--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/bhill2/redir-test.php Wed Feb 01 16:40:44 2012 -0800
@@ -0,0 +1,66 @@
+<?php
+
+//TODO: make CORS request to redir-to-get-origin.php
+//read returned value for origin after following redirect
+//compare to "www.w3c-test.org" and fail if true
+//should be: "null" or "www.w3c-test.org www2.w3c-test.org"
+
+$this_script_path = $_SERVER[SCRIPT_NAME];
+
+$next_script_path = ereg_replace('redir-test','support/redir-to-get-origin', $this_script_path);
+$get_origin_path = ereg_replace('redir-test', 'support/get-origin', $this_script_path);
+
+$get_origin = "http://www2.w3c-test.org$get_origin_path";
+$next_script = "http://www.w3c-test.org$next_script_path"."?url=". urlencode($get_origin);
+
+?>
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>CORS Test: Origin Header reflection vulnerability test</title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta descriptionn="Cross Origin Resource Sharing Test: Origin Header reflection" />
+ <link rel="author" title="bhill@paypal-inc.com" />
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+<body>
+ <div id="log"></div>
+
+
+ <script>
+ // first test that we are sending origin headers!
+ var req = new XMLHttpRequest();
+ req.open("GET", "<?php echo "$get_origin"; ?>", false);
+ try {
+ req.send();
+ test(function() {assert_equals(req.responseText, "http://www.w3c-test.org")}, "Verify that Origin header is being set.");
+ //alert(req.responseText);
+ } catch(ex) {
+ test(function() {assert_true(false)}, "Exception testing Origin header is set.");
+ }
+
+
+ // second text exercises a cross-origin redirect
+ var req2 = new XMLHttpRequest();
+ req2.onreadystatechange = function() {
+ if(this.readyState = this.DONE) {
+ test(function() {assert_not_equals("http://www.w3c-test.org", req2.responseText)}, "Verify that Origin header is modified by redirect.");
+ }
+ };
+
+ // bugs in webkit require async when following redirects
+ req2.open("GET", "<?php echo "$next_script"; ?>", true);
+
+ try {
+ req2.send();
+ } catch(ex) {
+ alert(ex);
+ test(function() {assert_true(false)}, "Exception testing Origin header modification on redirect.");
+ }
+
+ </script>
+
+
+</body>
+</html>
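Review bot: The readiness check in the `req2.onreadystatechange` handler uses a single `=` — `if(this.readyState = this.DONE)` assigns DONE (4) and is always truthy, so the assertion runs on every state transition, including early ones where `responseText` is still empty and `assert_not_equals` passes vacuously; it should read `if (this.readyState === this.DONE) {`. Separately, `$_SERVER[SCRIPT_NAME]` at the top relies on an undefined bare constant degrading to a string (a notice on older PHP, a fatal error on PHP 8); write `$_SERVER['SCRIPT_NAME']`, and the two `ereg_replace` calls are deprecated/removed and can be `str_replace('redir-test', 'support/redir-to-get-origin', $this_script_path)`. The computed URLs are echoed into JavaScript string literals unescaped at the `req.open` and `req2.open` lines; since they derive from the request path, emitting them via `json_encode($get_origin)` keeps the script well-formed whatever the path contains.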
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/bhill2/support/get-origin.php Wed Feb 01 16:40:44 2012 -0800
@@ -0,0 +1,10 @@
+<?php
+ header("Access-control-allow-headers: X-Requested-With");
+ header("Access-control-max-age: 0");
+ header("Access-control-allow-origin: *");
+ header("Access-control-allow-methods: *");
+ header("Vary: Accept-Encoding");
+ header("Content-Type: text/plain");
+
+ print $_SERVER['HTTP_ORIGIN'];
+?>
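Review bot: `print $_SERVER['HTTP_ORIGIN'];` reads the index unconditionally, so a request that carries no Origin header (a direct navigation, or a same-origin fetch in some browsers) emits an undefined-index notice into the text/plain body, and the caller's exact `assert_equals` against the origin then fails for the wrong reason. `print isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : 'null';` keeps the body to a single deterministic token, which matches the "null" case the parent test's TODO comment expects. The `Access-control-allow-methods: *` wildcard is presumably not honoured by the user agents this test targets; listing `GET` explicitly is the portable choice, if the header is needed at all for a simple GET.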
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/bhill2/support/redir-to-get-origin.php Wed Feb 01 16:40:44 2012 -0800
@@ -0,0 +1,9 @@
+<?php
+$url = $_GET['url'];
+header("Access-control-max-age: 0");
+header("Access-control-allow-origin: http://www.w3c-test.org");
+header("Access-control-allow-credentials: true");
+header("Access-control-allow-methods: *");
+header("Access-control-expose-headers: Location");
+header("Location: $url");
+?>
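Review bot: `$_GET['url']` flows unvalidated into `header("Location: $url")`, which makes this helper an open redirector to any host as long as the script is reachable; even in a test-support file the destination should be bounded to the two test hosts, e.g. `if (!isset($_GET['url']) || !preg_match('#^https?://www2?\.w3c-test\.org/#', $_GET['url'])) { header('HTTP/1.0 400 Bad Request'); exit; }` before the CORS headers, which also avoids sending an empty `Location:` when the parameter is missing. PHP's `header()` refuses values containing newlines, so header injection through the parameter is not the concern here — the redirect target is. Adding `exit;` after the `Location` header would also make the intent explicit that no body follows.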