html: Added.
• http/tests/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php:

Location:

trunk/LayoutTests

Files:

• ChangeLog (modified) (1 diff)
• http/tests/xmlhttprequest/access-control-preflight-async-header-denied-expected.txt (modified) (1 diff)
• http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html (modified) (6 diffs)
• http/tests/xmlhttprequest/access-control-preflight-async-method-denied-expected.txt (modified) (1 diff)
• http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html (modified) (6 diffs)
• http/tests/xmlhttprequest/access-control-preflight-async-not-supported-expected.txt (copied) (copied from trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-header-denied-expected.txt)
• http/tests/xmlhttprequest/access-control-preflight-async-not-supported.html (copied) (copied from trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html) (6 diffs)
• http/tests/xmlhttprequest/access-control-preflight-sync-header-denied-expected.txt (modified) (1 diff)
• http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html (modified) (5 diffs)
• http/tests/xmlhttprequest/access-control-preflight-sync-method-denied-expected.txt (modified) (1 diff)
• http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html (modified) (5 diffs)
• http/tests/xmlhttprequest/access-control-preflight-sync-not-supported-expected.txt (copied) (copied from trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-header-denied-expected.txt)
• http/tests/xmlhttprequest/access-control-preflight-sync-not-supported.html (copied) (copied from trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html) (5 diffs)
• http/tests/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-07-08  Justin Schuh  <jschuh@chromium.org>
+
+        Reviewed by Alexey Proskuryakov.
+
+        XHR access control failure tests for header, method, and not-supported
+        https://bugs.webkit.org/show_bug.cgi?id=41724
+
+        * http/tests/xmlhttprequest/access-control-preflight-async-header-denied-expected.txt:
+        * http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html:
+        * http/tests/xmlhttprequest/access-control-preflight-async-method-denied-expected.txt:
+        * http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html:
+        * http/tests/xmlhttprequest/access-control-preflight-async-not-supported-expected.txt: Added.
+        * http/tests/xmlhttprequest/access-control-preflight-async-not-supported.html: Added.
+        * http/tests/xmlhttprequest/access-control-preflight-sync-header-denied-expected.txt:
+        * http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html:
+        * http/tests/xmlhttprequest/access-control-preflight-sync-method-denied-expected.txt:
+        * http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html:
+        * http/tests/xmlhttprequest/access-control-preflight-sync-not-supported-expected.txt: Added.
+        * http/tests/xmlhttprequest/access-control-preflight-sync-not-supported.html: Added.
+        * http/tests/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php:
+
 2010-07-08  Xiaomei Ji  <xji@chromium.org>
 

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-header-denied-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin response header.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=header. Request header field X-NON-STANDARD is not allowed by Access-Control-Allow-Headers response header field.
 PASS: Request successfully blocked.
 

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html

@@ -8 +8 @@
 }
 
-if (window.layoutTestController) {
+if (window.layoutTestController)
     layoutTestController.dumpAsText();
-}
 
 (function() {
@@ -17 +16 @@
     try {
         xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
-        xhr.send("");
+        xhr.send(null);
     } catch(e) {
         log("FAIL: Unable to reset server state: [" + e.message + "].");
@@ -26 +25 @@
 
     try {
-        xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php", false);
+        xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=header", true);
         xhr.setRequestHeader("X-NON-STANDARD", "filler");
     } catch(e) {
@@ -33 +32 @@
     }
 
-    xhr.onreadystatechange = function() {
+    xhr.onerror = function() {
         xhr = new XMLHttpRequest();
 
@@ -39 +38 @@
             xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=complete", false);
             try {
-                xhr.send("");
+                xhr.send(null);
             } catch(e) {
                 log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");
@@ -49 +48 @@
         log(xhr.responseText);
     }
+    
+    xhr.onreadystatechange = function() {
+        if (xhr.readyState == 4 && xhr.status == 200)
+            log("FAIL: Cross-domain access allowed in first send without throwing an exception");
+    }
 
-    try {
-        xhr.send("");
-        log("FAIL: Cross-domain access allowed in first send without throwing an exception");
-        return;
-    } catch(e) {
-        // Eat the exception.
-    }
-   
+    xhr.send(null);
 })();
 </script>

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-method-denied-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin response header.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=method. Method DELETE is not allowed by Access-Control-Allow-Methods response header field.
 PASS: Request successfully blocked.
 

