Working in my own submission directory to test null byte issues in headers, and updated VM instructions.
authorbhill2
Thu, 02 May 2013 14:32:56 -0700
changeset 97 bde3a983e837
parent 96 a801916fe189 (current diff)
parent 91 0750a5c11480 (diff)
child 98 6ffe8d24ce82
Working in my own submission directory to test null byte issues in headers, and updated VM instructions.
vm/index.html
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/bhill2/origin-null.htm	Thu May 02 14:32:56 2013 -0700
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Access-Control-Allow-Origin handling</title>
+<meta name=help href=http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-sharing-check>
+<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=support.js></script>
+
+<h1>Access-Control-Allow-Origin handling</h1>
+
+<div id=log></div>
+
+<script>
+
+/*
+ * Origin header
+ */
+function shouldFail(origin) {
+    test(function () {
+        var client = new XMLHttpRequest()
+        client.open('GET', CROSSDOMAIN
+                            + '../opera/staging/resources/cors-makeheader.php?origin='
+                            + encodeURIComponent(origin),
+                    false)
+        assert_throws(null, function() { client.send() }, 'send')
+    }, 'Disallow origin: ' + origin.replace(/\0/g, "\\0"));
+}
+
+shouldFail(location.protocol + "//" + location.host + "\0")
+</script>
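Review bot: `assert_throws(null, function() { client.send() }, 'send')` in `shouldFail` accepts any exception, so this test passes whenever the request fails for any reason, not only when the user agent refuses to match an `Access-Control-Allow-Origin` value that ends in a NUL byte. If the server side drops or rejects a header containing `\0` (this page does not show what the PHP runtime does), the response has no allow-origin header and the test passes without exercising the browser's comparison. A control case through the same URL with the exact origin would let a failure be attributed to the NUL byte; a sketch follows. Note also that the URL targets `../opera/staging/resources/cors-makeheader.php`, not the `resources/cors-makeheader.php` copy added in this changeset, so the local copy appears unused by this test.

```html
// … unchanged: shouldFail(origin) …

// Control: the same endpoint with the exact origin must succeed, so a
// failure in shouldFail() can be attributed to the trailing NUL byte.
function shouldPass(origin) {
    test(function () {
        var client = new XMLHttpRequest()
        client.open('GET', CROSSDOMAIN
                            + '../opera/staging/resources/cors-makeheader.php?origin='
                            + encodeURIComponent(origin),
                    false)
        client.send()
        assert_equals(client.status, 200, 'status')
    }, 'Allow origin: ' + origin);
}

shouldPass(location.protocol + "//" + location.host)
```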
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/bhill2/resources/cors-makeheader.php	Thu May 02 14:32:56 2013 -0700
@@ -0,0 +1,52 @@
+<?php
+
+$origin = isset($_GET['origin']) ? $_GET['origin'] : $_SERVER['HTTP_ORIGIN'];
+
+if ($origin != 'none')
+    header("Access-Control-Allow-Origin: $origin");
+if (isset($_GET['origin2']))
+    header("Access-Control-Allow-Origin: {$_GET['origin2']}", false);
+
+/* Preflight */
+if (isset($_GET['headers']))
+    header("Access-Control-Allow-Headers: {$_GET['headers']}");
+if (isset($_GET['credentials']))
+    header("Access-Control-Allow-Credentials: {$_GET['credentials']}");
+if (isset($_GET['methods']))
+    header("Access-Control-Allow-Methods: {$_GET['methods']}");
+
+$code = isset($_GET['code']) ? intval($_GET['code']) : null;
+if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS' and isset($_GET['preflight']))
+    $code = intval($_GET['preflight']);
+
+if (isset($_GET['location']))
+{
+    if ($code === null)
+    	$code = 302;
+
+    if ($code < 400 and $code > 299)
+    {
+        header("Location: {$_GET['location']}", true, $code);
+        die("Redirecting");
+    }
+}
+
+foreach ($_SERVER as $name => $value)
+{
+    if (substr($name, 0, 5) == 'HTTP_')
+    {
+        $name = strtolower(str_replace('_', '-', substr($name, 5)));
+        $headers[$name] = $value;
+    } else if ($name == "CONTENT_TYPE") {
+        $headers["content-type"] = $value;
+    } else if ($name == "CONTENT_LENGTH") {
+        $headers["content-length"] = $value;
+    }
+}
+
+$headers['get_value'] = isset($_GET['get_value']) ? $_GET['get_value'] : '';
+
+if ($code)
+    header("HTTP/1.1 {$code} StatusText");
+
+echo json_encode( $headers );
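Review bot: This script sets `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` from the query string and then echoes every `HTTP_*` request header in the JSON body, so any cookie or authorization header a browser sends to this host becomes readable cross-origin. That is presumably intended for a test helper, but nothing in the file says so; a header comment such as `/* Test-only helper: reflects caller-chosen CORS and Location headers and echoes all request headers. Deploy only on a dedicated test origin that holds no real sessions or credentials. */` would make the deployment constraint explicit. The `Location: {$_GET['location']}` branch has the same property and is covered by the same comment. Separately, `$_SERVER['HTTP_ORIGIN']` on the first statement is read without `isset`, so a request with neither `?origin=` nor an Origin header raises a notice and sends an empty allow-origin value; `isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : 'none'` would avoid that.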
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/bhill2/support.js	Thu May 02 14:32:56 2013 -0700
@@ -0,0 +1,29 @@
+// For ignoring exception names (just for testing)
+/*
+_real_assert_throws = assert_throws;
+function assert_throws(d, func, desc) {
+    try {
+        func();
+    } catch(e) {
+        return true;
+    }
+    assert_unreached("Didn't throw!");
+}
+*/
+
+function dirname(path) {
+    return path.replace(/\/[^\/]*$/, '/')
+}
+
+/* This subdomain should point to this same location */
+var SUBDOMAIN = 'www1'
+var SUBDOMAIN2 = 'www2'
+var PORT = "81"
+var PORTS = "83" // w3c actually has no "alternate" https port
+
+/* Changes http://example.com/abc/def/cool.htm to http://www1.example.com/abc/def/ */
+var CROSSDOMAIN     = dirname(location.href)
+                        .replace('://', '://' + SUBDOMAIN + '.')
+var REMOTE_HOST     = SUBDOMAIN + "." + location.host
+var REMOTE_PROTOCOL = location.protocol
+var REMOTE_ORIGIN   = REMOTE_PROTOCOL + "//" + REMOTE_HOST
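Review bot: `CROSSDOMAIN` is computed from `dirname(location.href)`, and `location.href` includes the query string and fragment, so a test page loaded with a `/` anywhere after the `?` or `#` gets a directory that still contains part of the query, and every cross-origin request built on it goes to the wrong path. Deriving it from the path alone avoids this: `var CROSSDOMAIN = dirname(location.protocol + '//' + location.host + location.pathname).replace('://', '://' + SUBDOMAIN + '.')`. The commented-out `assert_throws` override at the top of the file is dead code; either drop it or add a line saying when it is meant to be enabled, since turning it on would make every throw-based test in the directory accept any exception.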