Opera CORS: Add some extra allow-origin checks
authorOdin Hørthe Omdal <odinho@opera.com>
Fri, 08 Jun 2012 15:59:14 +0200
changeset 68 82bd29f4aafe
parent 67 4dbb372543f8
child 69 4b57a1048bb6
Opera CORS: Add some extra allow-origin checks
tests/cors/submitted/opera/staging/origin.htm
tests/cors/submitted/opera/staging/resources/cors-makeheader.php
--- a/tests/cors/submitted/opera/staging/origin.htm	Fri Jun 08 09:28:29 2012 +0200
+++ b/tests/cors/submitted/opera/staging/origin.htm	Fri Jun 08 15:59:14 2012 +0200
@@ -73,6 +73,7 @@
 shouldFail("'*'")
 shouldFail('"*"')
 shouldFail("* *")
+shouldFail("* null")
 shouldFail("*" + location.protocol + "//" + "*")
 shouldFail("*" + location.protocol + "//" + location.host)
 shouldFail("* " + location.protocol + "//" + location.host)
@@ -81,11 +82,34 @@
 shouldFail("null " + location.protocol + "//" + location.host)
 shouldFail('http://example.net')
 shouldFail('null')
+shouldFail('null *')
 shouldFail('')
 shouldFail(location.href)
 shouldFail(dirname(location.href))
 shouldFail(CROSSDOMAIN)
 shouldFail(location.host.replace(/^[^\.]+\./, ""))
 shouldFail("." + location.host.replace(/^[^\.]+\./, ""))
+shouldFail("*." + location.host.replace(/^[^\.]+\./, ""))
+shouldFail("http://" + location.host.replace(/^[^\.]+\./, ""))
+shouldFail("http://." + location.host.replace(/^[^\.]+\./, ""))
+shouldFail("http://*." + location.host.replace(/^[^\.]+\./, ""))
+
+function doubleOrigin(origin, origin2) {
+    test(function () {
+        var client = new XMLHttpRequest()
+        client.open('GET', CROSSDOMAIN
+                            + '/resources/cors-makeheader.php?origin='
+                            + encodeURIComponent(origin)
+                            + 'origin2=' + encodeURIComponent(origin2),
+                    false)
+        assert_throws(null, function() { client.send() }, 'send')
+    }, 'Disallow multiple headers (' + origin + ', ' + origin2 + ')');
+}
+
+doubleOrigin('', '*');
+doubleOrigin('*', '*');
+doubleOrigin('', location.protocol + "//" + location.host);
+doubleOrigin('*', location.protocol + "//" + location.host);
+doubleOrigin(location.protocol + "//" + location.host, location.protocol + "//" + location.host);
 
 </script>
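Review bot: The URL built in `doubleOrigin` has no `&` between the two parameters, so `origin2=...` is appended to the value of `origin` and the request carries no separate `origin2` parameter. With the PHP change in this commit, `isset($_GET['origin2'])` would then be false and the server would send at most one Access-Control-Allow-Origin header, presumably with a malformed value, since how `$origin` is derived is not visible here. The five new tests can still pass because that value never matches the page's origin, but they would not be exercising duplicate headers. The line should read `+ '&origin2=' + encodeURIComponent(origin2),`. After that fix, the last case (the same valid origin sent twice) is the only one that isolates the duplicate-header check, so confirm it still fails.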
--- a/tests/cors/submitted/opera/staging/resources/cors-makeheader.php	Fri Jun 08 09:28:29 2012 +0200
+++ b/tests/cors/submitted/opera/staging/resources/cors-makeheader.php	Fri Jun 08 15:59:14 2012 +0200
@@ -4,6 +4,8 @@
 
 if ($origin != 'none')
     header("Access-Control-Allow-Origin: $origin");
+if (isset($_GET['origin2']))
+    header("Access-Control-Allow-Origin: {$_GET['origin2']}", false);
 
 /* Preflight */
 if (isset($_GET['headers']))
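Review bot: The added `header()` call copies the `origin2` query value into the response unmodified and relies on the `false` argument to append rather than replace, and neither point is explained. A comment above `if (isset($_GET['origin2']))` would make the intent clear, for example `/* replace=false: deliberately emit a second Access-Control-Allow-Origin header for the duplicate-header tests */`. Because the script reflects any caller-chosen value into a CORS response header, it should be reachable only on the test hosts; this is a deployment assumption, since the rest of the file is outside the hunk. When `origin` is `none`, the first header is skipped and only this one is sent, so that combination does not produce a duplicate.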