Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-12-03 10:33:33 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1210413 P2 Test CORS credentials on cross-origin redirects. r=sicking a=dveditz

Browse Source
This commit is contained in:
Ben Kelly 2015-10-07 14:33:31 -07:00
parent 53f9c75469
commit d803731730
2 changed files with 114 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
dom/security/test/cors/file_CrossSiteXHR_server.sjs
View File

@ -21,6 +21,22 @@ function handleRequest(request, response)
var body = decodeURIComponent(
escape(String.fromCharCode.apply(null, bodyBytes)));
if (query.hop) {
query.hop = parseInt(query.hop, 10);
hops = eval(query.hops);
var curHop = hops[query.hop - 1];
query.allowOrigin = curHop.allowOrigin;
query.allowHeaders = curHop.allowHeaders;
query.allowCred = curHop.allowCred;
if (curHop.setCookie) {
query.setCookie = unescape(curHop.setCookie);
}
if (curHop.cookie) {
query.cookie = unescape(curHop.cookie);
}
query.noCookie = curHop.noCookie;
}
// Check that request was correct
if (!isPreflight && query.body && body != query.body) {
@ -86,7 +102,7 @@ function handleRequest(request, response)
});
}
if ("noCookie" in query && request.hasHeader("Cookie")) {
if (query.noCookie && request.hasHeader("Cookie")) {
sendHttp500(response,
"Got cookies when didn't expect to: " + request.getHeader("Cookie"));
return;
@ -94,13 +110,6 @@ function handleRequest(request, response)
// Send response
if (query.hop) {
query.hop = parseInt(query.hop, 10);
hops = eval(query.hops);
query.allowOrigin = hops[query.hop-1].allowOrigin;
query.allowHeaders = hops[query.hop-1].allowHeaders;
}
if (!isPreflight && query.status) {
response.setStatusLine(null, query.status, query.statusMessage);
}
@ -139,7 +148,7 @@ function handleRequest(request, response)
if (query.hop && query.hop < hops.length) {
newURL = hops[query.hop].server +
"/tests/dom/security/test/cors/file_CrossSiteXHR_server.sjs?" +
"hop=" + (query.hop + 1) + "&hops=" + query.hops;
"hop=" + (query.hop + 1) + "&hops=" + escape(query.hops);
response.setStatusLine(null, 307, "redirect");
response.setHeader("Location", newURL);

96
dom/security/test/cors/test_CrossSiteXHR.html
View File

@ -1140,6 +1140,101 @@ function runTest() {
},
],
},
// test redirects with different credentials settings
{
// Initialize by setting a cookies for same- and cross- origins.
pass: 1,
method: "GET",
hops: [{ server: origin,
setCookie: escape("a=1"),
},
{ server: "http://example.com",
allowOrigin: origin,
allowCred: 1,
setCookie: escape("a=2"),
},
],
withCred: 1,
},
{ pass: 1,
method: "GET",
hops: [{ server: origin,
cookie: escape("a=1"),
},
{ server: origin,
cookie: escape("a=1"),
},
{ server: "http://example.com",
allowOrigin: origin,
noCookie: 1,
},
],
withCred: 0,
},
{ pass: 1,
method: "GET",
hops: [{ server: origin,
cookie: escape("a=1"),
},
{ server: origin,
cookie: escape("a=1"),
},
{ server: "http://example.com",
allowOrigin: origin,
allowCred: 1,
cookie: escape("a=2"),
},
],
withCred: 1,
},
// expected fail because allow-credentials CORS header is not set
{ pass: 0,
method: "GET",
hops: [{ server: origin,
cookie: escape("a=1"),
},
{ server: origin,
cookie: escape("a=1"),
},
{ server: "http://example.com",
allowOrigin: origin,
cookie: escape("a=2"),
},
],
withCred: 1,
},
{ pass: 1,
method: "GET",
hops: [{ server: origin,
cookie: escape("a=1"),
},
{ server: origin,
cookie: escape("a=1"),
},
{ server: "http://example.com",
allowOrigin: '*',
noCookie: 1,
},
],
withCred: 0,
},
{ pass: 0,
method: "GET",
hops: [{ server: origin,
cookie: escape("a=1"),
},
{ server: origin,
cookie: escape("a=1"),
},
{ server: "http://example.com",
allowOrigin: '*',
allowCred: 1,
cookie: escape("a=2"),
},
],
withCred: 1,
},
];
if (!runRedirectTests) {
@ -1153,6 +1248,7 @@ function runTest() {
method: test.method,
headers: test.headers,
body: test.body,
withCred: test.withCred,
};
if (test.pass) {