From d8037317309c11ca7fe00be486215096103b074f Mon Sep 17 00:00:00 2001
From: Ben Kelly
Date: Wed, 7 Oct 2015 14:33:31 -0700
Subject: [PATCH] Bug 1210413 P2 Test CORS credentials on cross-origin redirects. r=sicking a=dveditz
---
 .../test/cors/file_CrossSiteXHR_server.sjs | 27 ++++--
 dom/security/test/cors/test_CrossSiteXHR.html | 96 +++++++++++++++++++
 2 files changed, 114 insertions(+), 9 deletions(-)
diff --git a/dom/security/test/cors/file_CrossSiteXHR_server.sjs b/dom/security/test/cors/file_CrossSiteXHR_server.sjs
index a2b7cafb3355..cdd67a9678ad 100644
--- a/dom/security/test/cors/file_CrossSiteXHR_server.sjs
+++ b/dom/security/test/cors/file_CrossSiteXHR_server.sjs
@@ -21,6 +21,22 @@ function handleRequest(request, response)
 var body = decodeURIComponent(
 escape(String.fromCharCode.apply(null, bodyBytes)));
+ if (query.hop) {
+ query.hop = parseInt(query.hop, 10);
+ hops = eval(query.hops);
+ var curHop = hops[query.hop - 1];
+ query.allowOrigin = curHop.allowOrigin;
+ query.allowHeaders = curHop.allowHeaders;
+ query.allowCred = curHop.allowCred;
+ if (curHop.setCookie) {
+ query.setCookie = unescape(curHop.setCookie);
+ }
+ if (curHop.cookie) {
+ query.cookie = unescape(curHop.cookie);
+ }
+ query.noCookie = curHop.noCookie;
+ }
+
 // Check that request was correct
 if (!isPreflight && query.body && body != query.body) {
@@ -86,7 +102,7 @@ function handleRequest(request, response)
 });
 }
- if ("noCookie" in query && request.hasHeader("Cookie")) {
+ if (query.noCookie && request.hasHeader("Cookie")) {
 sendHttp500(response, "Got cookies when didn't expect to: " +
 request.getHeader("Cookie"));
 return;
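Review bot: `hops = eval(query.hops);` still turns a request query parameter into code, and the commit only moves the line up from the response section into the new `if (query.hop)` block rather than replacing it. If the test page serializes `test.hops` as JSON, `JSON.parse(query.hops)` is a drop-in; if it relies on a non-JSON serializer such as `toSource()`, that is worth a comment next to the line, e.g. `// hops arrives serialized by the test page in a form JSON.parse does not accept`. Separately, `hops` is assigned without `var`, so unless it is declared at file scope outside this hunk it becomes an implicit global of the sjs sandbox that appears to persist between requests; `var hops = eval(query.hops);` keeps it function-scoped and still reachable by the `hops.length` check later in handleRequest. handleRequest starts before and continues after both hunks.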
@@ -94,13 +110,6 @@ function handleRequest(request, response)
 // Send response
- if (query.hop) {
- query.hop = parseInt(query.hop, 10);
- hops = eval(query.hops);
- query.allowOrigin = hops[query.hop-1].allowOrigin;
- query.allowHeaders = hops[query.hop-1].allowHeaders;
- }
-
 if (!isPreflight && query.status) {
 response.setStatusLine(null, query.status, query.statusMessage);
 }
@@ -139,7 +148,7 @@ function handleRequest(request, response)
 if (query.hop && query.hop < hops.length) {
 newURL = hops[query.hop].server +
 "/tests/dom/security/test/cors/file_CrossSiteXHR_server.sjs?" +
- "hop=" + (query.hop + 1) + "&hops=" + query.hops;
+ "hop=" + (query.hop + 1) + "&hops=" + escape(query.hops);
 response.setStatusLine(null, 307, "redirect");
 response.setHeader("Location", newURL);
diff --git a/dom/security/test/cors/test_CrossSiteXHR.html b/dom/security/test/cors/test_CrossSiteXHR.html
index 9110c3807504..cc202f108661 100644
--- a/dom/security/test/cors/test_CrossSiteXHR.html
+++ b/dom/security/test/cors/test_CrossSiteXHR.html
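Review bot: The new `escape(query.hops)` on the Location line fixes the round-trip of the serialized hops array, but `escape` is the legacy Annex B encoder and leaves `+`, `/` and `@` untouched, so a `+` inside the serialized value would be read back as a space by any query parser that treats `+` that way on the next hop. `encodeURIComponent(query.hops)` covers the full reserved set and pairs with the `decodeURIComponent` this file already uses for the request body, provided the query parser on the receiving side decodes percent-escapes the same way. This hunk sits inside handleRequest, whose body continues outside it.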
@@ -1140,6 +1140,101 @@ function runTest() {
 },
 ],
 },
+
+ // test redirects with different credentials settings
+ {
+ // Initialize by setting a cookies for same- and cross- origins.
+ pass: 1,
+ method: "GET",
+ hops: [{ server: origin,
+ setCookie: escape("a=1"),
+ },
+ { server: "http://example.com",
+ allowOrigin: origin,
+ allowCred: 1,
+ setCookie: escape("a=2"),
+ },
+ ],
+ withCred: 1,
+ },
+ { pass: 1,
+ method: "GET",
+ hops: [{ server: origin,
+ cookie: escape("a=1"),
+ },
+ { server: origin,
+ cookie: escape("a=1"),
+ },
+ { server: "http://example.com",
+ allowOrigin: origin,
+ noCookie: 1,
+ },
+ ],
+ withCred: 0,
+ },
+ { pass: 1,
+ method: "GET",
+ hops: [{ server: origin,
+ cookie: escape("a=1"),
+ },
+ { server: origin,
+ cookie: escape("a=1"),
+ },
+ { server: "http://example.com",
+ allowOrigin: origin,
+ allowCred: 1,
+ cookie: escape("a=2"),
+ },
+ ],
+ withCred: 1,
+ },
+ // expected fail because allow-credentials CORS header is not set
+ { pass: 0,
+ method: "GET",
+ hops: [{ server: origin,
+ cookie: escape("a=1"),
+ },
+ { server: origin,
+ cookie: escape("a=1"),
+ },
+ { server: "http://example.com",
+ allowOrigin: origin,
+ cookie: escape("a=2"),
+ },
+ ],
+ withCred: 1,
+ },
+ { pass: 1,
+ method: "GET",
+ hops: [{ server: origin,
+ cookie: escape("a=1"),
+ },
+ { server: origin,
+ cookie: escape("a=1"),
+ },
+ { server: "http://example.com",
+ allowOrigin: '*',
+ noCookie: 1,
+ },
+ ],
+ withCred: 0,
+ },
+ { pass: 0,
+ method: "GET",
+ hops: [{ server: origin,
+ cookie: escape("a=1"),
+ },
+ { server: origin,
+ cookie: escape("a=1"),
+ },
+ { server: "http://example.com",
+ allowOrigin: '*',
+ allowCred: 1,
+ cookie: escape("a=2"),
+ },
+ ],
+ withCred: 1,
+ },
 ];
 if (!runRedirectTests) {
@@ -1153,6 +1248,7 @@ function runTest() {
 method: test.method,
 headers: test.headers,
 body: test.body,
+ withCred: test.withCred,
 };
 if (test.pass) {
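Review bot: The last new case (`allowOrigin: '*'`, `allowCred: 1`, `withCred: 1`, `pass: 0`) carries no comment saying why it must fail, while the earlier `pass: 0` case does; a line such as `// expected fail: a wildcard Access-Control-Allow-Origin is not accepted for a credentialed request` keeps the two failure expectations equally readable. The opening comment `// Initialize by setting a cookies for same- and cross- origins.` reads awkwardly; `// Initialize by setting a cookie on the same-origin and the cross-origin server.` says the same thing. Every case after the first also depends on the cookies that first case set and nothing in the hunk clears them, so running a subset or reordering the list changes their outcome; stating that dependency on the first case would spare the next reader the guess. The enclosing test array and runTest continue outside the hunk.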