
Re: CORS test status

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sat, 29 Sep 2012 00:05:34 -0400
Message-ID: <5066738E.1010805@mit.edu>
To: gopal.raghavan@nokia.com
CC: public-webappsec@w3.org
On 9/25/12 1:35 PM, gopal.raghavan@nokia.com wrote:
> You can run all the CORS tests using testRunner.
>
> http://w3c-test.org/webappsec/tests/testRunner/

Here's a report on these tests from someone who actually went through 
the various failures in Firefox.  Short story is that it looks like the 
tests were deployed incorrectly, since they are systematically buggy in 
the same way in many cases, and the server they are deployed in does not 
support all the server-side behavior the tests depend on.

Report looks like this:

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/status.htm
1 of 5 failed test - because the server does not respond with: 
Access-Control-Allow-Header (TEST ERROR)

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/preflight-cache.htm
5 of 5 failed: same reason. (TEST ERROR)

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/request.htm
3 of 6 failed: same reason (TEST ERROR)

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/response.htm
3 of 15 failed:
1. 'x-custom-header-bytes' has this byte sequence: "\xE2\x80\xA6" but on 
JS this is interpreted as unicode ''.  This is a Gecko bug
2. 'x-custom-header-empty' is not part of the response. It is null but 
the test wants to have it as '' (empty string) just because it's listed 
in Access-Control-Expose-Headers.  (TEST ERROR)
3. 'x-custom-header' is just listed on Access-Control-Expose-Headers but 
it's not used in the response. For us it is null; for the test it should 
not be null. (TEST ERROR)

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/status-errors.htm
1 failed - same reason as before (TEST ERROR)

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/status-preflight.htm
all failed for the same reason (TEST ERROR)

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/status-async.htm
many fails just because the server doesn't allow PUT and other methods. 
(TEST ERROR)

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/status-async.htm
many failed: XHR doesn't have this property client.HEADERS_RECIEVED. 
Javascript error (TEST ERROR) [NOTE: this is just a typo; should be 
"HEADERS_RECEIVED".  --bz]

-Boris
Received on Saturday, 29 September 2012 04:06:06 GMT
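
Added example, not part of the original message or of the test suite: a simplified model of the header filter behind items 2 and 3 of the response.htm report, showing why a name that is only listed in Access-Control-Expose-Headers reads back as null while a header actually sent with an empty value reads back as ''. The function names, the sample response and the 'X-Empty-Sent' and 'X-Secret' headers are constructed for illustration; the always-readable list is the CORS specification's simple response headers.

```javascript
// Simplified model of the CORS filter applied to response headers read via
// XMLHttpRequest.getResponseHeader() on a cross-origin response.
// "Simple response headers" from the CORS specification: always readable.
const SIMPLE_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);

// Build a case-insensitive map from raw [name, value] pairs.
function parseHeaders(pairs) {
  const map = new Map();
  for (const [name, value] of pairs) {
    const key = name.toLowerCase();
    // Repeated headers are combined into one comma-separated value.
    map.set(key, map.has(key) ? map.get(key) + ", " + value : value);
  }
  return map;
}

// Names the server opted in to exposing via Access-Control-Expose-Headers.
function exposedNames(headers) {
  const raw = headers.get("access-control-expose-headers") || "";
  return new Set(raw.split(",").map(s => s.trim().toLowerCase()).filter(Boolean));
}

// Hypothetical stand-in for getResponseHeader(): null when the header is not
// exposed OR not present in the response; otherwise its value (possibly "").
function getResponseHeader(pairs, name) {
  const headers = parseHeaders(pairs);
  const key = name.toLowerCase();
  const readable = SIMPLE_RESPONSE_HEADERS.has(key) || exposedNames(headers).has(key);
  if (!readable || !headers.has(key)) return null;
  return headers.get(key);
}

// Constructed response: 'X-Custom-Header' is listed as exposed but never sent.
const sampleResponse = [
  ["Content-Type", "text/plain"],
  ["Access-Control-Allow-Origin", "*"],
  ["Access-Control-Expose-Headers", "X-Custom-Header, X-Empty-Sent"],
  ["X-Empty-Sent", ""],
  ["X-Secret", "sent but not listed"],
];

for (const n of ["x-custom-header", "X-Empty-Sent", "X-Secret", "Content-Type"])
  console.log(n, "->", JSON.stringify(getResponseHeader(sampleResponse, n)));
```

Listing a name in Access-Control-Expose-Headers only grants permission to read it; it does not create the header, which is the distinction the two TEST ERROR items turn on.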
