Move CORS tests from webapps to webappsec.
Also make use of sys_get_temp_dir() so that the webserver can create a file
to persist data for testing preflight transactions.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORSServer.php Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,250 @@
+<?php
+
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+
+//====================================================
+// START OF TESTS
+//====================================================
+
+//Get Test ID
+$TestID = intval($_GET["TestID"]);
+
+if($TestID === 1) //1. Basic Cross-Origin Test - Allowed (*)
+{
+ addHeader("Access-Control-Allow-Origin", "*");
+ print("test");
+}
+else if ($TestID === 2) //2. Basic Cross-Origin Test - Allowed (matching origin)
+{
+ $origin = "" . $_SERVER["HTTP_ORIGIN"];
+ addHeader("Access-Control-Allow-Origin", $origin);
+ print("test");
+}
+else if ($TestID === 3) //3. Basic Cross-Origin Test - Disallowed (non-matching origin)
+{
+ addHeader("Access-Control-Allow-Origin", "http://example.com/");
+ print("test");
+}
+else if ($TestID === 4) //4. Basic Cross-Origin Test - Disallowed (Access-Control-Allow-Origin header not given)
+{
+ print("test");
+}
+else if ($TestID === 5) //5. Preflight wiith correct "Access-Control-Request-Method" sent for a Non-simple Method
+{
+ addHeader("Access-Control-Allow-Origin", "*");
+ if(isPreflight())
+ {
+ addHeader("Access-Control-Allow-Methods", "OPTIONS");
+ $requestMethod = "" . $_SERVER["HTTP_ACCESS_CONTROL_REQUEST_METHOD"];
+ $result = "fail";
+ if(strtolower($requestMethod) === "options")
+ {
+ $result = "pass";
+ }
+ writePersistantData($result);
+ }
+ else
+ {
+ $data = retrievePersistantData();
+ if($data !== null)
+ {
+ print($data);
+ }
+ else
+ {
+ print("fail");
+ }
+ }
+}
+else if ($TestID === 6) //6. Preflight Sent for a non-simple header - With correct "Access-Control-Request-Headers"
+{
+ addHeader("Access-Control-Allow-Origin", "*");
+ if(isPreflight())
+ {
+ addHeader("Access-Control-Allow-Headers", "x-test");
+ addHeader("Access-Control-Allow-Methods", "OPTIONS");
+
+ $requeestHeaders = "" . $_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"];
+ $result = "fail";
+ if(stripos($requeestHeaders, "x-test") !== false)
+ {
+ $result = "pass";
+ }
+ writePersistantData($result);
+ }
+ else
+ {
+ $data = retrievePersistantData();
+ if($data !== null)
+ {
+ print($data);
+ }
+ else
+ {
+ print("fail");
+ }
+ }
+}
+else if ($TestID === 7) //7. Author Request Headers do not appear in preflight
+{
+ addHeader("Access-Control-Allow-Origin", "*");
+ if(isPreflight())
+ {
+ addHeader("Access-Control-Allow-Headers", "x-test");
+ addHeader("Access-Control-Allow-Methods", "OPTIONS");
+
+ $result = "fail";
+ if($_SERVER["HTTP_X_TEST"] === null)
+ {
+ $result = "pass";
+ }
+ writePersistantData($result);
+ }
+ else
+ {
+ $data = retrievePersistantData();
+ if($data !== null)
+ {
+ print($data);
+ }
+ else
+ {
+ print("fail");
+ }
+ }
+}
+else if ($TestID === 8) //8. "Cookie" Header not sent if withCredentials is false
+{
+ $origin = "" . $_SERVER["HTTP_ORIGIN"];
+ addHeader("Access-Control-Allow-Origin", $origin);
+ addHeader("Access-Control-Allow-Credentials", "true");
+
+ if($_SERVER["HTTP_COOKIE"] === null)
+ {
+ print("pass");
+ }
+ else
+ {
+ print("fail");
+ }
+}
+else if ($TestID === 9) //9. Request fails if "Access-Control-Allow-Origin: *" and withCredentials is true
+{
+ addHeader("Access-Control-Allow-Origin", "*");
+ addHeader("Access-Control-Allow-Credentials", "true");
+ print("test");
+}
+else if ($TestID === 10 || $TestID === 11) //10-11. Verify simple response headers are always exposed to getResponseHeader() and getAllResponseHeaders()
+{
+ addHeader("Access-Control-Allow-Origin", "*");
+ print("test");
+}
+else if ($TestID === 12) //12. Verify non-simple Headers are only exposed if in Access-Control-Expose-Header
+{
+ addHeader("Access-Control-Allow-Origin", "*");
+ addHeader("X-FOO", "BAR");
+ addHeader("X-TEST", "TEST");
+ addHeader("Access-Control-Expose-Headers", "X-FOO");
+ print("test");
+}
+else if ($TestID === 13) //13. Verify withCredential Request fails if Access-Control-Allow-Credentials = false
+{
+ $origin = "" . $_SERVER["HTTP_ORIGIN"];
+ addHeader("Access-Control-Allow-Origin", $origin);
+ addHeader("Access-Control-Allow-Credentials", "false");
+ print("test");
+}
+else if ($TestID === 14) //14. Basic Cross-origin redirect scenario (A->B->B) Redirects to TestID=140
+{
+ $origin = "" . $_SERVER["HTTP_ORIGIN"];
+ addHeader("Access-Control-Allow-Origin", $origin);
+ header("HTTP/1.1 302 Found");
+ $newURL = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] . "?" . $_SERVER['QUERY_STRING'] . "0";
+ addHeader("Location", $newURL);
+}
+else if ($TestID === 140) // Redirect destination for test #14
+{
+ $origin = "" . $_SERVER["HTTP_ORIGIN"];
+ addHeader("Access-Control-Allow-Origin", $origin);
+ print("test");
+}
+else
+{
+ header("HTTP/1.1 404 Not Found");
+}
+
+//====================================================
+// END OF TESTS
+//====================================================
+
+
+// Sets the HTTP header with the given name and value
+function addHeader($headerName, $headerValue)
+{
+ header($headerName . ": " . $headerValue);
+}
+
+// Returns true if it is a preflight request. False if it is not.
+function isPreflight()
+{
+ //Checks for an OPTIONS request with Access-Control-Request-Method Header
+ return ($_SERVER['REQUEST_METHOD'] === "OPTIONS" && $_SERVER["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] !== null);
+}
+
+// Writes persistant data used to map preflight to the request
+function writePersistantData($data)
+{
+ $RequestID = intval($_GET["RequestID"]);
+ $tempfile = sys_get_tempdir() . "/" . "preflightData/" . $RequestID;
+
+ if($RequestID !== 0)
+ {
+ $data .= "|" . time();
+ file_put_contents($tempfile, $data);
+ }
+}
+
+/// Retrieves the persistant data and deletes it from the server. Returns null on error
+function retrievePersistantData()
+{
+ $RequestID = intval($_GET["RequestID"]);
+ $tempfile = sys_get_tempdir() . "/" . "preflightData/" . $RequestID;
+ if($RequestID !== 0 && file_exists($tempfile))
+ {
+ $data = file_get_contents($tempfile);
+ if($data == null)
+ {
+ return null;
+ }
+
+ //Delete saved data from persistant storage
+ unlink($tempfile);
+
+ //If in incorrect format, return null
+ $dataArray = explode('|', $data);
+ if(count($dataArray) != 2)
+ {
+ return null;
+ }
+
+ // If data was saved more than 5 seconds ago, it is probably not matching the correct
+ // preflight return null
+ $saveTime = intval($dataArray[1]);
+ if($saveTime === 0 || time() - $saveTime > 5)
+ {
+ return null;
+ }
+
+ return $dataArray[0];
+ }
+ else
+ {
+ return null;
+ }
+}
+?>
\ No newline at end of file
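Review bot: `sys_get_tempdir()` on the two `$tempfile` lines in writePersistantData() and retrievePersistantData() is not a PHP built-in — the function is `sys_get_temp_dir()`, as the commit message itself says — so any request to tests 5–7 dies with an undefined-function fatal error. Both functions also assume a `preflightData/` subdirectory already exists under the temp dir; nothing creates it, `file_put_contents` only warns when it is missing, and the follow-up request then reports `fail` with no hint why, so create it on first use: `$tempdir = sys_get_temp_dir() . "/preflightData";` / `if(!is_dir($tempdir)) { mkdir($tempdir, 0700, true); }` / `$tempfile = $tempdir . "/" . $RequestID;`. The `=== null` tests on `$_SERVER["HTTP_X_TEST"]`, `$_SERVER["HTTP_COOKIE"]` and in isPreflight() rely on an undefined-index notice evaluating to null; with display_errors on, the notice text is written into the body ahead of `pass` and breaks the `responseText === "pass"` assertions, so `!isset($_SERVER["HTTP_X_TEST"])` is the robust form. Test 14 builds its Location from `$_SERVER['HTTP_HOST']` and `PHP_SELF`, both request-controlled, and relies on `QUERY_STRING . "0"` turning `TestID=14` into `TestID=140`; for a test fixture that is tolerable, but an explicit `"?TestID=140"` with `$_SERVER['SCRIPT_NAME']` avoids reflecting the Host header and does not break when another query parameter is appended. Tests 2, 8, 13 and 14 reflect the request Origin unconditionally — intended here, but worth a comment such as `// Test fixture only: reflecting Origin without an allow-list is not acceptable in production code` so the file is not copied as a template.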
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORS_001.htm Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Cross-Origin XHR Test - Allowed (Access-Control-Allow-Origin: *)</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="Cross-Origin XHR Test - Allowed (Access-Control-Allow-Origin: *)" />
+ <link rel="author" title="Microsoft" href="http://www.microsoft.com/" />
+ <link rel="help" href="http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-sharing-check-0"/>
+ <script src="http://w3c-test.org/resources/testharness.js"></script>
+ <script src="http://w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="SetCORSUrls.js"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <script type="text/javascript">
+ var t = async_test("Cross-Origin XHR Test - Allowed (Access-Control-Allow-Origin: *)");
+ var xhr = new XMLHttpRequest();
+ if('withCredentials' in xhr)
+ {
+ var url = CORS_SERVER_URL + "?TestID=1"
+ xhr.open("GET", url, true);
+ xhr.onreadystatechange = function(e)
+ {
+ if (xhr.readyState == 4)
+ {
+ // The request should succeed because the 'Access-Control-Allow-Origin'
+ // response header has the value '*'
+ t.step(function(){assert_true(xhr.status === 200 && xhr.responseText === "test")});
+ t.done();
+ }
+ }
+ xhr.send();
+ }
+ else
+ {
+ t.step(function(){assert_unreached("[Cross-Origin XMLHttpRequests are not supported]")});
+ t.done();
+ }
+ </script>
+ </body>
+</html>
\ No newline at end of file
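Review bot: The `assert_true(xhr.status === 200 && xhr.responseText === "test")` in the readyState handler folds two checks into one boolean, so a failure report cannot say whether the status or the body was wrong; `assert_equals(xhr.status, 200, "status")` followed by `assert_equals(xhr.responseText, "test", "body")` puts the actual values in the harness output. The same pattern is repeated in every test page in this commit. Minor: the `var url = ...` line is missing its terminating semicolon, unlike the sibling pages.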
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORS_002.htm Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Cross-Origin XHR Test - Allowed (Access-Control-Allow-Origin: origin)</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="Cross-Origin XHR Test - Allowed (Access-Control-Allow-Origin: origin)" />
+ <link rel="author" title="Microsoft" href="http://www.microsoft.com/" />
+ <link rel="help" href="http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-sharing-check-0"/>
+ <script src="http://w3c-test.org/resources/testharness.js"></script>
+ <script src="http://w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="SetCORSUrls.js"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <script type="text/javascript">
+ var t = async_test("Cross-Origin XHR Test - Allowed (Access-Control-Allow-Origin: origin)");
+ var xhr = new XMLHttpRequest();
+ if('withCredentials' in xhr)
+ {
+ var url = CORS_SERVER_URL + "?TestID=2";
+ xhr.open("GET", url, true);
+ xhr.onreadystatechange = function(e)
+ {
+ if (xhr.readyState == 4)
+ {
+ // The request should succeed because the requesting origin matches the
+ // origin given in the 'Access-Control-Allow-Origin' response header
+ t.step(function(){assert_true(xhr.status === 200 && xhr.responseText === "test")});
+ t.done();
+ }
+ }
+ xhr.send();
+ }
+ else
+ {
+ t.step(function(){assert_unreached("[Cross-Origin XMLHttpRequests are not supported]")});
+ t.done();
+ }
+ </script>
+ </body>
+</html>
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORS_003.htm Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Cross-Origin XHR Test - Disallowed (Non-matching Access-Control-Allow-Origin)</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="Cross-Origin XHR Test - Disallowed (Non-matching Access-Control-Allow-Origin)" />
+ <link rel="author" title="Microsoft" href="http://www.microsoft.com/" />
+ <link rel="help" href="http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-sharing-check-0"/>
+ <script src="http://w3c-test.org/resources/testharness.js"></script>
+ <script src="http://w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="SetCORSUrls.js"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <script type="text/javascript">
+ var t = async_test("Cross-Origin XHR Test - Disallowed (Non-matching Access-Control-Allow-Origin)");
+ var xhr = new XMLHttpRequest();
+ if('withCredentials' in xhr)
+ {
+ var url = CORS_SERVER_URL + "?TestID=3";
+ xhr.open("GET", url, true);
+ xhr.onreadystatechange = function(e)
+ {
+ if (xhr.readyState == 4)
+ {
+ // The request should fail because the requesting origin does not match the
+ // the origin given in the 'Access-Control-Allow-Origin' response headers
+ t.step(function(){assert_true(xhr.status === 0 && xhr.responseText === "")});
+ t.done();
+ }
+ }
+ xhr.send();
+ }
+ else
+ {
+ t.step(function(){assert_unreached("[Cross-Origin XMLHttpRequests are not supported]")});
+ t.done();
+ }
+ </script>
+ </body>
+</html>
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORS_004.htm Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Cross-Origin XHR Test - Disallowed (Missing Access-Control-Allow-Origin)</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="Cross-Origin XHR Test - Disallowed (Missing Access-Control-Allow-Origin)" />
+ <link rel="author" title="Microsoft" href="http://www.microsoft.com/" />
+ <link rel="help" href="http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-sharing-check-0"/>
+ <script src="http://w3c-test.org/resources/testharness.js"></script>
+ <script src="http://w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="SetCORSUrls.js"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <script type="text/javascript">
+ var t = async_test("Cross-Origin XHR Test - Disallowed (Missing Access-Control-Allow-Origin)");
+ var xhr = new XMLHttpRequest();
+ if('withCredentials' in xhr)
+ {
+ var url = CORS_SERVER_URL + "?TestID=4";
+ xhr.open("GET", url, true);
+ xhr.onreadystatechange = function(e)
+ {
+ if (xhr.readyState == 4)
+ {
+ // The request should fail because no 'Access-Control-Allow-Origin' response
+ // header is given in the response
+ t.step(function(){assert_true(xhr.status === 0 && xhr.responseText === "")});
+ t.done();
+ }
+ }
+ xhr.send();
+ }
+ else
+ {
+ t.step(function(){assert_unreached("[Cross-Origin XMLHttpRequests are not supported]")});
+ t.done();
+ }
+ </script>
+ </body>
+</html>
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORS_005.htm Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Preflight with correct "Access-Control-Request-Method" sent for XHR requests using a Non-simple Method</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="Preflight with correct "Access-Control-Request-Method" sent for XHR requests using a Non-simple Method" />
+ <link rel="author" title="Microsoft" href="http://www.microsoft.com/" />
+ <link rel="help" href="http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request-with-preflight-0"/>
+ <script src="http://w3c-test.org/resources/testharness.js"></script>
+ <script src="http://w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="SetCORSUrls.js"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <script type="text/javascript">
+ var t = async_test("Preflight with correct 'Access-Control-Request-Method' sent for XHR requests using a Non-simple Method");
+ var xhr = new XMLHttpRequest();
+ if('withCredentials' in xhr)
+ {
+ var randID = Math.floor(Math.random() * 100000);
+ var url = CORS_SERVER_URL + "?TestID=5&RequestID=5"+randID;
+ xhr.open("OPTIONS", url, true);
+ xhr.onreadystatechange = function(e)
+ {
+ if (xhr.readyState == 4)
+ {
+ // Because a non-simple method ('OPTIONS') is being used, the user-agent
+ // should send out a preflight request. If the preflight request contains
+ // the header 'Access-Control-Request-Method: OPTIONS', the server responds
+ // back with 'pass'. Else it responds back 'fail'
+ t.step(function(){assert_true(xhr.status === 200 && xhr.responseText === "pass")});
+ t.done();
+ }
+ }
+ xhr.send();
+ }
+ else
+ {
+ t.step(function(){assert_unreached("[Cross-Origin XMLHttpRequests are not supported]")});
+ t.done();
+ }
+ </script>
+ </body>
+</html>
\ No newline at end of file
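Review bot: The page deliberately uses `OPTIONS` as the actual request method, so the server sees two OPTIONS requests and tells them apart only by the presence of `Access-Control-Request-Method` on the preflight; that is correct per spec but non-obvious, and a comment such as `// The actual request is also OPTIONS; the server distinguishes the preflight by its Access-Control-Request-Method header` next to `xhr.open` would save the next reader a trip to CORSServer.php. The random `RequestID` appears to serve two purposes — keying the server-side file and making the URL unique so a cached preflight from an earlier run is not reused — and the second is worth stating in a comment, since `Math.random() * 100000` looks arbitrary otherwise. If a collision with a stale file from a previous run is a concern, `Date.now()` combined with the random part would make the key unique across reruns.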
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORS_006.htm Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Preflight with correct "Access-Control-Request-Headers" sent for XHR requests using a Non-simple Header</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="Preflight with correct "Access-Control-Request-Headers" sent for XHR requests using a Non-simple Header" />
+ <link rel="author" title="Microsoft" href="http://www.microsoft.com/" />
+ <link rel="help" href="http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request-with-preflight-0"/>
+ <script src="http://w3c-test.org/resources/testharness.js"></script>
+ <script src="http://w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="SetCORSUrls.js"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <script type="text/javascript">
+ var t = async_test("Preflight with correct 'Access-Control-Request-Headers' sent for XHR requests using a Non-simple Header");
+ var xhr = new XMLHttpRequest();
+ if('withCredentials' in xhr)
+ {
+ var randID = Math.floor(Math.random() * 100000);
+ var url = CORS_SERVER_URL + "?TestID=6&RequestID=6"+randID;
+ xhr.open("GET", url, true);
+ xhr.setRequestHeader('X-TEST','value');
+ xhr.onreadystatechange = function(e)
+ {
+ if (xhr.readyState == 4)
+ {
+ // Because a non-simple header ('X-TEST') is being used, the user-agent
+ // should send out a preflight request. If the preflight request contains
+ // the header 'Access-Control-Request-Headers: x-test', the server responds
+ // back with 'pass'. Else it responds back 'fail'
+ t.step(function(){assert_true(xhr.status === 200 && xhr.responseText === "pass")});
+ t.done();
+ }
+ }
+ xhr.send();
+ }
+ else
+ {
+ t.step(function(){assert_unreached("[Cross-Origin XMLHttpRequests are not supported]")});
+ t.done();
+ }
+ </script>
+ </body>
+</html>
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORS_007.htm Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Author Request Headers do not appear in a preflight for XHR requests</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="Verify Author Request Headers do not appear in a preflight for XHR requests" />
+ <link rel="author" title="Microsoft" href="http://www.microsoft.com/" />
+ <link rel="help" href="http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request-with-preflight-0"/>
+ <script src="http://w3c-test.org/resources/testharness.js"></script>
+ <script src="http://w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="SetCORSUrls.js"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <script type="text/javascript">
+ var t = async_test("Author Request Headers do not appear in a preflight for XHR requests");
+ var xhr = new XMLHttpRequest();
+ if('withCredentials' in xhr)
+ {
+ var randID = Math.floor(Math.random() * 100000);
+ var url = CORS_SERVER_URL + "?TestID=7&RequestID=7"+randID;
+ xhr.open("GET", url, true);
+ xhr.setRequestHeader('X-TEST','value');
+ xhr.onreadystatechange = function(e)
+ {
+ if (xhr.readyState == 4)
+ {
+ // Because a non-simple author request header ('X-TEST') is being used, the
+ // user-agent should send out a preflight request.
+ // If the preflight request contains the header 'x-test',
+ // the server responds back with 'fail'. Else it responds back 'pass'
+ t.step(function(){assert_true(xhr.status === 200 && xhr.responseText === "pass")});
+ t.done();
+ }
+ }
+ xhr.send();
+ }
+ else
+ {
+ t.step(function(){assert_unreached("[Cross-Origin XMLHttpRequests are not supported]")});
+ t.done();
+ }
+ </script>
+ </body>
+</html>
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORS_008.htm Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Cookie Header is not sent if withCredentials is false for XHR requests</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="Cookie Header is not sent if withCredentials is false for XHR requests" />
+ <link rel="author" title="Microsoft" href="http://www.microsoft.com/" />
+ <link rel="help" href="http://dev.w3.org/2006/webapi/XMLHttpRequest-2/#the-withcredentials-attribute"/>
+ <script src="http://w3c-test.org/resources/testharness.js"></script>
+ <script src="http://w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="SetCORSUrls.js"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <script type="text/javascript">
+ // Create an IFRAME to set a cookie for Cross-Origin server domain
+ var cookieFrame = document.createElement("iframe");
+ cookieFrame.style.display = "none";
+ cookieFrame.onload = RunTest;
+ cookieFrame.src = CORS_SET_COOKIE_URL;
+ document.body.appendChild(cookieFrame);
+
+ var t = async_test("Cookie Header is not sent if withCredentials is false for XHR requests");
+ function RunTest()
+ {
+ var xhr = new XMLHttpRequest();
+ if('withCredentials' in xhr)
+ {
+ var url = CORS_SERVER_URL + "?TestID=8"
+ xhr.open("GET", url, true);
+ xhr.withCredentials = false;
+ xhr.onreadystatechange = function(e)
+ {
+ if (xhr.readyState == 4)
+ {
+ // Because withCredentials is set to false, credentials should not be
+ // included in the request.
+ // If the 'cookie' header is present in the HTTP request headers
+ // the server responds back with 'fail'. Else it responds back 'pass'
+ t.step(function(){assert_true(xhr.status === 200 && xhr.responseText === "pass")});
+ t.done();
+ }
+ }
+ }
+ else
+ {
+ t.step(function(){assert_unreached("[Cross-Origin XMLHttpRequests are not supported]")});
+ t.done();
+ }
+ xhr.send();
+ }
+ </script>
+ </body>
+</html>
\ No newline at end of file
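Review bot: `xhr.send()` on the last line of RunTest() sits outside the `if('withCredentials' in xhr)` block, so in the else branch it is called on an XHR that was never opened and throws an InvalidStateError after the harness has already been told the test is done; move it inside the `if`, as the sibling pages do. The test can also pass vacuously: the cookie is set by a cross-origin iframe, i.e. as a third-party cookie, and a browser that blocks third-party cookies never sends it regardless of `withCredentials`, so `pass` does not prove the flag was honoured. A preliminary request with `withCredentials = true` expecting the cookie to arrive would make the result meaningful, or at least a comment `// If third-party cookies are blocked this test passes without exercising withCredentials` should record the limitation. Note too that `t` is assigned after the iframe is appended; it works because onload fires asynchronously, but declaring `t` before the iframe setup would make the dependency explicit.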
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORS_009.htm Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>XHR Requests fail if "Access-Control-Allow-Origin: *" and withCredentials is true</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="XHR Requests fail if "Access-Control-Allow-Origin: *" and withCredentials is true" />
+ <link rel="author" title="Microsoft" href="http://www.microsoft.com/" />
+ <link rel="help" href="http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-requests"/>
+ <script src="http://w3c-test.org/resources/testharness.js"></script>
+ <script src="http://w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="SetCORSUrls.js"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <script type="text/javascript">
+ var t = async_test("XHR Requests fail if 'Access-Control-Allow-Origin: *' and withCredentials is true");
+ var xhr = new XMLHttpRequest();
+ if('withCredentials' in xhr)
+ {
+ var url = CORS_SERVER_URL + "?TestID=9"
+ xhr.open("GET", url, true);
+ xhr.withCredentials = true;
+ xhr.onreadystatechange = function(e)
+ {
+ if (xhr.readyState == 4)
+ {
+ // Server responds back with the header 'Access-Control-Allow-Origin: *'
+ // The request should fail because the string "*" cannot be used for a
+ // resource that supports credentials.
+ t.step(function(){assert_true(xhr.status === 0 && xhr.responseText === "")});
+ t.done();
+ }
+ }
+ xhr.send();
+ }
+ else
+ {
+ t.step(function(){assert_unreached("[Cross-Origin XMLHttpRequests are not supported]")});
+ t.done();
+ }
+ </script>
+ </body>
+</html>
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORS_010.htm Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Verify simple response headers are exposed to getResponseHeader() for XHR requests</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="Verify simple response headers are always exposed to getResponseHeader() for XHR requests" />
+ <link rel="author" title="Microsoft" href="http://www.microsoft.com/" />
+ <link rel="help" href="http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#handling-a-response-to-a-cross-origin-request"/>
+ <script src="http://w3c-test.org/resources/testharness.js"></script>
+ <script src="http://w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="SetCORSUrls.js"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <script type="text/javascript">
+ var t = async_test("Verify simple response headers are exposed to getResponseHeader() for XHR requests");
+ var xhr = new XMLHttpRequest();
+ if('withCredentials' in xhr)
+ {
+ var url = CORS_SERVER_URL + "?TestID=10"
+ xhr.open("GET", url, true);
+ xhr.onreadystatechange = function(e)
+ {
+ if (xhr.readyState == 4)
+ {
+ // 'Content-type' is a simple response header and should always be exposed
+ // via getResponseHeader()
+ t.step(function(){assert_true(xhr.getResponseHeader("content-type") !== null)});
+ t.done();
+ }
+ }
+ xhr.send();
+ }
+ else
+ {
+ t.step(function(){assert_unreached("[Cross-Origin XMLHttpRequests are not supported]")});
+ t.done();
+ }
+ </script>
+ </body>
+</html>
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORS_011.htm Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Verify simple response headers are exposed to getAllResponseHeaders() for XHR requests</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="Verify simple response headers are always exposed to getAllResponseHeaders() for XHR requests" />
+ <link rel="author" title="Microsoft" href="http://www.microsoft.com/" />
+ <link rel="help" href="http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#handling-a-response-to-a-cross-origin-request"/>
+ <script src="http://w3c-test.org/resources/testharness.js"></script>
+ <script src="http://w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="SetCORSUrls.js"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <script type="text/javascript">
+ var t = async_test("Verify simple response headers are exposed to getAllResponseHeaders() for XHR requests");
+ var xhr = new XMLHttpRequest();
+ if('withCredentials' in xhr)
+ {
+ var url = CORS_SERVER_URL + "?TestID=11"
+ xhr.open("GET", url, true);
+ xhr.onreadystatechange = function(e)
+ {
+ if (xhr.readyState == 4)
+ {
+ // 'Content-type' is a simple response header and should always be exposed
+ // via getAllResponseHeaders()
+ t.step(function(){assert_true(xhr.getAllResponseHeaders().toLowerCase().indexOf('content-type') !== -1)});
+ t.done();
+ }
+ }
+ xhr.send();
+ }
+ else
+ {
+ t.step(function(){assert_unreached("[Cross-Origin XMLHttpRequests are not supported]")});
+ t.done();
+ }
+ </script>
+ </body>
+</html>
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORS_012.htm Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Verify non-simple Headers are only exposed if in Access-Control-Expose-Header for XHR requests</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="Verify non-simple Headers are only exposed if in Access-Control-Expose-Header for XHR requests" />
+ <link rel="author" title="Microsoft" href="http://www.microsoft.com/" />
+ <link rel="help" href="http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#handling-a-response-to-a-cross-origin-request"/>
+ <script src="http://w3c-test.org/resources/testharness.js"></script>
+ <script src="http://w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="SetCORSUrls.js"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <script type="text/javascript">
+ var t = async_test("Verify non-simple Headers are only exposed if in Access-Control-Expose-Header for XHR requests");
+ var xhr = new XMLHttpRequest();
+ if('withCredentials' in xhr)
+ {
+ var url = CORS_SERVER_URL + "?TestID=12"
+ xhr.open("GET", url, true);
+ xhr.onreadystatechange = function(e)
+ {
+ if (xhr.readyState == 4)
+ {
+ // The server responds back with two custom headers 'X-FOO' and 'X-TEST'
+ // It also responds with the header 'Access-Control-Expose-Header: X-FOO'
+ // 'X-FOO' should be exposed to getResponseHeader(), but not 'X-TEST'
+ t.step(function(){assert_true(xhr.getResponseHeader("X-FOO") !== null, "['X-FOO' should have been exposed]")});
+ t.step(function(){assert_true(xhr.getResponseHeader("X-TEST") === null, "['X-TEST' should not have been exposed]")});
+ t.done();
+ }
+ }
+ xhr.send();
+ }
+ else
+ {
+ t.step(function(){assert_unreached("[Cross-Origin XMLHttpRequests are not supported]")});
+ t.done();
+ }
+ </script>
+ </body>
+</html>
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORS_013.htm Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Verify a withCredential XHR Request fails if Access-Control-Allow-Credentials = false</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="Verify a withCredential XHR Request fails if Access-Control-Allow-Credentials = false" />
+ <link rel="author" title="Microsoft" href="http://www.microsoft.com/" />
+ <link rel="help" href="http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-sharing-check-0"/>
+ <script src="http://w3c-test.org/resources/testharness.js"></script>
+ <script src="http://w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="SetCORSUrls.js"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <script type="text/javascript">
+ var t = async_test("Verify a withCredential XHR Request fails if Access-Control-Allow-Credentials = false");
+ var xhr = new XMLHttpRequest();
+ if('withCredentials' in xhr)
+ {
+ var url = CORS_SERVER_URL + "?TestID=13"
+ xhr.open("GET", url, true);
+ xhr.withCredentials = true;
+ xhr.onreadystatechange = function(e)
+ {
+ if (xhr.readyState == 4)
+ {
+ // The server responds back with the header 'Access-Control-Allow-Credentials: false'
+ // Because the credentials flag is true and the Access-Control-Allow-Credentials
+ // header value is not a case-sensitive match for "true", the request should fail
+ t.step(function(){assert_true(xhr.status === 0 && xhr.responseText === "")});
+ t.done();
+ }
+ }
+ xhr.send();
+ }
+ else
+ {
+ t.step(function(){assert_unreached("[Cross-Origin XMLHttpRequests are not supported]")});
+ t.done();
+ }
+ </script>
+ </body>
+</html>
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/CORS_014.htm Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Cross-origin XHR Redirect scenario</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="Cross-origin XHR Redirect scenario" />
+ <link rel="author" title="Microsoft" href="http://www.microsoft.com/" />
+ <link rel="help" href="http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#redirect-steps"/>
+ <script src="http://w3c-test.org/resources/testharness.js"></script>
+ <script src="http://w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="SetCORSUrls.js"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <script type="text/javascript">
+ var t = async_test("Cross-origin XHR Redirect scenario");
+ var xhr = new XMLHttpRequest();
+ if('withCredentials' in xhr)
+ {
+ var url = CORS_SERVER_URL + "?TestID=14";
+ xhr.open("GET", url, true);
+ xhr.onreadystatechange = function(e)
+ {
+ if (xhr.readyState == 4)
+ {
+ // The server performs a 302 redirect to CORS_SERVER_URL + "?TestID=140"
+ // Both the initial request and the redirected request contain the proper
+ // "Access-Control-Allow-Origin: origin" headers, so the request should succeed
+ t.step(function(){assert_true(xhr.status === 200 && xhr.responseText === "test")});
+ t.done();
+ }
+ }
+ xhr.send();
+ }
+ else
+ {
+ t.step(function(){assert_unreached("[Cross-Origin XMLHttpRequests are not supported]")});
+ t.done();
+ }
+ </script>
+ </body>
+</html>
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/SetCORSUrls.js Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,3 @@
+var CORS_BASE = "http://www1.w3c-test.org/webapps/CORS/tests/submissions/Microsoft/";
+var CORS_SERVER_URL = CORS_BASE + "CORSServer.php";
+var CORS_SET_COOKIE_URL = CORS_BASE + "SetCookie.php";
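Review bot: `CORS_BASE` still points at `.../webapps/CORS/tests/submissions/Microsoft/` while this commit moves the files to `tests/cors/submitted/Microsoft`, so if the deployed server mirrors the repository layout the XHR targets will 404 with no `Access-Control-Allow-Origin` header, and tests 3, 4, 9 and 13 — which expect `status === 0` — would then pass for the wrong reason while the rest fail. Please confirm the served path matches the new tree. The host must also stay on a different origin from the one serving the .htm pages — `www1.w3c-test.org` versus `w3c-test.org` appears to be that arrangement — and a one-line comment `// Must be a different origin from the host serving the .htm pages, otherwise the requests are same-origin and CORS is never exercised` would make the constraint explicit.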
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/Microsoft/SetCookie.php Thu May 03 13:39:49 2012 -0700
@@ -0,0 +1,14 @@
+<?php
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+
+//Set Cookie
+header("Access-Control-Allow-Origin: *");
+header("Set-Cookie: cookieName=cookieValue");
+
+print("'Set-Cookie: cookieName=cookieValue' Sent in HTTP Response Header");
+?>
\ No newline at end of file