| Austin James Ahlstrom | bef4a9d | 2017-08-31 05:17:17 | [diff] [blame] | 1 | <!DOCTYPE html> |
| 2 | <html> |
| 3 | <head> |
| 4 | <title>Async request denied at preflight because of non-CORS-safelisted header</title> |
| 5 | <script src="/resources/testharness.js"></script> |
| 6 | <script src="/resources/testharnessreport.js"></script> |
| 7 | <script src="/common/get-host-info.sub.js"></script> |
| 8 | <script src="/common/utils.js"></script> |
| 9 | </head> |
| 10 | <body> |
| 11 | <script type="text/javascript"> |
// Fresh token for this run; it is sent with every request below.
// Presumably the server-side handler keys its per-test state on it; confirm
// in access-control-preflight-denied.py.
const uuid = token();
// The handler is addressed on the remote origin, so each request made to it
// from this page is cross-origin.
const url = `${get_host_info().HTTP_REMOTE_ORIGIN}/xhr/resources/access-control-preflight-denied.py?token=${uuid}`;

async_test((test) => {
  // Synchronous "reset" call (third open() argument is false), issued before
  // the request under test.
  const resetRequest = new XMLHttpRequest();
  resetRequest.open("GET", `${url}&command=reset`, false);
  resetRequest.send();

  // Request under test: an asynchronous cross-origin GET carrying "x-test",
  // a header that is not CORS-safelisted, so the browser has to preflight it.
  const deniedRequest = new XMLHttpRequest();
  deniedRequest.open("GET", `${url}&command=header`, true);
  deniedRequest.setRequestHeader("x-test", "foo");

  // A load event would mean the response was exposed to this page despite
  // the denied preflight, so reaching onload fails the test.
  deniedRequest.onload = test.unreached_func(
      "Cross-domain access with custom header allowed without throwing exception");

  // Expected path: the request errors out. A network error alone does not
  // show that the actual GET was withheld, so the handler is then queried
  // synchronously and its answer is compared with the expected text.
  // NOTE(review): what "complete" checks on the server is not visible here.
  deniedRequest.onerror = test.step_func_done(() => {
    const completeRequest = new XMLHttpRequest();
    completeRequest.open("GET", `${url}&command=complete`, false);
    completeRequest.send();
    assert_equals(completeRequest.responseText, "Request successfully blocked.");
  });

  deniedRequest.send();
}, "Async request denied at preflight");
| 37 | </script> |
| 38 | </body> |
| 39 | </html> |