Quelle  test_CrossSiteXHR.html   Sprache: HTML

<!DOCTYPE HTML>
<html>
<head>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
  <title>Test for Cross Site XMLHttpRequest</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body onload="initTest()">
<p id="display">
<iframe id=loader></iframe>
</p>
<div id="content" style="display: none">

</div>
<pre id="test">
<script class="testbody" type="application/javascript">

const runPreflightTests = 1;
const runCookieTests = 1;
const runRedirectTests = 1;

var gen;

function initTest() {
  SimpleTest.waitForExplicitFinish();
  // Allow all cookies, then do the actual test initialization
  SpecialPowers.pushPrefEnv({
    "set": [
      ["network.cookie.cookieBehavior", 0],
      // Bug 1617611: Fix all the tests broken by "cookies SameSite=lax by default"
      ["network.cookie.sameSite.laxByDefault", false],
      ["network.cors_preflight.authorization_covered_by_wildcard", false],
   ]
  }, initTestCallback);
}

function initTestCallback() {
  window.addEventListener("message", function(e) {
    gen.next(e.data);
  });

  gen = runTest();

  gen.next()
}

// eslint-disable-next-line complexity
function* runTest() {
  var loader = document.getElementById('loader');
  var loaderWindow = loader.contentWindow;
  loader.onload = function () { gen.next() };

  // Test preflight-less requests
  basePath = "/tests/dom/security/test/cors/file_CrossSiteXHR_server.sjs?"
  base = self.location.origin;
  baseHost = self.location.host;
  baseURL = base + basePath;

  // Test preflighted requests
  origin = (base == "https://example.com") ? "https://example.org" : "https://example.com";
  originHost = (baseHost == "example.com") ? "example.org" : "example.com";
  loader.src = origin + "/tests/dom/security/test/cors/file_CrossSiteXHR_inner.html";
  yield undefined;

  tests =     [// Plain request
               { pass: 1,
                 method: "GET",
                 noAllowPreflight: 1,
               },

               // undefined username
               { pass: 1,
                 method: "GET",
                 noAllowPreflight: 1,
                 username: undefined
               },

               // undefined username and password
               { pass: 1,
                 method: "GET",
                 noAllowPreflight: 1,
                 username: undefined,
                 password: undefined
               },

               // nonempty username
               { pass: 1,
                 method: "GET",
                 noAllowPreflight: 1,
                 username: "user",
               },

               // nonempty password
               { pass: 1,
                 method: "GET",
                 noAllowPreflight: 1,
                 password: "password",
               },

               // Default allowed headers
               { pass: 1,
                 method: "GET",
                 headers: { "Content-Type": "text/plain",
                            "Accept": "foo/bar",
                            "Accept-Language": "sv-SE" },
                 noAllowPreflight: 1,
               },
               { pass: 0,
                 method: "GET",
                 headers: { "Content-Type": "foo/bar",
                            "Accept": "foo/bar",
                            "Accept-Language": "sv-SE" },
                 noAllowPreflight: 1,
               },
               { pass: 0,
                 method: "GET",
                 headers: { "Content-Type": "foo/bar, text/plain" },
                 noAllowPreflight: 1,
               },
               { pass: 0,
                 method: "GET",
                 headers: { "Content-Type": "foo/bar, text/plain, garbage" },
                 noAllowPreflight: 1,
               },

               // Custom headers
               { pass: 1,
                 method: "GET",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "x-my-header",
               },
               { pass: 1,
                 method: "GET",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "X-My-Header",
               },
               { pass: 1,
                 method: "GET",
                 headers: { "x-my-header": "myValue",
                            "long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header": "secondValue" },
                 allowHeaders: "x-my-header, long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header-long-header",
               },
               { pass: 1,
                 method: "GET",
                 headers: { "x-my%-header": "myValue" },
                 allowHeaders: "x-my%-header",
               },
               { pass: 0,
                 method: "GET",
                 headers: { "x-my-header": "myValue" },
               },
               { pass: 0,
                 method: "GET",
                 headers: { "x-my-header": "" },
               },
               { pass: 0,
                 method: "GET",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "",
               },
               { pass: 0,
                 method: "GET",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "y-my-header",
               },
               { pass: 0,
                 method: "GET",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "x-my-header y-my-header",
               },
               { pass: 0,
                 method: "GET",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "x-my-header, y-my-header z",
               },
               { pass: 0,
                 method: "GET",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "x-my-header, y-my-he(ader",
               },
               { pass: 0,
                 method: "GET",
                 headers: { "myheader": "" },
                 allowMethods: "myheader",
               },
               { pass: 1,
                 method: "GET",
                 headers: { "User-Agent": "myValue" },
                 allowHeaders: "User-Agent",
               },
               { pass: 0,
                 method: "GET",
                 headers: { "User-Agent": "myValue" },
               },

