- From: Odin Hørthe Omdal <odinho@opera.com>
- Date: Sun, 14 Apr 2013 04:08:45 +0200
- To: public-webappsec-testsuite@w3.org
On Sun, Apr 14, 2013, at 2:12, Hill, Brad wrote:
> No worries. I'm hacking at a Test The Web Forward event in Seattle
> today, and thought I'd try to work on some of the outstanding bugs in the
> CORS suite.
>
> Also, I found out now that these tests appear to pass on the public
> server, but fail on the test VM. Digging into it, I see it is because
> the public server completely strips the Access-Control-Allow-Origin
> header when it has a null byte (either the PHP or Apache version is
> different in this regard) but the VM, with a slightly different version
> of PHP and Apache, sends the header and strips the null byte.
>
> (see attached traces)
>
> I think these tests are therefore even more questionable since they
> seem to depend on server behavior in this regard.

No, that is the wrong way to look at it :-) It's not the tests that are wrong, it's the server setup then. The W3C Apache server is known to be useless for some parts of the CORS tests. That's why I have them on my own server.

I've had a power outage since last time, and also I still haven't set up HTTPS, so some tests are expected to fail because of that server setup. But mostly the OPTIONS tests that fail at the w3c-test.org server because of bad configuration work from my server:

http://test.s0.no/w3c-tests/webappsec/tests/cors/submitted/opera/staging/testrunner.html

Also found out that these tests are not really all that tolerant to high latency, and since that is running from my server behind the TV in my childhood home - people far away from Europe might not always get the best results :P

The fix is obviously to fix w3c-test.org, but last time it was a bit hard. Maybe there's fresh energy to start again on it now.

You should also check the report:

http://odinho.html5.org/CORS/testsuite-report.html

Where you find deviations, there might be bugs lurking.

We should take a good look at the \0 issue. But we should have some tests for it.

If you're still at the TestTWF event you are very free to either expand with a few new tests or fix the issues that currently exist in this one. Since we're not on GitHub yet, the process is not that smooth, but it can become that. I have reviewed three pull requests from the event already, so I'll wait for some hot stuff from you too then? :D

[ I'm the worst just-go-to-bed'er ever ]

--
Odin Hørthe Omdal
odinho@opera.com
Received on Sunday, 14 April 2013 02:09:07 UTC