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html

@@ -8 +8 @@
 }
 
-if (window.layoutTestController) {
+if (window.layoutTestController)
     layoutTestController.dumpAsText();
-}
 
 (function() {
@@ -17 +16 @@
     try {
         xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
-        xhr.send("");
+        xhr.send(null);
     } catch(e) {
         log("FAIL: Unable to reset server state: [" + e.message + "].");
@@ -26 +25 @@
 
     try {
-        xhr.open("DELETE", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php", false);
+        xhr.open("DELETE", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=method", true);
     } catch(e) {
         log("FAIL: Exception thrown. Cross-domain access is not allowed in first 'open'. [" + e.message + "].");
@@ -32 +31 @@
     }
 
-    xhr.onreadystatechange = function() {
+    xhr.onerror = function() {
         xhr = new XMLHttpRequest();
 
@@ -38 +37 @@
             xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=complete", false);
             try {
-                xhr.send("");
+                xhr.send(null);
             } catch(e) {
                 log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");
@@ -49 +48 @@
     }
 
-    try {
-        xhr.send("");
-        log("FAIL: Cross-domain access allowed in first send without throwing an exception");
-        return;
-    } catch(e) {
-        // Eat the exception.
+    xhr.onreadystatechange = function() {
+        if (xhr.readyState == 4 && xhr.status == 200)
+            log("FAIL: Cross-domain access allowed in first send without throwing an exception");
     }
-   
+
+    xhr.send(null);
 })();
 </script>

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-not-supported.html

@@ -8 +8 @@
 }
 
-if (window.layoutTestController) {
+if (window.layoutTestController)
     layoutTestController.dumpAsText();
-}
 
 (function() {
@@ -17 +16 @@
     try {
         xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
-        xhr.send("");
+        xhr.send(null);
     } catch(e) {
         log("FAIL: Unable to reset server state: [" + e.message + "].");
@@ -26 +25 @@
 
     try {
-        xhr.open("DELETE", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php", false);
+        xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php", true);
     } catch(e) {
         log("FAIL: Exception thrown. Cross-domain access is not allowed in first 'open'. [" + e.message + "].");
@@ -32 +31 @@
     }
 
-    xhr.onreadystatechange = function() {
+    xhr.onerror = function() {
         xhr = new XMLHttpRequest();
 
@@ -38 +37 @@
             xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=complete", false);
             try {
-                xhr.send("");
+                xhr.send(null);
             } catch(e) {
                 log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");
@@ -49 +48 @@
     }
 
-    try {
-        xhr.send("");
-        log("FAIL: Cross-domain access allowed in first send without throwing an exception");
-        return;
-    } catch(e) {
-        // Eat the exception.
+    xhr.onreadystatechange = function() {
+        if (xhr.readyState == 4 && xhr.status == 200)
+            log("FAIL: Cross-domain access allowed in first send without throwing an exception");
     }
-   
+
+    xhr.send("");
 })();
 </script>

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-header-denied-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin response header.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=header. Request header field X-NON-STANDARD is not allowed by Access-Control-Allow-Headers response header field.
 PASS: Request successfully blocked.
 

