Source code

Revision control

Copy as Markdown

Other Tools

Test Info:

<!DOCTYPE html>
<meta charset=utf-8>
<title>CORS - 304 Responses</title>
<meta name="timeout" content="long">
<meta name=author title="Mark Nottingham" href="mailto:mnot@mnot.net">
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src=support.js?pipe=sub></script>
<h1>CORS - 304 Responses</h1>
<div id=log></div>
<script>
/*
* 304 Responses
*/
// A header used to correlate requests and responses
var state_header = "content-language"
/* Make a request; call ready(client) when done */
function req(url, id, t, ready) {
var client = new XMLHttpRequest()
client.open('GET', url, true)
client.setRequestHeader(state_header, id)
client.send()
client.onreadystatechange = function() {
if (client.readyState == client.DONE) {
t.step(function() {
assert_not_equals(client.status, 299, "req " + id + " server says: " + client.responseText)
})
ready(client)
}
}
return client
}
/*
* Make two requests to test cache behaviour.
* The second is made after the first is done and a delay, to make sure it gets into cache.
*/
function two_reqs(id1, id2, should_have_same_body, t, done) {
var rand = Date.now()
var url = CROSSDOMAIN + 'resources/304.py?id=' + id1 + '&r=%s' + rand
var client1 = req(url, id1, t, function(client1) {
t.step(function() {
assert_equals(client1.response, "Success", "didn't get successful 1st response;")
assert_equals(client1.getResponseHeader(state_header), id1, "1st response didn't come from server;")
})
t.step_timeout(function() {
req(url, id2, t, function(client2) {
t.step(function() {
if (should_have_same_body) {
assert_equals(client1.response, client2.response, "response bodies were different;")
// var res_id2 = client2.getResponseHeader(state_header)
// assert_not_equals(res_id2, id1, "2nd response doesn't appear to have updated cached headers;")
// assert_not_equals(res_id2, null, "2nd response didn't expose request identifier;")
// assert_equals(res_id2, id2, "2nd response is associated with a different request (!);")
}
done(client1, client2)
})
t.done()
})
}, 5000)
})
}
async_test(function(t) {
two_reqs('1', '2', true, t, function(client1, client2) {
assert_equals(client1.getResponseHeader("A"), null, "'A' header exposed without permission;")
})
}, "A 304 response with no CORS headers inherits from the stored response")
async_test(function(t) {
two_reqs('3', '4', true, t, function(client1, client2) {
assert_equals(client2.getResponseHeader("A"), "4", "304 didn't expose 'A' header, even though allowed;")
assert_equals(client2.getResponseHeader("B"), "4", "304 didn't expose 'B' header even though allowed;")
})
}, "A 304 can expand Access-Control-Expose-Headers")
async_test(function(t) {
two_reqs('5', '6', true, t, function(client1, client2) {
assert_equals(client2.getResponseHeader("B"), null, "2nd 304 exposed 'B' header;")
})
}, "A 304 can contract Access-Control-Expose-Headers")
async_test(function(t) {
two_reqs('7', '8', false, t, function(client1, client2) {
assert_not_equals(client1.response, client2.response, "Access granted even though 304 updated it to disallow;")
})
}, "A 304 can change Access-Control-Allow-Origin")
</script>