Bug 26510 - Add tests for authentication behavior with cross-origin XMLHttpRequest
Summary: Add tests for authentication behavior with cross-origin XMLHttpRequest
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Tools / Tests (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Alexey Proskuryakov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-18 03:02 PDT by Alexey Proskuryakov
Modified: 2009-06-18 13:00 PDT (History)
0 users

See Also:


Attachments
proposed patch (20.28 KB, patch)
2009-06-18 09:38 PDT, Alexey Proskuryakov
mjs: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alexey Proskuryakov 2009-06-18 03:02:30 PDT
We need to test how withCredentials attribute affects XMLHttpRequest.
Comment 1 Alexey Proskuryakov 2009-06-18 09:38:25 PDT
Created attachment 31499 [details]
proposed patch
Comment 2 Maciej Stachowiak 2009-06-18 10:31:03 PDT
Comment on attachment 31499 [details]
proposed patch

r=me
Comment 3 David Levin 2009-06-18 11:08:33 PDT
It looks like mjs gave an r+ while i was looking at this so I'll just send along my comments as an fyi.

> Index: LayoutTests/http/tests/xmlhttprequest/cross-origin-authorization-expected.txt
> ===================================================================
> +Start
> +Trying different ways to access a password protected resource from another origin. The UA already has login and password for this protection space.

It would be nice to indicate the expected result here for anyone running it standalone.  Something like "You should see a several PASSes followed by a DONE."



> Index: LayoutTests/http/tests/xmlhttprequest/cross-origin-authorization.html
> ===================================================================
> +function test()
> +{
> +    log("Trying different ways to access a password protected resource from another origin. The UA already has login and password for this protection space.\n")
> +    log("SCRIPT SRC='...' Should succeed, since authorization is sent for cross-origin subresource loads.");
> +    var scriptElement = document.createElement("script");
> +    scriptElement.setAttribute("src", "http://localhost:8000/xmlhttprequest/resources/cross-origin-authorization.php");
> +    scriptElement.setAttribute("onload", "test_sync_auth_stored()");
> +    scriptElement.setAttribute("onerror", "test_sync_auth_stored()");

Why does it run the function for onload or onerror?


> +    document.body.appendChild(scriptElement);
> +}
> +
> +function test_sync_auth_stored()

testSyncAuthStored seems like it is more consistent with function names (even in js).
Same thing for the other functions in here.


> +
> +function test_async_cookies()
> +{
> +    log("Cross-origin XMLHttpRequest (async), testing cookies.");
> +
> +    var req = new XMLHttpRequest;
> +    req.open("GET", "http://localhost:8000/xmlhttprequest/resources/cross-origin-check-cookies.php", true);
> +    req.withCredentials = true;
> +    req.send();
> +    req.onload = function() {
> +	    log(req.responseText.match(/WK\-cross\-origin/) ? "PASS" : "FAIL");

There is a TAB here.


> Index: LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization.html
> +function test_async_cookies()
> +{
> +    log("Cross-origin XMLHttpRequest (async), testing cookies.");
> +
> +    var req = new XMLHttpRequest;
> +    req.open("GET", "http://localhost:8000/xmlhttprequest/resources/cross-origin-check-cookies.php", true);
> +    req.send();
> +    req.onload = function() {
> +	    log(req.responseText.match(/WK\-cross\-origin/) ? "FAIL" : "PASS");
There is a TAB here.


> Index: LayoutTests/http/tests/xmlhttprequest/resources/cross-origin-authorization.php
> ===================================================================
> +<?php
> +header("Set-Cookie: WK-cross-origin=1");

It seems like it would be nice to only set the cookie after the authorization was checked (after "if (!isset($_SERVER['PHP_AUTH_USER']))").


> +if (!isset($_SERVER['PHP_AUTH_USER'])) {
Why not check the actual user name and password to verify that they were sent correctly?


> Index: LayoutTests/http/tests/xmlhttprequest/resources/cross-origin-check-cookies.php
> ===================================================================
> +if (isset($_COOKIE['WK-cross-origin'])) {
> +    echo 'WK-cross-origin: ' . $_COOKIE['WK-cross-origin'];
> +} else {
> +	echo 'Cross-origin cookie was not sent.';
TAB.


> Index: LayoutTests/http/tests/xmlhttprequest/resources/cross-origin-no-authorization.php
> ===================================================================

Same comments as above for the similar code.
Comment 4 Alexey Proskuryakov 2009-06-18 13:00:12 PDT
Committed revision 44816.

Note that Firefox fails some of the tests - it doesn't send cookies even when withCredentials is true, and raises an exception when trying to specify cross-site credentials explicitly (which we silently ignore).

(In reply to comment #3)
> It would be nice to indicate the expected result here for anyone running it
> standalone.  Something like "You should see a several PASSes followed by a
> DONE."

Done.

> Why does it run the function for onload or onerror?

It's going to the next test regardless of whether the current one passed.

> testSyncAuthStored seems like it is more consistent with function names (even
> in js).
> Same thing for the other functions in here.

I like to be inconsistent in tests - what if someone accidentally modifies JS parser in a way that it no longer supports underscores?

> It seems like it would be nice to only set the cookie after the authorization
> was checked (after "if (!isset($_SERVER['PHP_AUTH_USER']))").

I'm not sure. The current code kind sends a signal that the cookie may be set before you expect it to - and that's the case because several tests set it anyway.

> > +if (!isset($_SERVER['PHP_AUTH_USER'])) {
> Why not check the actual user name and password to verify that they were sent
> correctly?

There are several user names used in the tests.

Thank you for your comments!