Working in my own submission directory to test null byte issues in headers, and updated VM instructions.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/bhill2/origin-null.htm Thu May 02 14:32:56 2013 -0700
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Access-Control-Allow-Origin handling</title>
+<meta name=help href=http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-sharing-check>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Access-Control-Allow-Origin handling</h1>
+
+<div id=log></div>
+
+<script>
+
+/*
+ * Origin header
+ */
+function shouldFail(origin) {
+ test(function () {
+ var client = new XMLHttpRequest()
+ client.open('GET', CROSSDOMAIN
+ + '../opera/staging/resources/cors-makeheader.php?origin='
+ + encodeURIComponent(origin),
+ false)
+ assert_throws(null, function() { client.send() }, 'send')
+ }, 'Disallow origin: ' + origin.replace(/\0/g, "\\0"));
+}
+
+shouldFail(location.protocol + "//" + location.host + "\0")
+</script>
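Review bot: `shouldFail` requests `'../opera/staging/resources/cors-makeheader.php'`, while this commit adds its own copy of the helper under `bhill2/resources/`, so the new PHP file is not what this test exercises; if the self-contained copy is intended, the path would be `CROSSDOMAIN + 'resources/cors-makeheader.php?origin='`. Because `assert_throws(null, ...)` accepts any exception, the test also passes when the helper is missing or when the server never emits the header, and whether a NUL byte survives the server's header handling is not visible here. A control case that sends the same origin without the trailing `\0` and asserts that `client.send()` succeeds would show that the failure is caused by the NUL byte and not by the setup.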
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/bhill2/resources/cors-makeheader.php Thu May 02 14:32:56 2013 -0700
@@ -0,0 +1,52 @@
+<?php
+
+$origin = isset($_GET['origin']) ? $_GET['origin'] : $_SERVER['HTTP_ORIGIN'];
+
+if ($origin != 'none')
+ header("Access-Control-Allow-Origin: $origin");
+if (isset($_GET['origin2']))
+ header("Access-Control-Allow-Origin: {$_GET['origin2']}", false);
+
+/* Preflight */
+if (isset($_GET['headers']))
+ header("Access-Control-Allow-Headers: {$_GET['headers']}");
+if (isset($_GET['credentials']))
+ header("Access-Control-Allow-Credentials: {$_GET['credentials']}");
+if (isset($_GET['methods']))
+ header("Access-Control-Allow-Methods: {$_GET['methods']}");
+
+$code = isset($_GET['code']) ? intval($_GET['code']) : null;
+if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS' and isset($_GET['preflight']))
+ $code = intval($_GET['preflight']);
+
+if (isset($_GET['location']))
+{
+ if ($code === null)
+ $code = 302;
+
+ if ($code < 400 and $code > 299)
+ {
+ header("Location: {$_GET['location']}", true, $code);
+ die("Redirecting");
+ }
+}
+
+foreach ($_SERVER as $name => $value)
+{
+ if (substr($name, 0, 5) == 'HTTP_')
+ {
+ $name = strtolower(str_replace('_', '-', substr($name, 5)));
+ $headers[$name] = $value;
+ } else if ($name == "CONTENT_TYPE") {
+ $headers["content-type"] = $value;
+ } else if ($name == "CONTENT_LENGTH") {
+ $headers["content-length"] = $value;
+ }
+}
+
+$headers['get_value'] = isset($_GET['get_value']) ? $_GET['get_value'] : '';
+
+if ($code)
+ header("HTTP/1.1 {$code} StatusText");
+
+echo json_encode( $headers );
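Review bot: The loop at the end copies every `HTTP_*` request header, which includes `Cookie` and `Authorization`, into the JSON body, while `origin` and `credentials` from the query string set `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials`, so any page can make this endpoint readable cross-origin together with whatever credentials the browser attaches for the host. That is what a CORS test helper needs, but the file should say so at the top, for example `/* Test-only helper: reflects query parameters into response headers and echoes request headers. Deploy only on a dedicated test host that holds no real cookies or credentials. */`. Separately, `$_SERVER['HTTP_ORIGIN']` is read without `isset()` when neither the `origin` parameter nor an Origin header is present, and `$headers` is never initialised; `$headers = array();` before the `foreach` and an `isset()` guard on the fallback avoid notices that, depending on the PHP configuration, can reach the output before the headers do.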
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/bhill2/support.js Thu May 02 14:32:56 2013 -0700
@@ -0,0 +1,29 @@
+// For ignoring exception names (just for testing)
+/*
+_real_assert_throws = assert_throws;
+function assert_throws(d, func, desc) {
+ try {
+ func();
+ } catch(e) {
+ return true;
+ }
+ assert_unreached("Didn't throw!");
+}
+*/
+
+function dirname(path) {
+ return path.replace(/\/[^\/]*$/, '/')
+}
+
+/* This subdomain should point to this same location */
+var SUBDOMAIN = 'www1'
+var SUBDOMAIN2 = 'www2'
+var PORT = "81"
+var PORTS = "83" // w3c actually has no "alternate" https port
+
+/* Changes http://example.com/abc/def/cool.htm to http://www1.example.com/abc/def/ */
+var CROSSDOMAIN = dirname(location.href)
+ .replace('://', '://' + SUBDOMAIN + '.')
+var REMOTE_HOST = SUBDOMAIN + "." + location.host
+var REMOTE_PROTOCOL = location.protocol
+var REMOTE_ORIGIN = REMOTE_PROTOCOL + "//" + REMOTE_HOST
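Review bot: `CROSSDOMAIN` is built from `dirname(location.href)`, and `location.href` includes the query string and fragment, so a test page opened with a `/` in its query or hash gets a base URL cut at the wrong slash. Stripping those first keeps the result a directory URL: `var CROSSDOMAIN = dirname(location.href.replace(/[?#].*$/, ''))`, followed by the existing `.replace('://', '://' + SUBDOMAIN + '.')`. The commented-out `assert_throws` override at the top of the file is dead code that would make every throw assertion accept any exception if re-enabled, and is better deleted than committed.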