- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Sat, 29 Sep 2012 00:05:34 -0400
- To: gopal.raghavan@nokia.com
- CC: public-webappsec@w3.org
On 9/25/12 1:35 PM, gopal.raghavan@nokia.com wrote:
> You can run all the CORS tests using testRunner.
>
> http://w3c-test.org/webappsec/tests/testRunner/

Here's a report on these tests from someone who actually went through the various failures in Firefox. Short story is that it looks like the tests were deployed incorrectly, since they are systematically buggy in the same way in many cases, and the server they are deployed in does not support all the server-side behavior the tests depend on.

Report looks like this:

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/status.htm
1 of 5 failed test - because the server does not respond with: Access-Control-Allow-Header (TEST ERROR)

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/preflight-cache.htm
5 of 5 failed: same reason. (TEST ERROR)

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/request.htm
3 of 6 failed: same reason (TEST ERROR)

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/response.htm
3 of 15 failed:

1. 'x-custom-header-bytes' has this byte sequence: "\xE2\x80\xA6" but on JS this is interpreted as unicode '…'. This is a Gecko bug
2. 'x-custom-header-empty' is not part of the response. It is null but the test wants to have it as '' (empty string) just because it's listed in Access-Control-Expose-Headers. (TEST ERROR)
3. 'x-custom-header' is just listed on Access-Control-Expose-Headers but it's not used in the response. For us it is null; for the test it should not be null. (TEST ERROR)

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/status-errors.htm
1 failed - same reason as before (TEST ERROR)

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/status-preflight.htm
all failed for the same reason (TEST ERROR)

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/status-async.htm
many fails just because the server doesn't allow PUT and other methods. (TEST ERROR)

http://w3c-test.org/webappsec/tests/cors/submitted/opera/js/status-async.htm
many failed: XHR doesn't have this property client.HEADERS_RECIEVED. Javascript error (TEST ERROR)
[NOTE: this is just a typo; should be "HEADERS_RECEIVED". --bz]

-Boris
Received on Saturday, 29 September 2012 04:06:06 UTC
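
As an added illustration of points 1 to 3 in the response.htm results above (not part of the original message or of the test suite), here is a small Node.js model of which header values a CORS response exposes to script. The names `exposedHeaderReader` and `demo`, the `X-Not-Exposed` header and the sample responses are constructed for this example; the byte-to-character mapping shown is the behaviour the report treats as expected.

```javascript
// Added model, not browser or test-suite code.
// Simple response headers: readable cross-origin without being listed.
const SIMPLE_RESPONSE_HEADERS = new Set([
  'cache-control', 'content-language', 'content-type',
  'expires', 'last-modified', 'pragma',
]);

// rawHeaders: [name, Buffer] pairs as received on the wire.
// exposeValue: the Access-Control-Expose-Headers value (or undefined).
function exposedHeaderReader(rawHeaders, exposeValue) {
  const exposed = new Set(SIMPLE_RESPONSE_HEADERS);
  for (const item of (exposeValue || '').split(',')) {
    const name = item.trim().toLowerCase();
    if (name) exposed.add(name);
  }
  const present = new Map();
  for (const [name, bytes] of rawHeaders) {
    const key = name.toLowerCase();
    // One byte becomes one code unit (latin1); no UTF-8 decoding.
    const value = bytes.toString('latin1');
    present.set(key, present.has(key) ? `${present.get(key)}, ${value}` : value);
  }
  // Stand-in for XMLHttpRequest.getResponseHeader on a cross-origin response:
  // listing a name exposes it, but never creates a value for an absent header.
  return (name) => {
    const key = name.toLowerCase();
    return exposed.has(key) && present.has(key) ? present.get(key) : null;
  };
}

// Constructed sample responses using the header names from the report.
function demo() {
  const expose = 'x-custom-header-bytes, x-custom-header-empty, x-custom-header';
  const get = exposedHeaderReader([
    ['Content-Type', Buffer.from('text/plain')],
    ['X-Custom-Header-Bytes', Buffer.from([0xe2, 0x80, 0xa6])],
    ['X-Not-Exposed', Buffer.from('secret')], // hypothetical unlisted header
  ], expose);
  const getWithEmpty = exposedHeaderReader(
    [['X-Custom-Header-Empty', Buffer.alloc(0)]], expose);
  return {
    bytes: get('x-custom-header-bytes'),          // three code units, not '…'
    listedButAbsent: get('x-custom-header'),      // null
    emptyAbsent: get('x-custom-header-empty'),    // null
    emptyPresent: getWithEmpty('x-custom-header-empty'), // ''
    notExposed: get('x-not-exposed'),             // null: present but unlisted
    simple: get('content-type'),
  };
}

console.log(demo());
```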