--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-and-redirects.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,63 @@
+<p>Tests that redirects between origins are never allowed, even when access control is involved.</p>
+<p>Per the spec, these test cases should be allowed, but cross-origin redirects are currently unsupported in WebCore.</p>
+
+<pre id="console"></pre>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + '\n'));
+}
+
+function runTest(url, expectSyncSuccess, expectAsyncSuccess)
+{
+ log("Testing " + url + " (sync)");
+ log("Expecting success: " + expectSyncSuccess);
+
+ var req = new XMLHttpRequest();
+ req.open("GET", url, false);
+
+ try {
+ req.send(null);
+ log((expectSyncSuccess ? "PASS" : "FAIL") + ": " + req.responseText);
+ } catch (ex) {
+ log((expectSyncSuccess ? "FAIL" : "PASS") + ": " + ex);
+ }
+
+ log("Testing " + url + "(async)");
+ log("Expecting success: " + expectAsyncSuccess);
+
+ req = new XMLHttpRequest();
+ req.open("GET", url, true);
+ req.onload = function() {
+ log((expectAsyncSuccess ? "PASS" : "FAIL") + ": " + req.responseText);
+ nextTest();
+ }
+ req.onerror = function() {
+ log((expectAsyncSuccess ? "FAIL" : "PASS") + ": " + req.status);
+ nextTest();
+ }
+ req.send(null);
+}
+
+var tests = [
+ ["/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", false, false],
+ ["http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", false, false],
+ ["http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", false, false]
+]
+
+var currentTest = 0;
+
+function nextTest() {
+ if (currentTest < tests.length)
+ runTest.apply(null, tests[currentTest++]);
+ else if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+nextTest();
+</script>
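Review bot: Every entry in `tests` expects failure, and both paths of `runTest` score any exception or `onerror` as PASS, so an unreachable server or a missing `redirect.php` is hard to tell apart from a redirect that was refused for cross-origin reasons. A control entry that fetches the redirect target directly, `["http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", true, true]`, would show that the target is reachable and that only the redirect is blocked. The async banner `"Testing " + url + "(async)"` also lacks the space that the sync banner has before the parenthesis.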
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-allow-access-control-origin-header-data-url.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,48 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+window.addEventListener("message", function(evt) {
+ if (evt.data == "done") {
+ layoutTestController.notifyDone();
+ return;
+ }
+
+ log(evt.data);
+}, false);
+</script>
+<iframe src='data:text/html,
+<script>
+(function() {
+ var xhr = new XMLHttpRequest;
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-access-control-origin-header.cgi", false);
+ } catch(e) {
+ parent.postMessage("FAIL: Exception thrown. Cross-domain access is not allowed in open. [" + e.message + "].", "*");
+ return;
+ }
+
+ try {
+ xhr.send();
+ } catch(e) {
+ parent.postMessage("FAIL: Exception thrown. Cross-domain access is not allowed in send. [" + e.message + "].", "*");
+ return;
+ }
+
+ parent.postMessage(xhr.responseText, "*");
+})();
+parent.postMessage("done", "*");
+</script>'>
+</body>
+</html>
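Review bot: The `message` listener calls `layoutTestController.notifyDone()` without the `window.layoutTestController` guard used at the top of the file, so opening the test in a plain browser throws a ReferenceError on the "done" message. The guarded form is `if (window.layoutTestController) layoutTestController.notifyDone();`. The listener also logs `evt.data` from any sender; because the data: frame has to post with a `"*"` target, comparing `evt.source` with the iframe's `contentWindow` before logging would keep unrelated messages out of the expected output.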
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-allow-access-control-origin-header.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,34 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+(function() {
+ var xhr = new XMLHttpRequest;
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-access-control-origin-header.cgi", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in 'open'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.send();
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in 'send'. [" + e.message + "].");
+ return;
+ }
+
+ log(xhr.responseText);
+})();
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-allow-async.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,40 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function processStateChange()
+{
+ if (xhr.readyState == xhr.DONE) {
+ log(xhr.responseText);
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+}
+
+function errorHandler()
+{
+ log("FAIL: Network error.");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+var xhr = new XMLHttpRequest;
+xhr.onreadystatechange = processStateChange;
+xhr.onerror = errorHandler;
+
+xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", true);
+xhr.send();
+
+</script>
+</body>
+</html>
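Review bot: `processStateChange` logs `xhr.responseText` and calls `notifyDone()` as soon as `readyState` is DONE without looking at `xhr.status`, so a blocked request would presumably print an empty line and finish the test before `errorHandler` reports "FAIL: Network error.". Gating the success path with `if (xhr.readyState == xhr.DONE && xhr.status != 0)` leaves failure reporting to `errorHandler` alone. The same handler shape is in access-control-basic-non-simple-allow-async.html.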
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-allow-preflight-cache-invalidation-by-header.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,74 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function errorHandler(event)
+{
+ log("FAIL: Network error. ");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+var filename = "filename=preflightCacheInvalidationByHeader.txt";
+
+var xhr = new XMLHttpRequest;
+xhr.onerror = errorHandler;
+
+start = function()
+{
+ // Temp file removed. We can start the test now.
+ if (xhr.readyState == xhr.DONE) {
+ firstRequest();
+ }
+}
+
+xhr.open("GET", "/resources/reset-temp-file.php?" + filename, true);
+xhr.onreadystatechange = start;
+xhr.send();
+
+function firstRequest()
+{
+ xhr.onreadystatechange = function()
+ {
+ if (xhr.readyState == xhr.DONE) {
+ log(xhr.responseText);
+ log("PASS: First request complete");
+ secondRequest();
+ }
+ }
+
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-preflight-cache-invalidation.php?" + filename, true);
+ xhr.send();
+}
+
+function secondRequest()
+{
+ xhr.onreadystatechange = function()
+ {
+ if (xhr.readyState == xhr.DONE) {
+ log(xhr.responseText);
+ log("PASS: Second request complete");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ }
+
+ // Send a header not included in the inital cache.
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-preflight-cache-invalidation.php?" + filename, true);
+ xhr.setRequestHeader("x-webkit-test", "headerValue");
+ xhr.send();
+}
+
+</script>
+</body>
+</html>
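Review bot: Both `onreadystatechange` handlers in `firstRequest` and `secondRequest` log "PASS: ... request complete" whenever `readyState` reaches DONE, with no check of `xhr.status`, so a request rejected by the preflight would presumably still print PASS before `errorHandler` prints FAIL. Gating the PASS line on a non-zero status, e.g. `if (xhr.readyState == xhr.DONE && xhr.status != 0)`, keeps the output unambiguous. `start = function()` is assigned without `var` and becomes an implicit global, and the comment in `secondRequest` misspells "initial" as "inital". The same handler pattern and implicit `start` are in the by-method, cache-timeout and preflight-cache tests added alongside this one.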
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-allow-preflight-cache-invalidation-by-method.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,73 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function errorHandler(event)
+{
+ log("FAIL: Network error. ");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+var filename = "filename=preflightCacheInvalidationByMethod.txt";
+
+var xhr = new XMLHttpRequest;
+xhr.onerror = errorHandler;
+
+start = function()
+{
+ // Temp file removed. We can start the test now.
+ if (xhr.readyState == xhr.DONE) {
+ firstRequest();
+ }
+}
+
+xhr.open("GET", "/resources/reset-temp-file.php?" + filename, true);
+xhr.onreadystatechange = start;
+xhr.send();
+
+function firstRequest()
+{
+ xhr.onreadystatechange = function()
+ {
+ if (xhr.readyState == xhr.DONE) {
+ log(xhr.responseText);
+ log("PASS: First request complete");
+ secondRequest();
+ }
+ }
+
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-preflight-cache-invalidation.php?" + filename, true);
+ xhr.send();
+}
+
+function secondRequest()
+{
+ xhr.onreadystatechange = function()
+ {
+ if (xhr.readyState == xhr.DONE) {
+ log(xhr.responseText);
+ log("PASS: Second request complete");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ }
+
+ // Send a method not included in the initial cache.
+ xhr.open("XMETHOD", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-preflight-cache-invalidation.php?" + filename, true);
+ xhr.send();
+}
+
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-allow-preflight-cache-timeout.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,72 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function errorHandler(event)
+{
+ log("FAIL: Network error. ");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+var filename = "filename=preflightCacheTimeout.txt";
+
+var xhr = new XMLHttpRequest;
+xhr.onerror = errorHandler;
+
+start = function()
+{
+ // Temp file removed. We can start the test now.
+ if (xhr.readyState == xhr.DONE) {
+ firstRequest();
+ }
+}
+
+xhr.open("GET", "/resources/reset-temp-file.php?" + filename, true);
+xhr.onreadystatechange = start;
+xhr.send();
+
+function firstRequest()
+{
+ xhr.onreadystatechange = function()
+ {
+ if (xhr.readyState == xhr.DONE) {
+ log(xhr.responseText);
+ log("PASS: First request complete");
+ setTimeout(secondRequest, 3000); // 5 seconds
+ }
+ }
+
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-preflight-cache-timeout.php?" + filename, true);
+ xhr.send();
+}
+
+function secondRequest()
+{
+ xhr.onreadystatechange = function()
+ {
+ if (xhr.readyState == xhr.DONE) {
+ log(xhr.responseText);
+ log("PASS: Second request complete")
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ }
+
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-preflight-cache-timeout.php?" + filename, true);
+ xhr.send();
+}
+
+</script>
+</body>
+</html>
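Review bot: The delay in `firstRequest` is written as `setTimeout(secondRequest, 3000); // 5 seconds`, so the comment and the value disagree. Whether 3000 ms is long enough depends on the max-age that `access-control-basic-preflight-cache-timeout.php` sends, which is not visible here; if the delay is shorter than that lifetime the second PUT is served from the preflight cache and the timeout path is never exercised. The comment should state the real delay and the server-side value it is meant to outlast, e.g. `// 3 s: must exceed the max-age set by the .php script`. The log call in `secondRequest` is also missing its terminating semicolon.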
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-allow-preflight-cache.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,76 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function errorHandler(event)
+{
+ log("FAIL: Network error. ");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+var filename = "filename=preflightCache.txt";
+
+var xhr = new XMLHttpRequest;
+xhr.onerror = errorHandler;
+
+start = function()
+{
+ // reset-temp-file.php reports an error on failure, for debugging problems with BuildBot setup.
+ if (xhr.responseText.length > 0)
+ log(xhr.responseText);
+
+ // Temp file removed. We can start the test now.
+ if (xhr.readyState == xhr.DONE) {
+ firstRequest();
+ }
+}
+
+xhr.open("GET", "/resources/reset-temp-file.php?" + filename, true);
+xhr.onreadystatechange = start;
+xhr.send();
+
+function firstRequest()
+{
+ xhr.onreadystatechange = function()
+ {
+ if (xhr.readyState == xhr.DONE) {
+ log(xhr.responseText);
+ log("PASS: First request complete");
+ secondRequest();
+ }
+ }
+
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-preflight-cache.php?" + filename, true);
+ xhr.send();
+}
+
+function secondRequest()
+{
+ xhr.onreadystatechange = function()
+ {
+ if (xhr.readyState == xhr.DONE) {
+ log(xhr.responseText);
+ log("PASS: Second request complete");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ }
+
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-preflight-cache.php?" + filename, true);
+ xhr.send();
+}
+
+</script>
+</body>
+</html>
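Review bot: In `start`, the `xhr.responseText.length > 0` check runs on every `readystatechange` rather than only at DONE, so an error body from `reset-temp-file.php` can be logged more than once (partially while loading, then in full), which makes the dumped text depend on how the response is chunked. Moving the check inside the `if (xhr.readyState == xhr.DONE)` block, ahead of `firstRequest();`, logs the message exactly once.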
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-allow-star.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,37 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+(function() {
+ var xhr = new XMLHttpRequest;
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in 'open'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.send();
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in 'send'. [" + e.message + "].");
+ return;
+ }
+
+ log(xhr.responseText);
+})();
+
+if (window.layoutTestController)
+ layoutTestController.notifyDone();
+</script>
+</body>
+</html>
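Review bot: The trailing `layoutTestController.notifyDone()` has no matching `waitUntilDone()`; this test is fully synchronous and only calls `dumpAsText()` at the top. The sibling synchronous tests (for example access-control-basic-denied.html) omit the call, so dropping the final `if (window.layoutTestController) layoutTestController.notifyDone();` keeps the files consistent. access-control-basic-allow.html has the same unpaired call.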
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-allow.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,37 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+(function() {
+ var xhr = new XMLHttpRequest;
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in 'open'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.send();
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in 'send'. [" + e.message + "].");
+ return;
+ }
+
+ log(xhr.responseText);
+})();
+
+if (window.layoutTestController)
+ layoutTestController.notifyDone();
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-denied-preflight-cache.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,39 @@
+<html>
+<body>
+<p>Test async xhr preflight cache denial. If this test passes, there should be a single PASS below.</p>
+<script>
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+
+ var console_messages = document.createElement("ul");
+ document.body.appendChild(console_messages);
+
+ function log(message)
+ {
+ var item = document.createElement("li");
+ item.appendChild(document.createTextNode(message));
+ console_messages.appendChild(item);
+ }
+
+ xhr = new XMLHttpRequest;
+ xhr.onreadystatechange = processStateChange;
+ try {
+ xhr.open("FOO", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi");
+ xhr.send();
+ } catch (e) {
+ log("Got exception.");
+ }
+
+ function processStateChange() {
+ if (xhr.readyState == 1)
+ log("PASS");
+ else if (xhr.readyState == 4) {
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ }
+</script>
+</body>
+</html>
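Review bot: `processStateChange` prints "PASS" when `readyState == 1`, which `open()` itself triggers, so the PASS line appears whether or not the "FOO" request is later denied; the denial itself is never asserted. At `readyState == 4` the handler could record the outcome before finishing, e.g. `if (xhr.status != 0) log("FAIL: request was not denied");`. The catch block logs "Got exception." without a PASS or FAIL prefix, and `xhr = new XMLHttpRequest;` creates an implicit global.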
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-denied.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,34 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+(function() {
+ var xhr = new XMLHttpRequest;
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in 'open'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.send();
+ } catch(e) {
+ log("PASS: Exception thrown. Cross-domain access was denied in 'send'. [" + e.message + "].");
+ return;
+ }
+
+ log(xhr.responseText);
+})();
+</script>
+</body>
+</html>
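Review bot: When `xhr.send()` does not throw, the function falls through to `log(xhr.responseText)`, so a wrongly allowed cross-origin read is reported only as whatever body the .cgi returns, with no FAIL marker. access-control-basic-post-fail-non-simple-content-type.html handles this case explicitly; the same line fits here right after `xhr.send();` inside the try: `log("FAIL: Cross-domain access was not denied in 'send'.");`. access-control-basic-get-fail-non-simple.html has the same gap.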
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-get-fail-non-simple.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,38 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+(function() {
+ var xhr = new XMLHttpRequest;
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-get-fail-non-simple.cgi", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in 'open'. [" + e.message + "].");
+ return;
+ }
+
+ // Non-whitelisted method
+ xhr.setRequestHeader("x-webkit", "foobar");
+
+ // This is going to fail because the cgi script is not prepared for an OPTIONS request.
+ try {
+ xhr.send();
+ } catch(e) {
+ log("PASS: Exception thrown. Cross-domain access was denied in 'send'. [" + e.message + "].");
+ return;
+ }
+
+ log(xhr.responseText);
+})();
+</script>
+</body>
+</html>
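Review bot: The comment `// Non-whitelisted method` sits above `xhr.setRequestHeader("x-webkit", "foobar");`, but the method is GET and it is the request header that makes the request non-simple. It should read `// Non-whitelisted request header: forces a preflight`, so a reader does not look for a method-based denial.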
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-non-simple-allow-async.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,41 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function processStateChange()
+{
+ if (xhr.readyState == xhr.DONE) {
+ log(xhr.responseText);
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+}
+
+function errorHandler()
+{
+ log("FAIL: Network error.");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+var xhr = new XMLHttpRequest;
+xhr.onreadystatechange = processStateChange;
+xhr.onerror = errorHandler;
+
+xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-non-get-allow.cgi", true);
+xhr.setRequestHeader("Content-Type", "text/plain; charset=UTF-8");
+xhr.send("PASS: PUT data received");
+
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-non-simple-allow.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,36 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+(function() {
+ var xhr = new XMLHttpRequest;
+
+ try {
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-non-get-allow.cgi", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in 'open'. [" + e.message + "].");
+ return;
+ }
+
+ xhr.setRequestHeader("Content-Type", "text/plain; charset=UTF-8");
+
+ try {
+ xhr.send("PASS: PUT data received");
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in 'send'. [" + e.message + "].");
+ return;
+ }
+
+ log(xhr.responseText);
+})();
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-non-simple-deny-cached.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,52 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+(function() {
+ var xhr = new XMLHttpRequest;
+
+ try {
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-non-get-allow.cgi", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. PUT cross-domain access is not allowed in 'open'. [" + e.message + "].");
+ return;
+ }
+
+ xhr.setRequestHeader("Content-Type", "text/plain");
+
+ try {
+ xhr.send("PASS: PUT data received");
+ } catch(e) {
+ log("FAIL: Exception thrown. PUT cross-domain access is not allowed in 'send'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-non-get-allow.cgi", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. GET cross-domain access is not allowed in 'open'. [" + e.message + "].");
+ return;
+ }
+
+ xhr.setRequestHeader("Content-Type", "application/xml");
+
+ try {
+ xhr.send("FAIL: PUT data received");
+ log("FAIL: Exception not thrown. Cross-domain access was allowed, even though content type was not on white list.");
+ log(xhr.responseText);
+ } catch(e) {
+ log("PASS: Exception thrown. Cross-domain access is not allowed in 'send'. [" + e.message + "].");
+ return;
+ }
+})();
+</script>
+</body>
+</html>
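Review bot: The failure message for the second `xhr.open("PUT", ...)` says "GET cross-domain access is not allowed in 'open'", although both requests in this test use PUT. The text looks copied from another test; `"FAIL: Exception thrown. Second PUT cross-domain access is not allowed in 'open'. [" + e.message + "]."` would also distinguish it from the first `open` message. A one-line comment before the second request stating that only the Content-Type changes (`text/plain` to `application/xml`), and that the cached preflight must not cover it, would document what is being tested.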
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-post-fail-non-simple-content-type.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,37 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+var xhr = new XMLHttpRequest;
+
+(function() {
+ try {
+ xhr.open("POST", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-options-not-supported.cgi", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in 'open'. [" + e.message + "].");
+ return;
+ }
+
+ // Content-Type is a simple header, but only if the type is one that could be sent via form submission already.
+ xhr.setRequestHeader("Content-Type", "application/xml");
+
+ // This is going to fail because the cgi script is not prepared to serve an OPTIONS request.
+ try {
+ xhr.send(null);
+ log("FAIL: Cross-domain access was not denied in 'send'.");
+ } catch(e) {
+ log("PASS: Exception thrown. Cross-domain access was denied in 'send'. [" + e.message + "].");
+ return;
+ }
+})();
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-whitelist-request-headers.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,28 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ function log(message)
+ {
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+ }
+
+ try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("POST", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-whitelist-request-headers.cgi", false);
+ xhr.setRequestHeader("Accept", "*");
+ xhr.setRequestHeader("Accept-Language", "ru");
+ xhr.setRequestHeader("Content-Language", "ru");
+ xhr.setRequestHeader("Content-Type", "text/plain");
+ xhr.send("");
+
+ log(xhr.responseText);
+ } catch (ex) {
+ log("Unexpected exception: " + ex);
+ }
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-basic-whitelist-response-headers.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,52 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ function log(message)
+ {
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+ }
+
+ var xhr;
+
+ function testAllowed(name)
+ {
+ if (xhr.getResponseHeader(name))
+ log("PASS: Response header " + name + " allowed.");
+ else
+ log("FAIL: Response header " + name + " not allowed.");
+ }
+
+ function testDenied(name)
+ {
+ if (!xhr.getResponseHeader(name))
+ log("PASS: Response header " + name + " denied.");
+ else
+ log("FAIL: Response header " + name + " not denied.");
+ }
+
+
+ xhr = new XMLHttpRequest;
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-basic-whitelist-response-headers.cgi", false);
+ xhr.send();
+
+ // Test getResponseHeader()
+ testAllowed("cache-control");
+ testAllowed("content-language");
+ testAllowed("content-type");
+ testAllowed("expires");
+ testAllowed("last-modified");
+ testAllowed("pragma");
+ testDenied("x-webkit");
+
+ // Test getAllResponseHeaders()
+ if (!xhr.getAllResponseHeaders().match("foobar"))
+ log("PASS: Non-whitelisted headers not passed to getAllResponseHeaders().");
+ else
+ log("FAIL: Non-whitelisted headers passed to getAllResponseHeaders().");
+</script>
+</body>
+</html>
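Review bot: The `getAllResponseHeaders()` check searches only for the string "foobar", presumably the value the .cgi gives `x-webkit` (the script is not shown), so a leaked header whose value differs, or whose name alone is exposed, would still pass. Matching the header name as well closes that gap: `if (!/x-webkit|foobar/i.test(xhr.getAllResponseHeaders()))`. `testAllowed` and `testDenied` rely on truthiness of `getResponseHeader(name)`, which treats an allowed header with an empty value as denied; a comment stating that the .cgi sends non-empty values for every tested header would make that assumption explicit.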
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-preflight-async-header-denied.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,64 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+(function() {
+ var xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
+ xhr.send(null);
+ } catch(e) {
+ log("FAIL: Unable to reset server state: [" + e.message + "].");
+ return;
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=header", true);
+ xhr.setRequestHeader("X-NON-STANDARD", "filler");
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in first 'open'. [" + e.message + "].");
+ return;
+ }
+
+ xhr.onerror = function() {
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=complete", false);
+ try {
+ xhr.send(null);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");
+ }
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'open'. [" + e.message + "].");
+ }
+
+ log(xhr.responseText);
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+
+ xhr.onreadystatechange = function() {
+ if (xhr.readyState == 4 && xhr.status == 200)
+ log("FAIL: Cross-domain access allowed in first send without throwing an exception");
+ }
+
+ xhr.send(null);
+})();
+</script>
+</body>
+</html>
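Review bot: The `onreadystatechange` handler logs "FAIL: Cross-domain access allowed in first send..." when the first request succeeds, but never calls `notifyDone()`, and `onerror` does not fire in that case, so a regression here ends as a harness timeout rather than a recorded FAIL. Adding `if (window.layoutTestController) layoutTestController.notifyDone();` after that log line fixes it. Inside `onerror`, `log(xhr.responseText)` still runs after either inner catch has already logged FAIL. The method-denied and not-supported variants added with this file share both issues.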
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-preflight-async-method-denied.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,63 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+(function() {
+ var xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
+ xhr.send(null);
+ } catch(e) {
+ log("FAIL: Unable to reset server state: [" + e.message + "].");
+ return;
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("DELETE", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=method", true);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in first 'open'. [" + e.message + "].");
+ return;
+ }
+
+ xhr.onerror = function() {
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=complete", false);
+ try {
+ xhr.send(null);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");
+ }
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'open'. [" + e.message + "].");
+ }
+
+ log(xhr.responseText);
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+
+ xhr.onreadystatechange = function() {
+ if (xhr.readyState == 4 && xhr.status == 200)
+ log("FAIL: Cross-domain access allowed in first send without throwing an exception");
+ }
+
+ xhr.send(null);
+})();
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-preflight-async-not-supported.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,63 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+(function() {
+ var xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
+ xhr.send(null);
+ } catch(e) {
+ log("FAIL: Unable to reset server state: [" + e.message + "].");
+ return;
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php", true);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in first 'open'. [" + e.message + "].");
+ return;
+ }
+
+ xhr.onerror = function() {
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=complete", false);
+ try {
+ xhr.send(null);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");
+ }
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'open'. [" + e.message + "].");
+ }
+
+ log(xhr.responseText);
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+
+ xhr.onreadystatechange = function() {
+ if (xhr.readyState == 4 && xhr.status == 200)
+ log("FAIL: Cross-domain access allowed in first send without throwing an exception");
+ }
+
+ xhr.send("");
+})();
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-preflight-credential-async.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,37 @@
+<html>
+<body>
+<p>Test case for bug <a href="https://bugs.webkit.org/show_bug.cgi?id=37781">37781</a>: [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR</p>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php?uid=fooUser", false, "fooUser", "barPass");
+ xhr.onerror = function (e) {
+ log("FAILED: received error");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ };
+ xhr.onreadystatechange = function () {
+ if (xhr.readyState == 4) {
+ log((xhr.status == 401) ? "PASSED" : "FAILED: credential send!");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ };
+ xhr.send();
+} catch(e) {
+ log("FAILED: got exception " + e.message);
+}
+</script>
+</body>
+</html>
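Review bot: The `xhr.open("PUT", ...)` call passes `false` as its third argument, so this file named `-async` issues a synchronous request and is line-for-line identical to `access-control-preflight-credential-sync.html`; the asynchronous credential path is not exercised at all. If the async case is what is meant, the flag should be `true` and the description paragraph should stop saying "synchronous". In both files the outer `catch` logs the exception but does not call `layoutTestController.notifyDone()` after `waitUntilDone()`, so an exception leaves the harness waiting for its timeout; `if (window.layoutTestController) layoutTestController.notifyDone();` belongs in that branch as well.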
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-preflight-credential-sync.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,37 @@
+<html>
+<body>
+<p>Test case for bug <a href="https://bugs.webkit.org/show_bug.cgi?id=37781">37781</a>: [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR</p>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php?uid=fooUser", false, "fooUser", "barPass");
+ xhr.onerror = function (e) {
+ log("FAILED: received error");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ };
+ xhr.onreadystatechange = function () {
+ if (xhr.readyState == 4) {
+ log((xhr.status == 401) ? "PASSED" : "FAILED: credential send!");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ };
+ xhr.send();
+} catch(e) {
+ log("FAILED: got exception " + e.message);
+}
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-preflight-headers-async.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,35 @@
+<p>Test that custom headers are not sent with OPTIONS preflight request.</p>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function resetStatus()
+{
+ var req = new XMLHttpRequest;
+ req.open("GET", "/resources/reset-temp-file.php?filename=access-control-preflight-headers-status", false);
+ req.send();
+}
+
+function sendRequest()
+{
+ var req = new XMLHttpRequest;
+ req.open("GET", "http://localhost:8000/xmlhttprequest/resources/no-custom-header.php");
+ req.setRequestHeader("X-Custom-Header", "foobar");
+ req.onerror = function() {
+ document.body.appendChild(document.createTextNode("FAIL: onerror called"));
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ req.onload = function() {
+ document.body.appendChild(document.createTextNode(req.responseText));
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ req.send();
+}
+
+resetStatus();
+sendRequest();
+</script>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-preflight-headers-sync.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,28 @@
+<p>Test that custom headers are not sent with OPTIONS preflight request.</p>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function resetStatus()
+{
+ var req = new XMLHttpRequest;
+ req.open("GET", "/resources/reset-temp-file.php?filename=access-control-preflight-headers-status", false);
+ req.send();
+}
+
+function sendRequest()
+{
+ try {
+ var req = new XMLHttpRequest;
+ req.open("GET", "http://localhost:8000/xmlhttprequest/resources/no-custom-header.php", false);
+ req.setRequestHeader("X-Custom-Header", "foobar");
+ req.send();
+ document.write("<xmp>" + req.responseText + "</xmp>");
+ } catch (ex) {
+ document.write("<xmp>" + ex + "</xmp>");
+ }
+}
+
+resetStatus();
+sendRequest();
+</script>
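Review bot: `document.write("<xmp>" + req.responseText + "</xmp>")` in `sendRequest` feeds the cross-origin response body to the HTML parser, so a body containing `</xmp>` would be interpreted as markup in the test page, and `<xmp>` itself is obsolete. The async sibling of this test already appends a text node, and doing the same here keeps the response inert: `document.body.appendChild(document.createTextNode(req.responseText));`, with the same treatment for `ex` in the `catch`. The expected-output file would presumably need rebaselining after that change.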
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-preflight-sync-header-denied.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,62 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+(function() {
+ var xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
+ xhr.send(null);
+ } catch(e) {
+ log("FAIL: Unable to reset server state: [" + e.message + "].");
+ return;
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=header", false);
+ xhr.setRequestHeader("X-NON-STANDARD", "filler");
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in first 'open'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.send(null);
+ log("FAIL: Cross-domain access allowed in first send without throwing an exception");
+ return;
+ } catch(e) {
+ // Eat the exception.
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=complete", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'open'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.send(null);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");
+ return;
+ }
+
+ log(xhr.responseText);
+})();
+</script>
+</body>
+</html>
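Review bot: The `// Eat the exception.` comment in the first-send `catch` hides what the test relies on, and the same bare comment is repeated in `access-control-preflight-sync-method-denied.html` and `access-control-preflight-sync-not-supported.html`. As written, any exception is accepted there, including one unrelated to the denied preflight; the verdict comes only from the later `state=complete` request, which the server answers with PASS when it saw the preflight and nothing after it. I would replace the comment with `// Expected: the denied preflight makes the synchronous send() throw. The state=complete request below asks the server whether any further request arrived.` so the next reader does not take the empty catch for an oversight.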
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-preflight-sync-method-denied.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,61 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+(function() {
+ var xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
+ xhr.send(null);
+ } catch(e) {
+ log("FAIL: Unable to reset server state: [" + e.message + "].");
+ return;
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("DELETE", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=method", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in first 'open'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.send(null);
+ log("FAIL: Cross-domain access allowed in first send without throwing an exception");
+ return;
+ } catch(e) {
+ // Eat the exception.
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=complete", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'open'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.send(null);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");
+ return;
+ }
+
+ log(xhr.responseText);
+})();
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-preflight-sync-not-supported.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,61 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+(function() {
+ var xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
+ xhr.send(null);
+ } catch(e) {
+ log("FAIL: Unable to reset server state: [" + e.message + "].");
+ return;
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in first 'open'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.send(null);
+ log("FAIL: Cross-domain access allowed in first send without throwing an exception");
+ return;
+ } catch(e) {
+ // Eat the exception.
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=complete", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'open'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.send(null);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");
+ return;
+ }
+
+ log(xhr.responseText);
+})();
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-response-with-body-sync.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,24 @@
+<html>
+<body>
+<p>Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=36854">bug 36854<a>:
+Body from cross origin preflight response is prepended to the actual response body.</p>
+<div id=result>Running test...</div>
+<script>
+
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ window.onload = function() {
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET","http://localhost:8000/xmlhttprequest/resources/access-control-allow-with-body.php", false);
+ xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+ xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
+ xhr.send(null);
+
+ document.getElementById("result").innerHTML = (xhr.responseText == "echo") ? "PASS" : ("FAIL: " + xhr.responseText);
+ };
+
+</script>
+
+</body>
+</html>
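Review bot: The result line assigns `"FAIL: " + xhr.responseText` to `innerHTML`, so a cross-origin response body is parsed as markup in the test page, and that happens precisely in the failure case, when the body is not the expected `echo`. Assigning to `textContent` instead keeps the body inert: `document.getElementById("result").textContent = (xhr.responseText == "echo") ? "PASS" : ("FAIL: " + xhr.responseText);`. The same pattern appears in `access-control-response-with-body.html` and in the three `resources/access-control-sandboxed-iframe-*-iframe.html` files, where `e.message` and `xhr.responseText` are returned into `innerHTML`. The description paragraph also ends its link with `<a>` where `</a>` is meant.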
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-response-with-body.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,32 @@
+<html>
+<body>
+<p>Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=36854">bug 36854<a>:
+Body from cross origin preflight response is prepended to the actual response body.</p>
+<div id=result>Running test...</div>
+<script>
+
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+
+ window.onload = function() {
+ var xhr = new XMLHttpRequest();
+ xhr.onreadystatechange=function() {
+ if (xhr.readyState==4) {
+ document.getElementById("result").innerHTML = (xhr.responseText == "echo") ? "PASS" : ("FAIL: " + xhr.responseText);
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ };
+
+ xhr.open("GET","http://localhost:8000/xmlhttprequest/resources/access-control-allow-with-body.php");
+ xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+ xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
+ xhr.send(null);
+ };
+
+</script>
+
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-sandboxed-iframe-allow.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,18 @@
+<html>
+<script>
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+}
+
+</script>
+<body>
+ <p>This test verifies that sandboxed iframe has XmlHttpRequest access
+ to the server that accepts all domains. It will print "PASS" on success.</p>
+
+ <iframe sandbox="allow-scripts" src="http://127.0.0.1:8000/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-iframe.html" style="width: 500px;">
+ </iframe>
+
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-sandboxed-iframe-denied-without-wildcard.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,22 @@
+<html>
+<script>
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+}
+
+</script>
+<body>
+
+ <p>This test verifies that sandboxed iframe does not have XmlHttpRequest access to
+ its server with "Access-Control-Allow-Origin" set to its own origin (127.0.0.1).</p>
+
+ <p>This test will print "PASS" on success.</p>
+
+ <iframe sandbox="allow-scripts"
+ src="http://127.0.0.1:8000/xmlhttprequest/resources/access-control-sandboxed-iframe-denied-without-wildcard-iframe.html" style="width: 500px;">
+ </iframe>
+
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/access-control-sandboxed-iframe-denied.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,19 @@
+<html>
+<script>
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+}
+
+</script>
+
+<body>
+ <p>This test verifies that sandboxed iframe does not have XmlHttpRequest access
+ to its server. It will print "PASS" on success.</p>
+
+ <iframe sandbox="allow-scripts"
+ src="http://127.0.0.1:8000/xmlhttprequest/resources/access-control-sandboxed-iframe-denied-iframe.html" style="width: 500px;">
+ </iframe>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/.htaccess Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,12 @@
+<Files "reply2.txt">
+AddCharset windows-1251 .txt
+</Files>
+<Files "reply4.txt">
+AddCharset koi8-r .txt
+</Files>
+<Files "reply2.xml">
+AddCharset windows-1251 .xml
+</Files>
+<Files "noContentType.asis">
+DefaultType None
+</Files>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-allow-with-body.php Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,10 @@
+<?php
+ header("Access-control-allow-headers: X-Requested-With");
+ header("Access-control-max-age: 0");
+ header("Access-control-allow-origin: *");
+ header("Access-control-allow-methods: *");
+ header("Vary: Accept-Encoding");
+ header("Content-Type: text/plain");
+
+ print "echo"
+?>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-basic-allow-access-control-origin-header.cgi Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,9 @@
+#!/usr/bin/perl -wT
+use strict;
+
+print "Content-Type: text/plain\n";
+print "Cache-Control: no-cache, no-store\n";
+print "Access-Control-Allow-Origin: *\n\n";
+
+print "PASS: Cross-domain access allowed.\n";
+print "HTTP_ORIGIN: " . $ENV{"HTTP_ORIGIN"} . "\n";
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-basic-allow-print-headers.cgi Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,12 @@
+#!/usr/bin/perl -wT
+use strict;
+
+print "Content-Type: text/plain\n";
+print "Cache-Control: no-store\n";
+print "Access-Control-Allow-Origin: *\n\n";
+
+foreach (keys %ENV) {
+ if ($_ =~ "HTTP_") {
+ print $_ . ": " . $ENV{$_} . "\n";
+ }
+}
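Review bot: `foreach (keys %ENV)` emits the headers in hash order, which Perl does not keep stable, so a test that compares this output with expected text can change between runs; `foreach (sort keys %ENV)` fixes the order. The match `$_ =~ "HTTP_"` is unanchored and accepts any variable that merely contains `HTTP_`; `/^HTTP_/` states what is meant. Because the script reflects every request header it receives under `Access-Control-Allow-Origin: *`, a leading comment such as `# Test-only fixture: echoes all request headers to any origin.` would be worth adding.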
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-basic-allow-star.cgi Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,7 @@
+#!/usr/bin/perl -wT
+use strict;
+
+print "Content-Type: text/plain\n";
+print "Access-Control-Allow-Origin: *\n\n";
+
+print "PASS: Cross-domain access allowed.\n";
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-basic-allow.cgi Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,8 @@
+#!/usr/bin/perl -wT
+use strict;
+
+print "Content-Type: text/plain\n";
+print "Access-Control-Allow-Credentials: true\n";
+print "Access-Control-Allow-Origin: http://127.0.0.1:8000\n\n";
+
+print "PASS: Cross-domain access allowed.\n";
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-basic-denied.cgi Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,6 @@
+#!/usr/bin/perl -wT
+use strict;
+
+print "Content-Type: text/plain\n\n";
+
+print "FAIL: Cross-domain access allowed.\n";
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-basic-get-fail-non-simple.cgi Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,11 @@
+#!/usr/bin/perl -wT
+use strict;
+
+my $request;
+
+if ($ENV{'REQUEST_METHOD'} eq "GET") {
+ print "Content-Type: text/plain\n";
+ print "Access-Control-Allow-Credentials: true\n";
+ print "Access-Control-Allow-Origin: http://127.0.0.1:8000\n\n";
+ print "FAIL: Cross-domain access allowed.\n";
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-basic-non-get-allow.cgi Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,22 @@
+#!/usr/bin/perl -wT
+use strict;
+
+my $request;
+
+if ($ENV{'REQUEST_METHOD'} eq "OPTIONS") {
+ print "Content-Type: text/plain\n";
+ print "Access-Control-Allow-Credentials: true\n";
+ print "Access-Control-Allow-Methods: PUT\n";
+ print "Access-Control-Allow-Origin: http://127.0.0.1:8000\n\n";
+} elsif ($ENV{'REQUEST_METHOD'} eq "PUT") {
+ print "Content-Type: text/plain\n";
+ print "Access-Control-Allow-Credentials: true\n";
+ print "Access-Control-Allow-Origin: http://127.0.0.1:8000\n\n";
+
+ print "PASS: Cross-domain access allowed.\n";
+ read(STDIN, $request, $ENV{'CONTENT_LENGTH'}) || die "Could not read in content.\n";
+ print $request;
+} else {
+ print "Content-Type: text/plain\n\n";
+ print "Wrong method: " . $ENV{'REQUEST_METHOD'} . "\n";
+}
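Review bot: In the PUT branch, `read(STDIN, $request, $ENV{'CONTENT_LENGTH'}) || die ...` treats a zero-byte read as an error, so a PUT with an empty body dies after the headers and the PASS line have already been printed. `read` returns undef on error and 0 at end of input, so the check should test definedness: `defined(read(STDIN, $request, $ENV{'CONTENT_LENGTH'} || 0)) or die "Could not read in content.\n";`. The length comes straight from the request and the body is echoed back, so a small upper bound on it would also be reasonable for a fixture.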
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-basic-options-not-supported.cgi Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,12 @@
+#!/usr/bin/perl -wT
+use strict;
+
+print "Cache-Control: no-store\n";
+
+# Allow simple requests, but deny preflight.
+if ($ENV{'REQUEST_METHOD'} ne "OPTIONS") {
+ print "Access-Control-Allow-Credentials: true\n";
+ print "Access-Control-Allow-Origin: http://127.0.0.1:8000\n";
+}
+
+print "\n";
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-basic-post-fail-non-simple.cgi Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,11 @@
+#!/usr/bin/perl -wT
+use strict;
+
+my $request;
+
+if ($ENV{'REQUEST_METHOD'} eq "POST") {
+ print "Content-Type: text/plain\n";
+ print "Access-Control-Allow-Credentials: true\n";
+ print "Access-Control-Allow-Origin: http://127.0.0.1:8000\n\n";
+ print "FAIL: Cross-domain access allowed.\n";
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-basic-preflight-cache-invalidation.php Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,73 @@
+<?php
+require_once '../../resources/portabilityLayer.php';
+
+$tmpFile = sys_get_temp_dir() . "/" . $_GET['filename'];
+
+function fail()
+{
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ header("Access-Control-Allow-Methods: PUT");
+ header("Access-Control-Allow-Headers: x-webkit-test");
+ echo "FAIL: " . $_SERVER['REQUEST_METHOD'] . "\n";
+ exit();
+}
+
+function setState($newState, $file)
+{
+ file_put_contents($file, $newState);
+}
+
+function getState($file)
+{
+ if (!file_exists($file)) {
+ return "Uninitialized";
+ }
+ return file_get_contents($file);
+}
+
+$state = getState($tmpFile);
+
+if ($state == "Uninitialized") {
+ if ($_SERVER['REQUEST_METHOD'] == "OPTIONS") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ header("Access-Control-Allow-Methods: PUT");
+ header("Access-Control-Max-Age: 10"); // 10 seconds
+ setState("OptionsSent", $tmpFile);
+ } else {
+ fail();
+ }
+} else if ($state == "OptionsSent") {
+ if ($_SERVER['REQUEST_METHOD'] == "PUT") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ echo "PASS: First PUT request.";
+ setState("FirstPUTSent", $tmpFile);
+ } else {
+ fail();
+ }
+} else if ($state == "FirstPUTSent") {
+ if ($_SERVER['REQUEST_METHOD'] == "OPTIONS") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ header("Access-Control-Allow-Methods: PUT, XMETHOD");
+ header("Access-Control-Allow-Headers: x-webkit-test");
+ setState("SecondOPTIONSSent", $tmpFile);
+ } else if ($_SERVER['REQUEST_METHOD'] == "PUT") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ echo "FAIL: Second PUT request sent without preflight";
+ }
+} else if ($state == "SecondOPTIONSSent") {
+ if ($_SERVER['REQUEST_METHOD'] == "PUT" || $_SERVER['REQUEST_METHOD'] == "XMETHOD") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ echo "PASS: Second OPTIONS request was sent.";
+ } else {
+ fail();
+ }
+} else {
+ fail();
+}
+?>
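Review bot: `$tmpFile = sys_get_temp_dir() . "/" . $_GET['filename'];` builds a filesystem path from an unvalidated query parameter, and that path is then passed to `file_exists`, `file_get_contents` and `file_put_contents`, so the value is not confined to the temp directory and the script can be made to overwrite other files with the web server's permissions. Reducing the value to a bare file name closes this: `$tmpFile = sys_get_temp_dir() . "/" . basename($_GET['filename']);`, ideally after checking that the parameter is present and matches the expected name pattern. The identical line is in `access-control-basic-preflight-cache-timeout.php` and `access-control-basic-preflight-cache.php`. In the `FirstPUTSent` branch a method other than OPTIONS or PUT falls through with no output, unlike the other states, which call `fail()`.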
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-basic-preflight-cache-timeout.php Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,74 @@
+<?php
+require_once '../../resources/portabilityLayer.php';
+
+$tmpFile = sys_get_temp_dir() . "/" . $_GET['filename'];
+
+function fail()
+{
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ header("Access-Control-Allow-Methods: PUT");
+ header("Access-Control-Allow-Headers: x-webkit-test");
+ echo "FAIL: " . $_SERVER['REQUEST_METHOD'] . "\n";
+ exit();
+}
+
+function setState($newState, $file)
+{
+ file_put_contents($file, $newState);
+}
+
+function getState($file)
+{
+ if (!file_exists($file)) {
+ return "Uninitialized";
+ }
+ return file_get_contents($file);
+}
+
+$state = getState($tmpFile);
+
+if ($state == "Uninitialized") {
+ if ($_SERVER['REQUEST_METHOD'] == "OPTIONS") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ header("Access-Control-Allow-Methods: PUT");
+ header("Access-Control-Allow-Headers: x-webkit-test");
+ header("Access-Control-Max-Age: 1"); // 1 second
+ setState("OptionsSent", $tmpFile);
+ } else {
+ fail();
+ }
+} else if ($state == "OptionsSent") {
+ if ($_SERVER['REQUEST_METHOD'] == "PUT") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ echo "PASS: First PUT request.";
+ setState("FirstPUTSent", $tmpFile);
+ } else {
+ fail();
+ }
+} else if ($state == "FirstPUTSent") {
+ if ($_SERVER['REQUEST_METHOD'] == "OPTIONS") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ header("Access-Control-Allow-Methods: PUT");
+ header("Access-Control-Allow-Headers: x-webkit-test");
+ setState("SecondOPTIONSSent", $tmpFile);
+ } else if ($_SERVER['REQUEST_METHOD'] == "PUT") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ echo "FAIL: Second PUT request sent without preflight";
+ }
+} else if ($state == "SecondOPTIONSSent") {
+ if ($_SERVER['REQUEST_METHOD'] == "PUT") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ echo "PASS: Second OPTIONS request was sent.";
+ } else {
+ fail();
+ }
+} else {
+ fail();
+}
+?>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-basic-preflight-cache.php Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,74 @@
+<?php
+require_once '../../resources/portabilityLayer.php';
+
+$tmpFile = sys_get_temp_dir() . "/" . $_GET['filename'];
+
+function fail()
+{
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ header("Access-Control-Allow-Methods: PUT");
+ header("Access-Control-Allow-Headers: x-webkit-test");
+ echo "FAIL: " . $_SERVER['REQUEST_METHOD'] . "\n";
+ exit();
+}
+
+function setState($newState, $file)
+{
+ file_put_contents($file, $newState);
+}
+
+function getState($file)
+{
+ if (!file_exists($file)) {
+ return "Uninitialized";
+ }
+ return file_get_contents($file);
+}
+
+$state = getState($tmpFile);
+
+if ($state == "Uninitialized") {
+ if ($_SERVER['REQUEST_METHOD'] == "OPTIONS") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ header("Access-Control-Allow-Methods: PUT");
+ header("Access-Control-Allow-Headers: x-webkit-test");
+ header("Access-Control-Max-Age: 10"); // 10 seconds
+ setState("OptionsSent", $tmpFile);
+ } else {
+ fail();
+ }
+} else if ($state == "OptionsSent") {
+ if ($_SERVER['REQUEST_METHOD'] == "PUT") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ echo "PASS: First PUT request.";
+ setState("FirstPUTSent", $tmpFile);
+ } else {
+ fail();
+ }
+} else if ($state == "FirstPUTSent") {
+ if ($_SERVER['REQUEST_METHOD'] == "PUT") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ echo "PASS: Second PUT request. Preflight worked";
+ } else if ($_SERVER['REQUEST_METHOD'] == "OPTIONS") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ header("Access-Control-Allow-Methods: PUT");
+ header("Access-Control-Allow-Headers: x-webkit-test");
+ setState("FAILSecondOPTIONSSent", $tmpFile);
+ }
+} else if ($state == "FAILSecondOPTIONSSent") {
+ if ($_SERVER['REQUEST_METHOD'] == "PUT") {
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ echo "FAIL: Second OPTIONS request was sent. Preflight failed";
+ } else {
+ fail();
+ }
+} else {
+ fail();
+}
+?>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-basic-whitelist-request-headers.cgi Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,17 @@
+#!/usr/bin/perl -wT
+use strict;
+
+print "Cache-Control: no-store\n";
+
+# This should be a simple request, deny preflight.
+if ($ENV{'REQUEST_METHOD'} eq "POST") {
+ print "Access-Control-Allow-Credentials: true\n";
+ print "Access-Control-Allow-Origin: http://127.0.0.1:8000\n\n";
+
+ print "Accept: $ENV{'HTTP_ACCEPT'}\n";
+ print "Accept-Language: $ENV{'HTTP_ACCEPT_LANGUAGE'}\n";
+ print "Content-Language: $ENV{'HTTP_CONTENT_LANGUAGE'}\n";
+ print "Content-Type: $ENV{'CONTENT_TYPE'}\n";
+} else {
+ print "\n";
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-basic-whitelist-response-headers.cgi Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,17 @@
+#!/usr/bin/perl -wT
+use strict;
+
+# in whitelist
+print "content-type: text/plain\n";
+print "cache-control: no cache\n";
+print "content-language: en\n";
+print "expires: Fri, 30 Oct 1998 14:19:41 GMT\n";
+print "last-modified: Tue, 15 Nov 1994 12:45:26 GMT\n";
+print "pragma: no-cache\n";
+
+# not in whitelist
+print "x-webkit: foobar\n";
+
+print "Access-Control-Allow-Origin: *\n\n";
+
+print "PASS: Cross-domain access allowed.\n";
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-preflight-denied-xsrf.php Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,67 @@
+<?php
+require_once '../../resources/portabilityLayer.php';
+
+$tmpFile = sys_get_temp_dir() . "/xsrf.txt";
+
+function fail($state)
+{
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ header("Access-Control-Allow-Methods: GET");
+ header("Access-Control-Max-Age: 1");
+ echo "FAILED: Issued a " . $_SERVER['REQUEST_METHOD'] . " request during state '" . $state . "'\n";
+ exit();
+}
+
+function setState($newState, $file)
+{
+ file_put_contents($file, $newState);
+}
+
+function getState($file)
+{
+ $state = NULL;
+ if (file_exists($file))
+ $state = file_get_contents($file);
+ return $state ? $state : "Uninitialized";
+}
+
+$state = getState($tmpFile);
+
+if ($_SERVER['REQUEST_METHOD'] == "GET"
+ && $_GET['state'] == "reset") {
+ if (file_exists($tmpFile)) unlink($tmpFile);
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Max-Age: 1");
+ echo "Server state reset.\n";
+} else if ($state == "Uninitialized") {
+ if ($_SERVER['REQUEST_METHOD'] == "OPTIONS") {
+ if ($_GET['state'] == "method" || $_GET['state'] == "header") {
+ header("Access-Control-Allow-Methods: GET");
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Max-Age: 1");
+ }
+ echo("FAIL: This request should not be displayed.\n");
+ setState("Denied", $tmpFile);
+ } else {
+ fail($state);
+ }
+} else if ($state == "Denied") {
+ if ($_SERVER['REQUEST_METHOD'] == "GET"
+ && $_GET['state'] == "complete") {
+ unlink($tmpFile);
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Max-Age: 1");
+ echo "PASS: Request successfully blocked.\n";
+ } else {
+ setState("Deny Ignored", $tmpFile);
+ fail($state);
+ }
+} else if ($state == "Deny Ignored") {
+ unlink($tmpFile);
+ fail($state);
+} else {
+ if (file_exists($tmpFile)) unlink($tmpFile);
+ fail("Unknown");
+}
+?>
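Review bot: The state is kept in one fixed file, `sys_get_temp_dir() . "/xsrf.txt"`, and four tests in this change drive this script (`access-control-preflight-async-not-supported.html` and the three `access-control-preflight-sync-*` pages), so two of them running at the same time would reset or advance each other's state and report a wrong verdict. If a per-test file is not wanted, a comment makes the constraint explicit: `// State is shared through one temp file: tests using this script must run serially.` In the OPTIONS branch `$_GET['state']` is read without `isset`, and the not-supported tests request the URL without that parameter, which raises an undefined-index notice; `isset($_GET['state']) && (...)` avoids it.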
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-sandboxed-iframe-allow-iframe.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,25 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+
+document.getElementById('console').innerHTML = (function() {
+ var xhr = new XMLHttpRequest;
+
+ try {
+ xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/access-control-sandboxed-iframe-allow.cgi", false);
+ } catch(e) {
+ return "FAIL: Exception thrown. Sandboxed iframe XHR access is not allowed in 'open'. [" + e.message + "].";
+ }
+
+ try {
+ xhr.send();
+ } catch(e) {
+ return "FAIL: Exception thrown. Sandboxed iframe XHR access is not allowed in 'send'. [" + e.message + "].";
+ }
+
+ return xhr.responseText;
+})();
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-sandboxed-iframe-allow.cgi Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,8 @@
+#!/usr/bin/perl -wT
+use strict;
+
+print "Content-Type: text/plain\n";
+print "Access-Control-Allow-Credentials: true\n";
+print "Access-Control-Allow-Origin: *\n\n";
+
+print "PASS: Sandboxed iframe XHR access allowed.\n";
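Review bot: This response pairs `Access-Control-Allow-Credentials: true` with `Access-Control-Allow-Origin: *`, a combination that CORS does not honour for credentialed requests; the test presumably passes only because the iframe's XHR is sent without credentials. A comment above the two `print` lines would keep the fixture from being read as a valid configuration: `# The wildcard is what grants access to the sandboxed frame; Allow-Credentials has no effect together with "*".` If the credentials header is not needed for the test, dropping it would be cleaner still.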
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-sandboxed-iframe-denied-iframe.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,27 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+
+document.getElementById('console').innerHTML = (function() {
+ var xhr = new XMLHttpRequest;
+
+
+ try {
+ xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/access-control-sandboxed-iframe-denied.cgi", false);
+ } catch(e) {
+ return "FAIL: Exception thrown. Sandboxed iframe XHR access is not allowed in 'open'. [" + e.message + "].";
+ }
+
+ try {
+ xhr.send();
+ } catch(e) {
+ return "PASS: Exception thrown. Sandboxed iframe XHR access was denied in 'send'. [" + e.message + "].";
+ }
+
+ return xhr.responseText;
+})();
+
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-sandboxed-iframe-denied-without-wildcard-iframe.html Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,26 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+
+document.getElementById('console').innerHTML = (function() {
+ var xhr = new XMLHttpRequest;
+
+ try {
+ xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/access-control-sandboxed-iframe-denied-without-wildcard.cgi", false);
+ } catch(e) {
+ return "FAIL: Exception thrown. Sandboxed iframe XHR access is not allowed in 'open'. [" + e.message + "].";
+ }
+
+ try {
+ xhr.send();
+ } catch(e) {
+ return "PASS: Exception thrown. Sandboxed iframe XHR access was denied in 'send'. [" + e.message + "].";
+ }
+
+ return xhr.responseText;
+})();
+
+</script>
+</body>
+</html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-sandboxed-iframe-denied-without-wildcard.cgi Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,8 @@
+#!/usr/bin/perl -wT
+use strict;
+
+print "Content-Type: text/plain\n";
+print "Access-Control-Allow-Credentials: true\n";
+print "Access-Control-Allow-Origin: http://127.0.0.1:8000\n\n";
+
+print "FAIL: Sandboxed iframe XHR access allowed.\n";
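Review bot: Nothing in this script says why a response that names an allowed origin is expected to be refused, and the `FAIL:` body is only meaningful once that is known. A header comment such as `# The requesting frame is sandboxed, so its origin is not http://127.0.0.1:8000; the browser must refuse to expose this body.` would document the expectation (the sandboxing itself is set up outside this hunk, so confirm the wording against the parent test). access-control-sandboxed-iframe-denied.cgi, which sends no CORS headers at all, would benefit from the same one-line explanation.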
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/access-control-sandboxed-iframe-denied.cgi Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,6 @@
+#!/usr/bin/perl -wT
+use strict;
+
+print "Content-Type: text/plain\n\n";
+
+print "FAIL: Sandboxed iframe XHR access allowed.\n";
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/basic-auth/.svn/all-wcprops Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,17 @@
+K 25
+svn:wc:ra_dav:version-url
+V 98
+/repository/webkit/!svn/ver/58409/trunk/LayoutTests/http/tests/xmlhttprequest/resources/basic-auth
+END
+access-control-auth-basic.php
+K 25
+svn:wc:ra_dav:version-url
+V 128
+/repository/webkit/!svn/ver/58409/trunk/LayoutTests/http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php
+END
+basic-auth.php
+K 25
+svn:wc:ra_dav:version-url
+V 113
+/repository/webkit/!svn/ver/24227/trunk/LayoutTests/http/tests/xmlhttprequest/resources/basic-auth/basic-auth.php
+END
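Review bot: This `.svn/all-wcprops` file is Subversion working-copy metadata and looks like it was swept into the commit by accident, together with `.svn/entries` and the two `.svn/text-base/*.svn-base` copies that follow. They record the upstream repository URL, revision numbers and committer addresses. Because `tests/cors/resources` sits under the test server's document tree, the `.svn-base` copies would likely be served as plain source rather than executed. Dropping the `.svn` directory from the commit and adding it to the ignore list removes the duplication; the real `access-control-auth-basic.php` and `basic-auth.php` are added separately further down.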
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/basic-auth/.svn/entries Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,96 @@
+10
+
+dir
+102004
+http://svn.webkit.org/repository/webkit/trunk/LayoutTests/http/tests/xmlhttprequest/resources/basic-auth
+http://svn.webkit.org/repository/webkit
+
+
+
+2010-04-28T16:29:22.915186Z
+58409
+jchaffraix@webkit.org
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+access-control-auth-basic.php
+file
+
+
+
+
+2011-11-14T21:09:08.417946Z
+1342b2f90905a7f1b2fa19ac807a00af
+2010-04-28T16:29:22.915186Z
+58409
+jchaffraix@webkit.org
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+630
+
+basic-auth.php
+file
+
+
+
+
+2011-11-14T21:09:08.417946Z
+a82ea42c784b9b663e54196755ab7112
+2007-07-12T04:17:17.612601Z
+24227
+ap
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+377
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/basic-auth/.svn/text-base/access-control-auth-basic.php.svn-base Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,17 @@
+<?php
+
+header("Access-Control-Allow-Origin: http://127.0.0.1:8000/");
+header("Access-Control-Allow-Credentials: true");
+header("Access-Control-Allow-Methods: PUT");
+
+if ($_SERVER['REQUEST_METHOD'] != "OPTIONS") {
+ if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_REQUEST['uid']) || ($_REQUEST['uid'] != $_SERVER['PHP_AUTH_USER'])) {
+ header('WWW-Authenticate: Basic realm="WebKit Test Realm/Cross Origin"');
+ header('HTTP/1.0 401 Unauthorized');
+ echo 'Authentication canceled';
+ exit;
+ } else {
+ echo "User: {$_SERVER['PHP_AUTH_USER']}, password: {$_SERVER['PHP_AUTH_PW']}.";
+ }
+}
+?>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/basic-auth/.svn/text-base/basic-auth.php.svn-base Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,10 @@
+<?php
+ if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_REQUEST['uid']) || ($_REQUEST['uid'] != $_SERVER['PHP_AUTH_USER'])) {
+ header('WWW-Authenticate: Basic realm="WebKit Test Realm"');
+ header('HTTP/1.0 401 Unauthorized');
+ echo 'Authentication canceled';
+ exit;
+ } else {
+ echo "User: {$_SERVER['PHP_AUTH_USER']}, password: {$_SERVER['PHP_AUTH_PW']}.";
+ }
+?>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/basic-auth/access-control-auth-basic.php Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,17 @@
+<?php
+
+header("Access-Control-Allow-Origin: http://127.0.0.1:8000/");
+header("Access-Control-Allow-Credentials: true");
+header("Access-Control-Allow-Methods: PUT");
+
+if ($_SERVER['REQUEST_METHOD'] != "OPTIONS") {
+ if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_REQUEST['uid']) || ($_REQUEST['uid'] != $_SERVER['PHP_AUTH_USER'])) {
+ header('WWW-Authenticate: Basic realm="WebKit Test Realm/Cross Origin"');
+ header('HTTP/1.0 401 Unauthorized');
+ echo 'Authentication canceled';
+ exit;
+ } else {
+ echo "User: {$_SERVER['PHP_AUTH_USER']}, password: {$_SERVER['PHP_AUTH_PW']}.";
+ }
+}
+?>
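Review bot: The success branch echoes `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` into a response with no explicit Content-Type, so PHP's default (normally text/html) applies and client-supplied credential strings are rendered as markup. Adding `header("Content-Type: text/plain");` next to the other header() calls keeps the body inert; basic-auth.php in this commit has the same echo. Separately, the `Access-Control-Allow-Origin` value ends in `/`, while a serialized origin is `http://127.0.0.1:8000` with no trailing slash, so a strict comparison will not match. If that mismatch is what the test relies on, a comment saying so would help.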
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/basic-auth/basic-auth.php Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,10 @@
+<?php
+ if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_REQUEST['uid']) || ($_REQUEST['uid'] != $_SERVER['PHP_AUTH_USER'])) {
+ header('WWW-Authenticate: Basic realm="WebKit Test Realm"');
+ header('HTTP/1.0 401 Unauthorized');
+ echo 'Authentication canceled';
+ exit;
+ } else {
+ echo "User: {$_SERVER['PHP_AUTH_USER']}, password: {$_SERVER['PHP_AUTH_PW']}.";
+ }
+?>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/no-custom-header.php Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,34 @@
+<?php
+require_once '../../resources/portabilityLayer.php';
+
+$stateFile = sys_get_temp_dir() . "/access-control-preflight-headers-status";
+
+function setState($newState, $file)
+{
+ file_put_contents($file, $newState);
+}
+
+function getState($file)
+{
+ if (!file_exists($file)) {
+ return "";
+ }
+ return file_get_contents($file);
+}
+
+header("Access-Control-Allow-Origin: *");
+header("Access-Control-Allow-Headers: X-Custom-Header");
+header("Access-Control-Max-Age: 0");
+
+if ($_SERVER["REQUEST_METHOD"] == "OPTIONS") {
+ if (isset($_SERVER["HTTP_X_CUSTOM_HEADER"]))
+ setState("FAIL", $stateFile);
+ else
+ setState("PASS", $stateFile);
+} else {
+ if (isset($_SERVER["HTTP_X_CUSTOM_HEADER"]))
+ echo getState($stateFile);
+ else
+ echo "FAIL - no header in actual request";
+}
+?>
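Review bot: The state written during the OPTIONS request lives in a fixed-name file under `sys_get_temp_dir()` and is never cleared. A GET that arrives without a fresh preflight therefore prints whatever an earlier run left behind: a stale `PASS` can mask a regression, and parallel runs on one host share the file. Clearing it once read makes each run self-contained: `$state = getState($stateFile); if (file_exists($stateFile)) unlink($stateFile); echo $state;` in the branch that currently calls `echo getState($stateFile);`. A short comment above `$stateFile` saying that the file carries the preflight verdict to the follow-up request would also help.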
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/resources/redirect.php Tue Dec 06 13:43:40 2011 -0500
@@ -0,0 +1,4 @@
+<?php
+ $url = $_GET['url'];
+ header("Location: $url");
+?>
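Review bot: `$_GET['url']` is copied into the `Location` header with no presence check and no restriction on the target, so the script is an unrestricted redirector, and it emits an empty `Location:` plus a notice when `url` is absent. That behaviour is what the cross-origin redirect tests need, but the file should say so, e.g. `// Test-only: redirects to any URL by design; never serve outside the test harness.`. A missing parameter can be rejected with `if (!isset($_GET['url'])) { header('HTTP/1.0 400 Bad Request'); exit; }`.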