               // Multiple custom headers
               { pass: 1,
                 method: "GET",
                 headers: { "x-my-header": "myValue",
                            "second-header": "secondValue",
                            "third-header": "thirdValue" },
                 allowHeaders: "x-my-header, second-header, third-header",
               },
               { pass: 1,
                 method: "GET",
                 headers: { "x-my-header": "myValue",
                            "second-header": "secondValue",
                            "third-header": "thirdValue" },
                 allowHeaders: "x-my-header,second-header,third-header",
               },
               { pass: 1,
                 method: "GET",
                 headers: { "x-my-header": "myValue",
                            "second-header": "secondValue",
                            "third-header": "thirdValue" },
                 allowHeaders: "x-my-header ,second-header ,third-header",
               },
               { pass: 1,
                 method: "GET",
                 headers: { "x-my-header": "myValue",
                            "second-header": "secondValue",
                            "third-header": "thirdValue" },
                 allowHeaders: "x-my-header , second-header , third-header",
               },
               { pass: 1,
                 method: "GET",
                 headers: { "x-my-header": "myValue",
                            "second-header": "secondValue" },
                 allowHeaders: ", x-my-header, , ,, second-header, , ",
               },
               { pass: 1,
                 method: "GET",
                 headers: { "x-my-header": "myValue",
                            "second-header": "secondValue" },
                 allowHeaders: "x-my-header, second-header, unused-header",
               },
               { pass: 0,
                 method: "GET",
                 headers: { "x-my-header": "myValue",
                            "y-my-header": "secondValue" },
                 allowHeaders: "x-my-header",
               },
               { pass: 0,
                 method: "GET",
                 headers: { "x-my-header": "",
                            "y-my-header": "" },
                 allowHeaders: "x-my-header",
               },

               // HEAD requests
               { pass: 1,
                 method: "HEAD",
                 noAllowPreflight: 1,
               },

               // HEAD with safe headers
               { pass: 1,
                 method: "HEAD",
                 headers: { "Content-Type": "text/plain",
                            "Accept": "foo/bar",
                            "Accept-Language": "sv-SE" },
                 noAllowPreflight: 1,
               },
               { pass: 0,
                 method: "HEAD",
                 headers: { "Content-Type": "foo/bar",
                            "Accept": "foo/bar",
                            "Accept-Language": "sv-SE" },
                 noAllowPreflight: 1,
               },
               { pass: 0,
                 method: "HEAD",
                 headers: { "Content-Type": "foo/bar, text/plain" },
                 noAllowPreflight: 1,
               },
               { pass: 0,
                 method: "HEAD",
                 headers: { "Content-Type": "foo/bar, text/plain, garbage" },
                 noAllowPreflight: 1,
               },

               // HEAD with custom headers
               { pass: 1,
                 method: "HEAD",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "x-my-header",
               },
               { pass: 0,
                 method: "HEAD",
                 headers: { "x-my-header": "myValue" },
               },
               { pass: 0,
                 method: "HEAD",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "",
               },
               { pass: 0,
                 method: "HEAD",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "y-my-header",
               },
               { pass: 0,
                 method: "HEAD",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "x-my-header y-my-header",
               },

               // POST tests
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 noAllowPreflight: 1,
               },
               { pass: 1,
                 method: "POST",
               },
               { pass: 1,
                 method: "POST",
                 noAllowPreflight: 1,
               },

               // POST with standard headers
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 headers: { "Content-Type": "text/plain" },
                 noAllowPreflight: 1,
               },
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 headers: { "Content-Type": "multipart/form-data" },
                 noAllowPreflight: 1,
               },
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 headers: { "Content-Type": "application/x-www-form-urlencoded" },
                 noAllowPreflight: 1,
               },
               { pass: 0,
                 method: "POST",
                 body: "hi there",
                 headers: { "Content-Type": "foo/bar" },
               },
               { pass: 0,
                 method: "POST",
                 headers: { "Content-Type": "foo/bar" },
               },
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 headers: { "Content-Type": "text/plain",
                            "Accept": "foo/bar",
                            "Accept-Language": "sv-SE" },
                 noAllowPreflight: 1,
               },
               { pass: 0,
                 method: "POST",
                 body: "hi there",
                 headers: { "Content-Type": "foo/bar, text/plain" },
                 noAllowPreflight: 1,
               },
               { pass: 0,
                 method: "POST",
                 body: "hi there",
                 headers: { "Content-Type": "foo/bar, text/plain, garbage" },
                 noAllowPreflight: 1,
               },

               // POST with custom headers
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 headers: { "Accept": "foo/bar",
                            "Accept-Language": "sv-SE",
                            "x-my-header": "myValue" },
                 allowHeaders: "x-my-header",
               },
               { pass: 1,
                 method: "POST",
                 headers: { "Content-Type": "text/plain",
                            "x-my-header": "myValue" },
                 allowHeaders: "x-my-header",
               },
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 headers: { "Content-Type": "text/plain",
                            "x-my-header": "myValue" },
                 allowHeaders: "x-my-header",
               },
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 headers: { "Content-Type": "foo/bar",
                            "x-my-header": "myValue" },
                 allowHeaders: "x-my-header, content-type",
               },
               { pass: 0,
                 method: "POST",
                 body: "hi there",
                 headers: { "Content-Type": "foo/bar" },
                 noAllowPreflight: 1,
               },
               { pass: 0,
                 method: "POST",
                 body: "hi there",
                 headers: { "Content-Type": "foo/bar",
                            "x-my-header": "myValue" },
                 allowHeaders: "x-my-header",
               },
               { pass: 1,
                 method: "POST",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "x-my-header",
               },
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "x-my-header, $_%",
               },

