From b8c26cb9904c57a938105a4076e8c616c0e4583b Mon Sep 17 00:00:00 2001
From: Anne van Kesteren
Date: Mon, 13 Mar 2017 09:03:51 +0100
Subject: [PATCH] CORS: change userinfo tests due to URL parser changes

In particular empty string password is now the same as not having a password.
---
 cors/redirect-userinfo.htm | 31 ++++++++++---------------------
 1 file changed, 10 insertions(+), 21 deletions(-)

diff --git a/cors/redirect-userinfo.htm b/cors/redirect-userinfo.htm
index 1775d30dfb12509..fd3864d2497a679 100644
--- a/cors/redirect-userinfo.htm
+++ b/cors/redirect-userinfo.htm
@@ -16,27 +16,27 @@

CORS userinfo redirect handling

  // Test count for cache busting and easy identifying of request in traffic analyzer
  var num_test = 0
- shouldFail("Disallow redirect with userinfo (//user:pass@)", [
+ shouldFail("Disallow redirect with userinfo (user:pass@)", [
  CROSSDOMAIN + "resources/cors-makeheader.py?",
  CROSSDOMAIN.replace("http://", "http://test:test@") + "resources/cors-makeheader.py?"]);
- shouldFail("Disallow redirect with userinfo (//user:@)", [
+ shouldFail("Disallow redirect with userinfo (user:@)", [
  CROSSDOMAIN + "resources/cors-makeheader.py?",
  CROSSDOMAIN.replace("http://", "http://user:@") + "resources/cors-makeheader.py?"]);
- shouldFail("Disallow redirect with userinfo (//user@)", [
+ shouldFail("Disallow redirect with userinfo (user@)", [
  CROSSDOMAIN + "resources/cors-makeheader.py?",
  CROSSDOMAIN.replace("http://", "http://user:@") + "resources/cors-makeheader.py?"]);
- shouldFail("Disallow redirect with userinfo (//:@)", [
+ shouldPass("Allow redirect without userinfo (:@ is trimmed during URL parsing)", [
  CROSSDOMAIN + "resources/cors-makeheader.py?",
  CROSSDOMAIN.replace("http://", "http://:@") + "resources/cors-makeheader.py?"]);
- shouldFail("Disallow redirect with userinfo (//:pass@)", [
+ shouldFail("Disallow redirect with userinfo (:pass@)", [
  CROSSDOMAIN + "resources/cors-makeheader.py?",
  CROSSDOMAIN.replace("http://", "http://:pass@") + "resources/cors-makeheader.py?"]);
- shouldPass("Allow redirect with userinfo (//@)", [
+ shouldPass("Allow redirect without userinfo (@ is trimmed during URL parsing)", [
  CROSSDOMAIN + "resources/cors-makeheader.py?",
  CROSSDOMAIN.replace("http://", "http://@") + "resources/cors-makeheader.py?"]);
@@ -51,12 +51,8 @@
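Review bot: The third case, labelled `(user@)`, still builds its redirect target with `CROSSDOMAIN.replace("http://", "http://user:@")`, the same URL as the `(user:@)` case above it, so a username with no `:` separator is never sent through the redirect. Since this commit treats an empty password as equivalent to no password, the two forms should parse alike, but the test only demonstrates that if the URL matches its label: `CROSSDOMAIN.replace("http://", "http://user@") + "resources/cors-makeheader.py?"]);`. As written, a user agent that rejected userinfo only when a `:` is present would presumably still pass the whole file. The first case has a smaller mismatch of the same kind (label `user:pass@`, URL `test:test@`).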

CORS userinfo redirect handling

  client.open('GET', buildURL(urls, test_id));
- client.onload = t.step_func(function() {
- assert_false(!!client.response, "Got response");
- });
- client.onerror = t.step_func(function(e) {
- t.done();
- });
+ client.onload = t.unreached_func();
+ client.onerror = t.step_func_done();
  client.send(null)
  });
@@ -73,14 +69,11 @@
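Review bot: The new `client.onerror = t.step_func_done();` ends the test on any error event without checking what the XHR object exposes, and `t.unreached_func()` on `onload` carries no description. For a redirect that must be blocked, it would be worth pinning that nothing from the target is readable, e.g. `client.onerror = t.step_func_done(function() { assert_equals(client.status, 0, "status"); assert_equals(client.responseText, "", "responseText"); });`. The load handler could say what went wrong, e.g. `t.unreached_func("load event fired for a redirect to a URL with userinfo")`. The enclosing function starts before this hunk.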

CORS userinfo redirect handling

  client.open('GET', buildURL(urls, test_id));
- client.onreadystatechange = t.step_func(function() {
- if (client.readyState != client.DONE)
- return;
- assert_true(!!client.response, "Got response");
+ client.onload = t.step_func_done(function() {
  r = JSON.parse(client.response)
  assert_equals(r['get_value'], 'last', 'get_value')
- t.done();
  });
+ client.onerror = t.unreached_func()
  client.send(null)
  });
  }
@@ -88,10 +81,6 @@
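Review bot: Inside the new `onload` handler, `r = JSON.parse(client.response)` assigns to an undeclared variable, so every `shouldPass` test writes the same implicit global; declaring it locally (`var r = JSON.parse(client.response)`) keeps the parsed response scoped to the handler. With the `assert_true(!!client.response, ...)` check removed, an empty or non-JSON body now surfaces as a `SyntaxError` from `JSON.parse` rather than a named assertion, which is still reported through `step_func_done` but is harder to read in results. `client.onerror = t.unreached_func()` would also benefit from a description string. The enclosing function begins outside this hunk.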

CORS userinfo redirect handling

  function buildURL(urls, id) {
  var tmp_url;
- if (typeof(urls) == "string") {
- return urls + "&" + id + "_0";
- }
-
  for (var i = urls.length; i--; ) {
  if (!tmp_url) {