Bug 1199693 - Test CORS preflight interception with and without an internal redirect; r=jdm

dom/workers/test/serviceworkers/fetch/fetch_tests.js

@@ -149,12 +149,23 @@ fetchXHR('http://example.com/tests/dom/security/test/cors/file_CrossSiteXHR_serv
   finish();
 });
 
-// Test that CORS preflight requests cannot be intercepted
+// Test that CORS preflight requests cannot be intercepted. Performs a
+// cross-origin XHR that the SW chooses not to intercept. This requires a
+// preflight request, which the SW must not be allowed to intercept.
 fetchXHR('http://example.com/tests/dom/security/test/cors/file_CrossSiteXHR_server.sjs?status=200&allowOrigin=*', null, function(xhr) {
   my_ok(xhr.status == 0, "cross origin load with incorrect headers should be a failure");
   finish();
 }, [["X-Unsafe", "unsafe"]]);
 
+// Test that CORS preflight requests cannot be intercepted. Performs a
+// cross-origin XHR that the SW chooses to intercept and respond with a
+// cross-origin fetch. This requires a preflight request, which the SW must not
+// be allowed to intercept.
+fetchXHR('http://example.org/tests/dom/security/test/cors/file_CrossSiteXHR_server.sjs?status=200&allowOrigin=*', null, function(xhr) {
+  my_ok(xhr.status == 0, "cross origin load with incorrect headers should be a failure");
+  finish();
+}, [["X-Unsafe", "unsafe"]]);
+
 // Test that when the page fetches a url the controlling SW forces a redirect to
 // another location. This other location fetch should also be intercepted by
 // the SW.

dom/workers/test/serviceworkers/fetch_event_worker.js

@@ -14,6 +14,8 @@ onfetch = function(ev) {
     if (ev.request.method == 'OPTIONS') {
       ev.respondWith(new Response('', {headers: {'Access-Control-Allow-Origin': '*',
                                                  'Access-Control-Allow-Headers': 'X-Unsafe'}}))
+    } else if (ev.request.url.includes('example.org')) {
+      ev.respondWith(fetch(ev.request));
     }
   }