               // Test cases for "Access-Control-Allow-Headers" containing "*".
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "*",
               },
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 headers: { "x-my-header": "myValue",
                            "Authorization": "12345" },
                 allowHeaders: "*, Authorization",
               },
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 headers: { "x-my-header": "myValue",
                            "Authorization": "12345" },
                 allowHeaders: "Authorization, *",
               },
               { pass: 0,
                 method: "POST",
                 body: "hi there",
                 headers: { "x-my-header": "myValue",
                            "Authorization": "12345" },
                 allowHeaders: "*",
               },
               { pass: 0,
                 method: "POST",
                 body: "hi there",
                 headers: { "x-my-header": "myValue",
                            "Authorization": "12345" },
                 allowHeaders: "x-my-header",
               },
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 headers: { "*": "myValue" },
                 allowHeaders: "*",
                 withCred: 1,
                 allowCred: 1,
               },
               { pass: 0,
                 method: "POST",
                 body: "hi there",
                 headers: { "x-my-header": "myValue" },
                 allowHeaders: "*",
                 withCred: 1,
                 allowCred: 1,
               },

               // Other methods
               { pass: 1,
                 method: "DELETE",
                 allowMethods: "DELETE",
               },
               { pass: 0,
                 method: "DELETE",
                 allowHeaders: "DELETE",
               },
               { pass: 0,
                 method: "DELETE",
               },
               { pass: 0,
                 method: "DELETE",
                 allowMethods: "",
               },
               { pass: 1,
                 method: "DELETE",
                 allowMethods: "POST, PUT, DELETE",
               },
               { pass: 1,
                 method: "DELETE",
                 allowMethods: "POST, DELETE, PUT",
               },
               { pass: 1,
                 method: "DELETE",
                 allowMethods: "DELETE, POST, PUT",
               },
               { pass: 1,
                 method: "DELETE",
                 allowMethods: "POST ,PUT ,DELETE",
               },
               { pass: 1,
                 method: "DELETE",
                 allowMethods: "POST,PUT,DELETE",
               },
               { pass: 1,
                 method: "DELETE",
                 allowMethods: "POST , PUT , DELETE",
               },
               { pass: 1,
                 method: "DELETE",
                 allowMethods: " ,, PUT ,, , , DELETE , ,",
               },
               { pass: 0,
                 method: "DELETE",
                 allowMethods: "PUT",
               },
               { pass: 0,
                 method: "DELETE",
                 allowMethods: "DELETEZ",
               },
               { pass: 0,
                 method: "DELETE",
                 allowMethods: "DELETE PUT",
               },
               { pass: 0,
                 method: "DELETE",
                 allowMethods: "DELETE, PUT Z",
               },
               { pass: 0,
                 method: "DELETE",
                 allowMethods: "DELETE, PU(T",
               },
               { pass: 0,
                 method: "DELETE",
                 allowMethods: "PUT DELETE",
               },
               { pass: 0,
                 method: "DELETE",
                 allowMethods: "PUT Z, DELETE",
               },
               { pass: 0,
                 method: "DELETE",
                 allowMethods: "PU(T, DELETE",
               },
               { pass: 0,
                 method: "MYMETHOD",
                 allowMethods: "myMethod",
               },
               { pass: 0,
                 method: "PUT",
                 allowMethods: "put",
               },

               // Progress events
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 headers: { "Content-Type": "text/plain" },
                 uploadProgress: "progress",
               },
               { pass: 0,
                 method: "POST",
                 body: "hi there",
                 headers: { "Content-Type": "text/plain" },
                 uploadProgress: "progress",
                 noAllowPreflight: 1,
               },

               // Status messages
               { pass: 1,
                 method: "GET",
                 noAllowPreflight: 1,
                 status: 404,
                 statusMessage: "nothin' here",
               },
               { pass: 1,
                 method: "GET",
                 noAllowPreflight: 1,
                 status: 401,
                 statusMessage: "no can do",
               },
               { pass: 1,
                 method: "POST",
                 body: "hi there",
                 headers: { "Content-Type": "foo/bar" },
                 allowHeaders: "content-type",
                 status: 500,
                 statusMessage: "server boo",
               },
               { pass: 1,
                 method: "GET",
                 noAllowPreflight: 1,
                 status: 200,
                 statusMessage: "Yes!!",
               },
               { pass: 0,
                 method: "GET",
                 headers: { "x-my-header": "header value" },
                 allowHeaders: "x-my-header",
                 preflightStatus: 400
               },
               { pass: 1,
                 method: "GET",
                 headers: { "x-my-header": "header value" },
                 allowHeaders: "x-my-header",
                 preflightStatus: 200
               },
               { pass: 1,
                 method: "GET",
                 headers: { "x-my-header": "header value" },
                 allowHeaders: "x-my-header",
                 preflightStatus: 204
               },

