Bug 799540 - Cross-domain XHR with authentication allowed. r=bz, a=bajaj

content/base/src/nsXMLHttpRequest.cpp

@@ -3826,9 +3826,11 @@ nsXMLHttpRequest::GetInterface(const nsIID & aIID, void **aResult)
 
     // If authentication fails, XMLHttpRequest origin and
     // the request URL are same origin, ...
+    /* Disabled - bug: 799540
     if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
       showPrompt = false;
     }
+    */
 
     // ... Authorization is not in the list of author request headers, ...
     if (showPrompt) {

content/base/test/bug282547.sjs

@@ -1,5 +1,9 @@
 function handleRequest(request, response)
 {
   response.setStatusLine(null, 401, "Unauthorized");
+
   response.setHeader("WWW-Authenticate", "basic realm=\"restricted\"", false);
+
+  response.setHeader("Access-Control-Allow-Origin", "*", false);
+  response.setHeader("Access-Control-Allow-Credentials", "true", false);
 }

content/base/test/test_bug282547.html

@@ -65,10 +65,26 @@ function xhr_auth_header_async() {
   xhr.send(null);
 }
 
+function xhr_crossorigin_sync() {
+  var xhr = new XMLHttpRequest();
+  xhr.open('GET', 'http://example.com/tests/content/base/test/bug282547.sjs', true);
+  xhr.withCredentials = true;
+
+  xhr.onreadystatechange = function() {
+    if (xhr.readyState == 4) {
+      ok(xhr.status == 401, "Status 401");
+      runTests();
+    }
+  }
+
+  xhr.send(null);
+}
+
 var tests = [ xhr_userpass_sync,
               xhr_userpass_async,
               xhr_auth_header_sync,
-              xhr_auth_header_async ];
+              xhr_auth_header_async,
+              /* Disabled: bug799540 xhr_crossorigin_sync */ ];
 function runTests() {
   if (!tests.length) {
     SimpleTest.finish();