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html

@@ -8 +8 @@
 }
 
-if (window.layoutTestController) {
+if (window.layoutTestController)
     layoutTestController.dumpAsText();
-}
 
 (function() {
@@ -17 +16 @@
     try {
         xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
-        xhr.send("");
+        xhr.send(null);
     } catch(e) {
         log("FAIL: Unable to reset server state: [" + e.message + "].");
@@ -26 +25 @@
 
     try {
-        xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php", false);
+        xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=header", false);
         xhr.setRequestHeader("X-NON-STANDARD", "filler");
     } catch(e) {
@@ -34 +33 @@
 
     try {
-        xhr.send("");
+        xhr.send(null);
         log("FAIL: Cross-domain access allowed in first send without throwing an exception");
         return;
@@ -51 +50 @@
 
     try {
-        xhr.send("");
+        xhr.send(null);
     } catch(e) {
         log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-method-denied-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin response header.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=method. Method DELETE is not allowed by Access-Control-Allow-Methods response header field.
 PASS: Request successfully blocked.
 

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html

@@ -8 +8 @@
 }
 
-if (window.layoutTestController) {
+if (window.layoutTestController)
     layoutTestController.dumpAsText();
-}
 
 (function() {
@@ -17 +16 @@
     try {
         xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
-        xhr.send("");
+        xhr.send(null);
     } catch(e) {
         log("FAIL: Unable to reset server state: [" + e.message + "].");
@@ -26 +25 @@
 
     try {
-        xhr.open("DELETE", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php", false);
+        xhr.open("DELETE", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=method", false);
     } catch(e) {
         log("FAIL: Exception thrown. Cross-domain access is not allowed in first 'open'. [" + e.message + "].");
@@ -33 +32 @@
 
     try {
-        xhr.send("");
+        xhr.send(null);
         log("FAIL: Cross-domain access allowed in first send without throwing an exception");
         return;
@@ -50 +49 @@
 
     try {
-        xhr.send("");
+        xhr.send(null);
     } catch(e) {
         log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-not-supported.html

@@ -8 +8 @@
 }
 
-if (window.layoutTestController) {
+if (window.layoutTestController)
     layoutTestController.dumpAsText();
-}
 
 (function() {
@@ -17 +16 @@
     try {
         xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
-        xhr.send("");
+        xhr.send(null);
     } catch(e) {
         log("FAIL: Unable to reset server state: [" + e.message + "].");
@@ -26 +25 @@
 
     try {
-        xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php", false);
-        xhr.setRequestHeader("X-NON-STANDARD", "filler");
+        xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php", false);
     } catch(e) {
         log("FAIL: Exception thrown. Cross-domain access is not allowed in first 'open'. [" + e.message + "].");
@@ -34 +32 @@
 
     try {
-        xhr.send("");
+        xhr.send(null);
         log("FAIL: Cross-domain access allowed in first send without throwing an exception");
         return;
@@ -51 +49 @@
 
     try {
-        xhr.send("");
+        xhr.send(null);
     } catch(e) {
         log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");

trunk/LayoutTests/http/tests/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php

@@ -9 +9 @@
     header("Access-Control-Allow-Credentials: true");
     header("Access-Control-Allow-Methods: GET");
-    header("Access-Control-Max-Age: 0");
+    header("Access-Control-Max-Age: 1");
     echo "FAILED: Issued a " . $_SERVER['REQUEST_METHOD'] . " request during state '" . $state . "'\n";
     exit();
@@ -33 +33 @@
     if (file_exists($tmpFile)) unlink($tmpFile);
     header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
-    header("Access-Control-Max-Age: 0");
+    header("Access-Control-Max-Age: 1");
     echo "Server state reset.\n";
 } else if ($state == "Uninitialized") {
     if ($_SERVER['REQUEST_METHOD'] == "OPTIONS") {
-        echo("Request Denied\n");
+        if ($_GET['state'] == "method" || $_GET['state'] == "header") {
+            header("Access-Control-Allow-Methods: GET");
+            header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+            header("Access-Control-Max-Age: 1");
+        }
+        echo("FAIL: This request should not be displayed.\n");
         setState("Denied", $tmpFile);
     } else {
@@ -47 +52 @@
         unlink($tmpFile);
         header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
-        header("Access-Control-Max-Age: 0");
+        header("Access-Control-Max-Age: 1");
         echo "PASS: Request successfully blocked.\n";
     } else {