               // exposed headers
               { pass: 1,
                 method: "GET",
                 responseHeaders: { "x-my-header": "x header" },
                 exposeHeaders: "x-my-header",
                 expectedResponseHeaders: ["x-my-header"],
               },
               { pass: 0,
                 method: "GET",
                 origin: "https://invalid",
                 responseHeaders: { "x-my-header": "x header" },
                 exposeHeaders: "x-my-header",
                 expectedResponseHeaders: [],
               },
               { pass: 1,
                 method: "GET",
                 responseHeaders: { "x-my-header": "x header" },
                 expectedResponseHeaders: [],
               },
               { pass: 1,
                 method: "GET",
                 responseHeaders: { "x-my-header": "x header" },
                 exposeHeaders: "x-my-header y",
                 expectedResponseHeaders: [],
               },
               { pass: 1,
                 method: "GET",
                 responseHeaders: { "x-my-header": "x header" },
                 exposeHeaders: "y x-my-header",
                 expectedResponseHeaders: [],
               },
               { pass: 1,
                 method: "GET",
                 responseHeaders: { "x-my-header": "x header" },
                 exposeHeaders: "x-my-header, y-my-header z",
                 expectedResponseHeaders: [],
               },
               { pass: 1,
                 method: "GET",
                 responseHeaders: { "x-my-header": "x header" },
                 exposeHeaders: "x-my-header, y-my-hea(er",
                 expectedResponseHeaders: [],
               },
               { pass: 1,
                 method: "GET",
                 responseHeaders: { "x-my-header": "x header",
                                    "y-my-header": "y header" },
                 exposeHeaders: " , ,,y-my-header,z-my-header, ",
                 expectedResponseHeaders: ["y-my-header"],
               },
               { pass: 1,
                 method: "GET",
                 responseHeaders: { "Cache-Control": "cacheControl header",
                                    "Content-Language": "contentLanguage header",
                                    "Expires":"expires header",
                                    "Last-Modified":"lastModified header",
                                    "Pragma":"pragma header",
                                    "Unexpected":"unexpected header" },
                 expectedResponseHeaders: ["Cache-Control","Content-Language","Content-Type","Expires","Last-Modified","Pragma"],
               },
               // Check that sending a body in the OPTIONS response works
               { pass: 1,
                 method: "DELETE",
                 allowMethods: "DELETE",
                 preflightBody: "I'm a preflight response body",
               },
               ];

  if (!runPreflightTests) {
    tests = [];
  }

  for (test of tests) {
    var req = {
      url: baseURL + "allowOrigin=" + escape(test.origin || origin),
      method: test.method,
      headers: test.headers,
      uploadProgress: test.uploadProgress,
      body: test.body,
      responseHeaders: test.responseHeaders,
      withCred: test.withCred ? test.withCred : 0,
    };

    if (test.pass) {
       req.url += "&origin=" + escape(origin) +
                  "&requestMethod=" + test.method;
    }

    if ("username" in test) {
      req.username = test.username;
    }

    if ("password" in test) {
      req.password = test.password;
    }

    if (test.noAllowPreflight)
      req.url += "&noAllowPreflight";

    if (test.allowCred)
      req.url += "&allowCred";

    if (test.pass && "headers" in test) {
      function isUnsafeHeader(name) {
        lName = name.toLowerCase();
        return lName != "accept" &&
               lName != "accept-language" &&
               (lName != "content-type" ||
                !["text/plain",
                 "multipart/form-data",
                 "application/x-www-form-urlencoded"]
                   .includes(test.headers[name].toLowerCase()));
      }
      req.url += "&headers=" + escape(JSON.stringify(test.headers));
      reqHeaders =
        escape(Object.keys(test.headers)
               .filter(isUnsafeHeader)
               .map(s => s.toLowerCase())
               .sort()
               .join(","));
      req.url += reqHeaders ? "&requestHeaders=" + reqHeaders : "";
    }
    if ("allowHeaders" in test)
      req.url += "&allowHeaders=" + escape(test.allowHeaders);
    if ("allowMethods" in test)
      req.url += "&allowMethods=" + escape(test.allowMethods);
    if (test.body)
      req.url += "&body=" + escape(test.body);
    if (test.status) {
      req.url += "&status=" + test.status;
      req.url += "&statusMessage=" + escape(test.statusMessage);
    }
    if (test.preflightStatus)
      req.url += "&preflightStatus=" + test.preflightStatus;
    if (test.responseHeaders)
      req.url += "&responseHeaders=" + escape(JSON.stringify(test.responseHeaders));
    if (test.exposeHeaders)
      req.url += "&exposeHeaders=" + escape(test.exposeHeaders);
    if (test.preflightBody)
      req.url += "&preflightBody=" + escape(test.preflightBody);

