From 334562ef9936708f5be39159f2e1befb967d6fc9 Mon Sep 17 00:00:00 2001
From: Andrea Marchesini
Date: Thu, 11 Oct 2012 13:45:37 -0400
Subject: [PATCH] Bug 799540 - Cross-domain XHR with authentication allowed. r=bz, a=bajaj
---
 content/base/src/nsXMLHttpRequest.cpp | 2 ++
 content/base/test/bug282547.sjs | 4 ++++
 content/base/test/test_bug282547.html | 18 +++++++++++++++++-
 3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
index 4d440115b493..f932452fc0ea 100644
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@@ -3826,9 +3826,11 @@ nsXMLHttpRequest::GetInterface(const nsIID & aIID, void **aResult)
 // If authentication fails, XMLHttpRequest origin and
 // the request URL are same origin, ...
+ /* Disabled - bug: 799540
 if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
 showPrompt = false;
 }
+ */
 // ... Authorization is not in the list of author request headers, ...
 if (showPrompt) {
diff --git a/content/base/test/bug282547.sjs b/content/base/test/bug282547.sjs
index b4908b0b1d39..8476a61724cd 100644
--- a/content/base/test/bug282547.sjs
+++ b/content/base/test/bug282547.sjs
@@ -1,5 +1,9 @@
 function handleRequest(request, response) {
 response.setStatusLine(null, 401, "Unauthorized");
+ response.setHeader("WWW-Authenticate", "basic realm=\"restricted\"", false);
+
+ response.setHeader("Access-Control-Allow-Origin", "*", false);
+ response.setHeader("Access-Control-Allow-Credentials", "true", false);
 }
diff --git a/content/base/test/test_bug282547.html b/content/base/test/test_bug282547.html
index ca6e23d79ae3..0329633f942c 100644
--- a/content/base/test/test_bug282547.html
+++ b/content/base/test/test_bug282547.html
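Review bot: The two comment lines that introduce the disabled block — `// If authentication fails, XMLHttpRequest origin and` / `// the request URL are same origin, ...` — still state the same-origin condition that `if (mState & XML_HTTP_REQUEST_USE_XSITE_AC)` used to enforce, so after this hunk the text describes a check the code no longer performs. Commenting the block out with only a bug number also leaves dead code from which a reader cannot tell whether the prompt is now intentionally left unsuppressed for cross-site credentialed requests or whether this is a temporary workaround. I would delete the disabled lines and replace the two comment lines with `// Do not suppress the auth prompt for cross-site (CORS) requests here; see bug 799540. showPrompt is decided solely by the Authorization-header check below.`. GetInterface's body continues outside the hunk, so the `showPrompt` initialisation and the remaining branches are not visible here.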
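Review bot: `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true` is a combination the CORS response check does not accept for a credentialed request (a wildcard origin is rejected when credentials are sent), and the client in test_bug282547.html sets `withCredentials = true`, so the browser would block this response rather than surface the 401 the test expects. If the fixture is meant to exercise credentialed cross-site auth, echo the caller's origin instead: `if (request.hasHeader("Origin")) response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"), false);`. A one-line comment above the two CORS headers, e.g. `// Let the cross-site caller in test_bug282547.html observe the 401 instead of a CORS failure`, would also tell the next reader why a 401 fixture carries CORS headers at all.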
@@ -65,10 +65,26 @@ function xhr_auth_header_async() {
 xhr.send(null);
 }
+function xhr_crossorigin_sync() {
+ var xhr = new XMLHttpRequest();
+ xhr.open('GET', 'http://example.com/tests/content/base/test/bug282547.sjs', true);
+ xhr.withCredentials = true;
+
+ xhr.onreadystatechange = function() {
+ if (xhr.readyState == 4) {
+ ok(xhr.status == 401, "Status 401");
+ runTests();
+ }
+ }
+
+ xhr.send(null);
+}
+
 var tests = [ xhr_userpass_sync,
 xhr_userpass_async,
 xhr_auth_header_sync,
- xhr_auth_header_async ];
+ xhr_auth_header_async,
+ /* Disabled: bug799540 xhr_crossorigin_sync */ ];
 function runTests() {
 if (!tests.length) {
 SimpleTest.finish();
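Review bot: `xhr_crossorigin_sync` is referenced only from inside the block comment in `tests`, so the new function never runs, and its name says sync while `xhr.open(...)` passes `true`, the same async mode `xhr_auth_header_async` uses. If leaving it disabled is intentional, the comment in the array should say what has to change before it can be enabled rather than only the bug number; if not, list it as `xhr_auth_header_async,` / `xhr_crossorigin_async ];` and rename the function to match. Asserting only `xhr.status == 401` also does not by itself show the property this bug is about (whether an auth prompt was raised for a cross-site credentialed request), so a short comment on the `ok(...)` line stating what a 401 here is expected to prove would make the test's intent checkable.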