
Re: CORS test status

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sat, 29 Sep 2012 00:05:34 -0400
Message-ID: <5066738E.1010805@mit.edu>
To: gopal.raghavan@nokia.com
CC: public-webappsec@w3.org
On 9/25/12 1:35 PM, gopal.raghavan@nokia.com wrote:
> You can run all the CORS tests using testRunner.
> http://w3c-test.org/webappsec/tests/testRunner/

Here's a report on these tests from someone who actually went through 
the various failures in Firefox.  Short story is that it looks like the 
tests were deployed incorrectly, since they are systematically buggy in 
the same way in many cases, and the server they are deployed in does not 
support all the server-side behavior the tests depend on.

Report looks like this:

1 of 5 failed test - because the server does not respond with: 
Access-Control-Allow-Header (TEST ERROR)

5 of 5 failed: same reason. (TEST ERROR)

3 of 6 failed: same reason (TEST ERROR)

3 of 15 failed:
1. 'x-custom-header-bytes' has this byte sequence: "\xE2\x80\xA6" but on 
JS this is interpreted as unicode ''.  This is a Gecko bug
2. 'x-custom-header-empty' is not part of the response. It is null but 
the test wants to have it as '' (empty string) just because it's listed 
in Access-Control-Expose-Headers.  (TEST ERROR)
3. 'x-custom-header' is just listed on Access-Control-Expose-Headers but 
it's not used in the response. For us it is null; for the test it should 
not be null. (TEST ERROR)

1 failed - same reason as before (TEST ERROR)

all failed for the same reason (TEST ERROR)

many fails just because the server doesn't allow PUT and other methods. 

many failed: XHR doesn't have this property client.HEADERS_RECIEVED. 
Javascript error (TEST ERROR) [NOTE: this is just a typo; should be 

Received on Saturday, 29 September 2012 04:06:06 UTC
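
The distinction behind items 2 and 3 of the report above, as an added example (not part of the original message, and not browser or test-suite code): a simplified model of what a cross-origin getResponseHeader() returns for headers that are listed in Access-Control-Expose-Headers versus headers actually sent. The X-Sent-Empty and X-Not-Exposed headers, the sample response and the function names are constructed for illustration.

```javascript
// Simplified model (added example) of cross-origin response header exposure.
// Headers readable without being listed, per the CORS "simple response header" set.
const SIMPLE_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);

// Parse the comma-separated Access-Control-Expose-Headers value into a
// lowercase set; header names compare case-insensitively.
function parseExposeList(value) {
  return new Set(
    (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean)
  );
}

// rawHeaders: array of [name, value] pairs as sent by the server.
// Returns a function that behaves like a cross-origin getResponseHeader().
function makeGetResponseHeader(rawHeaders) {
  const byName = new Map();
  for (const [name, value] of rawHeaders) {
    const key = name.toLowerCase();
    // Repeated headers are combined with ", ".
    byName.set(key, byName.has(key) ? byName.get(key) + ", " + value : value);
  }
  const exposed = parseExposeList(byName.get("access-control-expose-headers"));
  return function getResponseHeader(name) {
    const key = name.toLowerCase();
    // Not sent at all: null, even when the name is in the expose list.
    if (!byName.has(key)) return null;
    // Sent but neither simple nor exposed: hidden from script, so null.
    if (!SIMPLE_RESPONSE_HEADERS.has(key) && !exposed.has(key)) return null;
    // Sent and readable: the value, which may legitimately be "".
    return byName.get(key);
  };
}

// Constructed sample response: two names are listed but never sent.
const SAMPLE_RESPONSE = [
  ["Content-Type", "text/plain"],
  ["Access-Control-Allow-Origin", "*"],
  ["Access-Control-Expose-Headers",
   "X-Custom-Header, X-Custom-Header-Empty, X-Sent-Empty"],
  ["X-Sent-Empty", ""],
  ["X-Not-Exposed", "secret"],
];
const getHeader = makeGetResponseHeader(SAMPLE_RESPONSE);
```

Only a header that is both present in the response and exposed can yield the empty string; a name that appears solely in the expose list yields null.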