    loaderWindow.postMessage(JSON.stringify(req), origin);
    res = JSON.parse(yield);

    if (test.pass) {
      is(res.didFail, false,
        "shouldn't have failed in test for " + JSON.stringify(test));
      if (test.status) {
        is(res.status, test.status, "wrong status in test for " + JSON.stringify(test));
        is(res.statusText, test.statusMessage, "wrong status text for " + JSON.stringify(test));
      }
      else {
        is(res.status, 200, "wrong status in test for " + JSON.stringify(test));
        is(res.statusText, "OK", "wrong status text for " + JSON.stringify(test));
      }
      if (test.method !== "HEAD") {
        is(res.responseXML, "hello pass",
           "wrong responseXML in test for " + JSON.stringify(test));
        is(res.responseText, "hello pass\n",
           "wrong responseText in test for " + JSON.stringify(test));
        is(res.events.join(","),
           "opening,rs1,sending,loadstart,rs2,rs3,rs4,load,loadend",
           "wrong responseText in test for " + JSON.stringify(test));
      }
      else {
        is(res.responseXML, null,
           "wrong responseXML in test for " + JSON.stringify(test));
        is(res.responseText, "",
           "wrong responseText in test for " + JSON.stringify(test));
        is(res.events.join(","),
           "opening,rs1,sending,loadstart,rs2,rs4,load,loadend",
           "wrong responseText in test for " + JSON.stringify(test));
      }
      if (test.responseHeaders) {
        for (header in test.responseHeaders) {
          if (!test.expectedResponseHeaders.includes(header)) {
            is(res.responseHeaders[header], null,
               "|xhr.getResponseHeader()|wrong response header (" + header + ") in test for " +
               JSON.stringify(test));
            is(res.allResponseHeaders[header], undefined,
              "|xhr.getAllResponseHeaderss()|wrong response header (" + header + ") in test for " +
              JSON.stringify(test));
          }
          else {
            is(res.responseHeaders[header], test.responseHeaders[header],
               "|xhr.getResponseHeader()|wrong response header (" + header + ") in test for " +
               JSON.stringify(test));
            is(res.allResponseHeaders[header.toLowerCase()], test.responseHeaders[header],
              "|xhr.getAllResponseHeaderss()|wrong response header (" + header + ") in test for " +
              JSON.stringify(test));
          }
        }
      }
    }
    else {
      is(res.didFail, true,
        "should have failed in test for " + JSON.stringify(test));
      is(res.status, 0, "wrong status in test for " + JSON.stringify(test));
      is(res.statusText, "", "wrong status text for " + JSON.stringify(test));
      is(res.responseXML, null,
         "wrong responseXML in test for " + JSON.stringify(test));
      is(res.responseText, "",
         "wrong responseText in test for " + JSON.stringify(test));
      if (!res.sendThrew) {
        is(res.events.join(","),
           "opening,rs1,sending,loadstart,rs4,error,loadend",
           "wrong events in test for " + JSON.stringify(test));
      }
      is(res.progressEvents, 0,
         "wrong events in test for " + JSON.stringify(test));
      if (test.responseHeaders) {
        for (header in test.responseHeaders) {
          is(res.responseHeaders[header], null,
             "wrong response header (" + header + ") in test for " +
             JSON.stringify(test));
        }
      }
    }
  }

  // Test cookie behavior
  tests = [{ pass: 1,
             method: "GET",
             withCred: 1,
             allowCred: 1,
           },
           { pass: 0,
             method: "GET",
             withCred: 1,
             allowCred: 0,
           },
           { pass: 0,
             method: "GET",
             withCred: 1,
             allowCred: 1,
             origin: "*",
           },
           { pass: 1,
             method: "GET",
             withCred: 0,
             allowCred: 1,
             origin: "*",
           },
           { pass: 1,
             method: "GET",
             setCookie: "a=1; Partitioned; Secure; SameSite=None",
             withCred: 1,
             allowCred: 1,
           },
           { pass: 1,
             method: "GET",
             cookie: "a=1",
             withCred: 1,
             allowCred: 1,
           },
           { pass: 1,
             method: "GET",
             noCookie: 1,
             withCred: 0,
             allowCred: 1,
           },
           { pass: 0,
             method: "GET",
             noCookie: 1,
             withCred: 1,
             allowCred: 1,
           },
           { pass: 1,
             method: "GET",
             setCookie: "a=2; Partitioned; Secure; SameSite=None",
             withCred: 0,
             allowCred: 1,
           },
           { pass: 1,
             method: "GET",
             cookie: "a=1",
             withCred: 1,
             allowCred: 1,
           },
           { pass: 1,
             method: "GET",
             setCookie: "a=2; Partitioned; Secure; SameSite=None",
             withCred: 1,
             allowCred: 1,
           },
           { pass: 1,
             method: "GET",
             cookie: "a=2",
             withCred: 1,
             allowCred: 1,
           },
           ];

  if (!runCookieTests) {
    tests = [];
  }

  for (test of tests) {
    req = {
      url: baseURL + "allowOrigin=" + escape(test.origin || origin),
      method: test.method,
      headers: test.headers,
      withCred: test.withCred,
    };

    if (test.allowCred)
      req.url += "&allowCred";

    if (test.setCookie)
      req.url += "&setCookie=" + escape(test.setCookie);
    if (test.cookie)
      req.url += "&cookie=" + escape(test.cookie);
    if (test.noCookie)
      req.url += "&noCookie";

    if ("allowHeaders" in test)
      req.url += "&allowHeaders=" + escape(test.allowHeaders);
    if ("allowMethods" in test)
      req.url += "&allowMethods=" + escape(test.allowMethods);

    loaderWindow.postMessage(JSON.stringify(req), origin);

    res = JSON.parse(yield);
    if (test.pass) {
      is(res.didFail, false,
        "shouldn't have failed in test for " + JSON.stringify(test));
      is(res.status, 200, "wrong status in test for " + JSON.stringify(test));
      is(res.statusText, "OK", "wrong status text for " + JSON.stringify(test));
      is(res.responseXML, "hello pass",
         "wrong responseXML in test for " + JSON.stringify(test));
      is(res.responseText, "hello pass\n",
         "wrong responseText in test for " + JSON.stringify(test));
      is(res.events.join(","),
         "opening,rs1,sending,loadstart,rs2,rs3,rs4,load,loadend",
         "wrong responseText in test for " + JSON.stringify(test));
    }
    else {
      is(res.didFail, true,
        "should have failed in test for " + JSON.stringify(test));
      is(res.status, 0, "wrong status in test for " + JSON.stringify(test));
      is(res.statusText, "", "wrong status text for " + JSON.stringify(test));
      is(res.responseXML, null,
         "wrong responseXML in test for " + JSON.stringify(test));
      is(res.responseText, "",
         "wrong responseText in test for " + JSON.stringify(test));
      is(res.events.join(","),
         "opening,rs1,sending,loadstart,rs4,error,loadend",
         "wrong events in test for " + JSON.stringify(test));
      is(res.progressEvents, 0,
         "wrong events in test for " + JSON.stringify(test));
    }
  }

  // Make sure to clear cookies to avoid affecting other tests
  document.cookie = "a=; partitioned; secure; samesite=none; path=/; expires=Thu, 01-Jan-1970 00:00:01 GMT"
  is(document.cookie, "", "No cookies should be left over");

  var otherURL = "https://example.net";

  // Test redirects
  tests = [{ pass: 1,
             method: "GET",
             hops: [{ server: otherURL,
                      allowOrigin: origin
                    },
                    ],
           },
           { pass: 0,
             method: "GET",
             hops: [{ server:  otherURL,
                      allowOrigin: origin
                    },
                    { server: origin,
                      allowOrigin: origin
                    },
                    ],
           },
           { pass: 1,
             method: "GET",
             hops: [{ server:  otherURL,
                      allowOrigin: origin
                    },
                    { server: origin,
                      allowOrigin: "*"
                    },
                    ],
           },
           { pass: 0,
             method: "GET",
             hops: [{ server:  otherURL,
                      allowOrigin: origin
                    },
                    { server: origin,
                    },
                    ],
           },
           { pass: 1,
             method: "GET",
             hops: [{ server: origin,
                    },
                    { server: origin,
                    },
                    { server:  otherURL,
                      allowOrigin: origin
                    },
                    ],
           },
           { pass: 0,
             method: "GET",
             hops: [{ server: origin,
                    },
                    { server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin
                    },
                    { server: origin,
                    },
                    ],
           },
           { pass: 0,
             method: "GET",
             hops: [{ server: otherURL,
                      allowOrigin: origin
                    },
                    { server: "https://test3." + originHost + ":443",
                      allowOrigin: origin
                    },
                    { server: "https://sub2.test2." + originHost,
                      allowOrigin: origin
                    },
                    { server: "https://sub1.test1." + originHost,
                      allowOrigin: origin
                    },
                    ],
           },
           { pass: 0,
             method: "GET",
             hops: [{ server: otherURL,
                      allowOrigin: origin
                    },
                    { server: "https://test3." + originHost + ":443",
                      allowOrigin: origin
                    },
                    { server: "https://sub2.test2." + originHost,
                      allowOrigin: "*"
                    },
                    { server: "https://sub1.test1." + originHost,
                      allowOrigin: "*"
                    },
                    ],
           },
           { pass: 1,
             method: "GET",
             hops: [{ server: otherURL,
                      allowOrigin: origin
                    },
                    { server: "https://test3." + originHost + ":443",
                      allowOrigin: "*"
                    },
                    { server: "https://sub2.test2." + originHost,
                      allowOrigin: "*"
                    },
                    { server: "https://sub1.test1." + originHost,
                      allowOrigin: "*"
                    },
                    ],
           },
           { pass: 0,
             method: "GET",
             hops: [{ server: otherURL,
                      allowOrigin: origin
                    },
                    { server: "https://test3." + originHost + ":443",
                      allowOrigin: origin
                    },
                    { server: "https://sub2.test2." + originHost,
                      allowOrigin: "x"
                    },
                    { server: "https://sub1.test1." + originHost,
                      allowOrigin: origin
                    },
                    ],
           },
           { pass: 0,
             method: "GET",
             hops: [{ server: otherURL,
                      allowOrigin: origin
                    },
                    { server: "https://test3." + originHost + ":443",
                      allowOrigin: origin
                    },
                    { server: "https://sub2.test2." + originHost,
                      allowOrigin: "*"
                    },
                    { server: "https://sub1.test1." + originHost,
                      allowOrigin: origin
                    },
                    ],
           },
           { pass: 0,
             method: "GET",
             hops: [{ server: otherURL,
                      allowOrigin: origin
                    },
                    { server: "https://test3." + originHost + ":443",
                      allowOrigin: origin
                    },
                    { server: "https://sub2.test2." + originHost,
                      allowOrigin: "*"
                    },
                    { server: "https://sub1.test1." + originHost },
                    ],
           },
           { pass: 1,
             method: "POST",
             body: "hi there",
             headers: { "Content-Type": "text/plain" },
             hops: [{ server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                    },
                    ],
           },
           { pass: 1,
             method: "POST",
             body: "hi there",
             headers: { "Content-Type": "text/plain",
                        "my-header": "myValue",
                      },
             hops: [{ server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowHeaders: "my-header",
                    },
                    ],
           },
           { pass: 0,
             method: "POST",
             body: "hi there",
             headers: { "Content-Type": "text/plain",
                        "my-header": "myValue",
                      },
             hops: [{ server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowHeaders: "my-header",
                    },
                    { server: "https://sub1.test1." + originHost,
                      allowOrigin: origin,
                      allowHeaders: "my-header",
                    },
                    ],
           },
           { pass: 1,
             method: "POST",
             body: "hi there",
             headers: { "Content-Type": "text/plain",
                        "my-header": "myValue",
                      },
             hops: [{ server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowHeaders: "my-header",
                    },
                    { server: "https://sub1.test1." + originHost,
                      allowOrigin: "*",
                      allowHeaders: "my-header",
                    },
                    ],
           },
           { pass: 1,
             method: "POST",
             body: "hi there",
             headers: { "Content-Type": "text/plain",
                        "my-header": "myValue",
                      },
             hops: [{ server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowHeaders: "my-header",
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowHeaders: "my-header",
                    },
                    ],
           },
           { pass: 0,
             method: "POST",
             body: "hi there",
             headers: { "Content-Type": "text/plain",
                        "my-header": "myValue",
                      },
             hops: [{ server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowHeaders: "my-header",
                    },
                    { server: origin,
                      allowOrigin: origin,
                      allowHeaders: "my-header",
                    },
                    ],
           },
           { pass: 0,
             method: "POST",
             body: "hi there",
             headers: { "Content-Type": "text/plain",
                        "my-header": "myValue",
                      },
             hops: [{ server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      noAllowPreflight: 1,
                    },
                    ],
           },
           { pass: 1,
             method: "DELETE",
             hops: [{ server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowMethods: "DELETE",
                    },
                    ],
           },
           { pass: 0,
             method: "DELETE",
             hops: [{ server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowMethods: "DELETE",
                    },
                    { server: "https://sub1.test1." + originHost,
                      allowOrigin: origin,
                      allowMethods: "DELETE",
                    },
                    ],
           },
           { pass: 1,
             method: "DELETE",
             hops: [{ server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowMethods: "DELETE",
                    },
                    { server: "https://sub1.test1." + originHost,
                      allowOrigin: "*",
                      allowMethods: "DELETE",
                    },
                    ],
           },
           { pass: 1,
             method: "DELETE",
             hops: [{ server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowMethods: "DELETE",
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowMethods: "DELETE",
                    },
                    ],
           },
           { pass: 0,
             method: "DELETE",
             hops: [{ server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowMethods: "DELETE",
                    },
                    { server: origin,
                      allowOrigin: origin,
                      allowMethods: "DELETE",
                    },
                    ],
           },
           { pass: 0,
             method: "DELETE",
             hops: [{ server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowMethods: "DELETE",
                      noAllowPreflight: 1,
                    },
                    ],
           },
           { pass: 0,
             method: "POST",
             body: "hi there",
             headers: { "Content-Type": "text/plain",
                        "my-header": "myValue",
                      },
             hops: [{ server: otherURL,
                      allowOrigin: origin,
                    },
                    { server: "https://sub1.test1." + originHost,
                      allowOrigin: origin,
                    },
                    ],
           },
           { pass: 0,
             method: "DELETE",
             hops: [{ server: otherURL,
                      allowOrigin: origin,
                    },
                    { server: "https://sub1.test1." + originHost,
                      allowOrigin: origin,
                    },
                    ],
           },
           { pass: 0,
             method: "POST",
             body: "hi there",
             headers: { "Content-Type": "text/plain",
                        "my-header": "myValue",
                      },
             hops: [{ server: otherURL,
                    },
                    { server: "https://sub1.test1." + originHost,
                      allowOrigin: origin,
                      allowHeaders: "my-header",
                    },
                    ],
           },
           { pass: 1,
             method: "POST",
             body: "hi there",
             headers: { "Content-Type": "text/plain" },
             hops: [{ server: origin,
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                    },
                    ],
           },
           { pass: 0,
             method: "POST",
             body: "hi there",
             headers: { "Content-Type": "text/plain",
                        "my-header": "myValue",
                      },
             hops: [{ server: otherURL,
                      allowOrigin: origin,
                      allowHeaders: "my-header",
                    },
                    { server: origin,
                      allowOrigin: origin,
                      allowHeaders: "my-header",
                    },
                    ],
           },

           // test redirects with different credentials settings
           {
             // Initialize by setting a cookies for same- and cross- origins.
             pass: 1,
             method: "GET",
             hops: [{ server: origin,
                      setCookie: escape("a=1; Partitioned; Secure; SameSite=None"),
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowCred: 1,
                      setCookie: escape("a=2; Partitioned; Secure; SameSite=None"),
                    },
                    ],
             withCred: 1,
           },
           { pass: 1,
             method: "GET",
             hops: [{ server: origin,
                      cookie: escape("a=1"),
                    },
                    { server: origin,
                      cookie: escape("a=1"),
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      noCookie: 1,
                    },
                    ],
             withCred: 0,
           },
           { pass: 1,
             method: "GET",
             hops: [{ server: origin,
                      cookie: escape("a=1"),
                    },
                    { server: origin,
                      cookie: escape("a=1"),
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      allowCred: 1,
                      cookie: escape("a=2"),
                    },
                    ],
             withCred: 1,
           },
           // expected fail because allow-credentials CORS header is not set
           { pass: 0,
             method: "GET",
             hops: [{ server: origin,
                      cookie: escape("a=1"),
                    },
                    { server: origin,
                      cookie: escape("a=1"),
                    },
                    { server: otherURL,
                      allowOrigin: origin,
                      cookie: escape("a=2"),
                    },
                    ],
             withCred: 1,
           },
           { pass: 1,
             method: "GET",
             hops: [{ server: origin,
                      cookie: escape("a=1"),
                    },
                    { server: origin,
                      cookie: escape("a=1"),
                    },
                    { server: otherURL,
                      allowOrigin: '*',
                      noCookie: 1,
                    },
                    ],
             withCred: 0,
           },
           { pass: 0,
             method: "GET",
             hops: [{ server: origin,
                      cookie: escape("a=1"),
                    },
                    { server: origin,
                      cookie: escape("a=1"),
                    },
                    { server: otherURL,
                      allowOrigin: '*',
                      allowCred: 1,
                      cookie: escape("a=2"),
                    },
                    ],
             withCred: 1,
           },
           ];

  if (!runRedirectTests) {
    tests = [];
  }

  for (test of tests) {
    req = {
      url: test.hops[0].server + basePath + "hop=1&hops=" +
           escape(JSON.stringify(test.hops)),
      method: test.method,
      headers: test.headers,
      body: test.body,
      withCred: test.withCred,
    };

    if (test.pass) {
      if (test.body)
        req.url += "&body=" + escape(test.body);
    }

    loaderWindow.postMessage(JSON.stringify(req), origin);

    res = JSON.parse(yield);
    if (test.pass) {
      is(res.didFail, false,
        "shouldn't have failed in test for " + JSON.stringify(test));
      is(res.status, 200, "wrong status in test for " + JSON.stringify(test));
      is(res.statusText, "OK", "wrong status text for " + JSON.stringify(test));
      is(res.responseXML, "hello pass",
         "wrong responseXML in test for " + JSON.stringify(test));
      is(res.responseText, "hello pass\n",
         "wrong responseText in test for " + JSON.stringify(test));
      is(res.events.join(","),
         "opening,rs1,sending,loadstart,rs2,rs3,rs4,load,loadend",
         "wrong responseText in test for " + JSON.stringify(test));
    }
    else {
      is(res.didFail, true,
        "should have failed in test for " + JSON.stringify(test));
      is(res.status, 0, "wrong status in test for " + JSON.stringify(test));
      is(res.statusText, "", "wrong status text for " + JSON.stringify(test));
      is(res.responseXML, null,
         "wrong responseXML in test for " + JSON.stringify(test));
      is(res.responseText, "",
         "wrong responseText in test for " + JSON.stringify(test));
      is(res.events.join(","),
         "opening,rs1,sending,loadstart,rs4,error,loadend",
         "wrong events in test for " + JSON.stringify(test));
      is(res.progressEvents, 0,
         "wrong progressevents in test for " + JSON.stringify(test));
    }
  }


  SpecialPowers.clearUserPref("network.cookie.sameSite.laxByDefault");
  SpecialPowers.clearUserPref("browser.contentblocking.category");
  SimpleTest.finish();
}

</script>
</pre>
</body>
</html>