QA/Firefox3.5/XHR TestPlan: Difference between revisions

Line 27: Line 27:


== Test Cases ==
== Test Cases ==
* {{done|Test various values of origin}}
* {{done|Ensure preflight req gets fired when try a REQ that is not GET or POST}}
* {{done|Ensure preflight req gets fired when try a REQ that is not GET or POST}}
* {{done|Ensure prelight req gets fired when REQ with header not in whitelist}}
* {{done|Ensure prelight req gets fired when REQ with header not in whitelist}}
* Ensure that in a situation where preflight is forced to be true (due to update progress listeners) we still do that even though everything else about our REQ is simple XSS  
* {{done|Ensure that in a situation where preflight is forced to be true (due to update progress listeners) we still do that even though everything else about our REQ is simple XSS}}
* test error handling when we get a XSS REQ and get a header not in RESP header whitelist - ensure both looking for specific header and looking for all headers doesn't display the header
* {{done|test error handling when we get a XSS REQ and get a header not in RESP header whitelist - ensure both looking for specific header and looking for all headers doesn't display the header}}
* attempt to fake the origin on the REQ
* attempt to fake the origin on the REQ
* {{skip|redirects (see redirect cases below)}}
* {{skip|redirects (see redirect cases below)}}
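Review bot: the "attempt to fake the origin on the REQ" item is the only case in this hunk that has neither a done marker nor an expected outcome; the items around it state "--> preflight" or say what must not be displayed, so record the pass condition here too (for instance, that the faked value is not the one sent) so the tester knows what result counts. Minor: "prelight" in the two whitelist items should read "preflight".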
Line 37: Line 38:
* {{done|test expiration of a access-control-max-age header from a result cache}}
* {{done|test expiration of a access-control-max-age header from a result cache}}
* test with access-control-allow-credentials as both true and false
* test with access-control-allow-credentials as both true and false
* use access-control-allow-methods to ensure only specified methods work (disable get for ex)
* {{done|use access-control-allow-methods to ensure only specified methods work}}
* {{done|do the same with *-headers.}}
* {{done|do the same with *-headers.}}
* test correct request with an origin from evil.com and see if the specification blocks the request (isn't that part of the server code and outside our control?)
* test correct request with an origin from evil.com and see if the specification blocks the request (isn't that part of the server code and outside our control?)
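Review bot: marking the access-control-allow-methods item done dropped its "(disable get for ex)" note, so the record no longer says which method was disabled; keep the concrete method in the done text so the run is reproducible. The evil.com item's parenthetical question is still open after this edit: the part under the client's control is the response check, so the case could be reworded as "response access-control-allow-origin does not match the request origin --> fail", in line with the allow-origin cases later in the plan, rather than left as a question.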
Line 47: Line 48:


=== Simple XSS XHR ===
=== Simple XSS XHR ===
* preflight false, REQ method GET && headers in whitelist --> work
* {{done|preflight false, REQ method GET && headers in whitelist --> work}}
* preflight false, REQ method HEAD && headers in whitelist --> work
* preflight false, REQ method HEAD && headers in whitelist --> work
** ensure we get the "success" status flag
** ensure we get the "success" status flag
* {{done|preflight false, REQ method GET && headers ! in whitelist --> preflight}}
* {{done|preflight false, REQ method GET && headers ! in whitelist --> preflight}}
* preflight false, REQ method HEAD && headers ! in whitelist --> preflight
* preflight false, REQ method HEAD && headers ! in whitelist --> preflight
* preflight false, REQ method POST && headers ! in whitelist -- preflight
* {{done|preflight false, REQ method POST && headers ! in whitelist -- preflight}}
* preflight false, REQ method POST && headers in whitelist && Header contains content-type but value of content-type != (application/x-www-form-urlencoded, multipart/form-dat, or text/plain) --> preflight
* {{done|preflight false, REQ method POST && headers in whitelist && Header contains content-type but value of content-type != (application/x-www-form-urlencoded, multipart/form-dat, or text/plain) --> preflight}}
** the above with content-type == to each of those three things --> work
** the above with content-type == to each of those three things --> work
*** {{done|content-type == text/plain}}
*** content-type == application/x-www-form-urlencoded
*** content-type == multipart/form-data
* getResponseHeader() does not get access to cookie2 header and othe headers not in RESP whitelist
* getResponseHeader() does not get access to cookie2 header and othe headers not in RESP whitelist
* cause a user cancel and ensure abort steps followed
* cause a user cancel and ensure abort steps followed
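Review bot: the two new content-type sub-items (application/x-www-form-urlencoded and multipart/form-data) are added without a done marker while text/plain is marked done, so two of the three content types that keep a POST "simple" are still untested; the HEAD variants in this block are also still open. Style: "multipart/form-dat" in the parent item (and its done copy) is missing the trailing "a", which matters if the string is pasted into the test, and "othe" should read "other".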
Line 62: Line 66:
=== Preflight XSS XHR ===
=== Preflight XSS XHR ===
* {{done|test using a cached entry after the time has expired --> should get a notification of failure that you need to preflight again}}
* {{done|test using a cached entry after the time has expired --> should get a notification of failure that you need to preflight again}}
* test that a method name matches case insensitively
* {{done|test that a method name matches case insensitively}}
* test that headers match case insensitively
* {{done|test that every header name matches header in the cache}}
* {{done|test that every header name matches header in the cache}}
* test when both a header and a method are specified that we match the proper one
* {{done|test when both a header and a method are specified that we match the proper one}}
* {{done|test that if no expiration time given, no cache entry made}}
* {{done|test that when we do not have all the headers in our request that are in the cache --> cache fail}}
* {{done|test that when we do not have all the headers in our request that are in the cache --> cache fail}}
* test that we do not have a method that matches --> cache fail
* {{done|test that we do not have a method that matches --> cache fail}}
* {{done|test that multiple methods can be cached and retrieved}}
* {{done|test that both header and method are empty when they are not empty in the cache --> cache fail}}
* {{done|test that both header and method are empty when they are not empty in the cache --> cache fail}}
* can we make a preflight with credentials?  Should fail, should not be allowed
* can we make a preflight with credentials?  Should fail, should not be allowed
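Review bot: rewording "test that headers match case insensitively" into "test that every header name matches header in the cache" removes the header case-insensitivity check from the plan without marking it done, while the method case-insensitivity item keeps its own line; restore the headers case-insensitivity case as a separate item so the cache-match tests cover both. The "preflight with credentials" item remains without a done marker after this edit.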
Line 75: Line 82:
* test network error
* test network error
* test access control fail --> ensure cache and network steps followed
* test access control fail --> ensure cache and network steps followed
* test failure to parse methods (value with a space for instance) when parsing the access-control-allow-methods values --> cache and network steps
* {{done|test failure to parse methods (value with a space for instance) when parsing the access-control-allow-methods values --> cache and network steps}}
* test failure to parse headers when parsing access-control-headers --> cache and network steps
* test failure to parse headers when parsing access-control-headers --> cache and network steps
* {{done|test that every REQ header does not match headers --> cache & network steps}}
* {{done|test that every REQ header does not match headers --> cache & network steps}}
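Review bot: the header-parsing item refers to "access-control-headers", while the methods item beside it names the real header "access-control-allow-methods"; write it as "access-control-allow-headers" (the "*-headers" counterpart referred to in the earlier allow-methods hunk) so the tester does not look for a header that does not exist. Only the methods parse-failure case is marked done here; the headers parse-failure, network-error and access-control-fail cases are still open.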
Line 83: Line 90:
* if actual req canceled -> abort
* if actual req canceled -> abort
* if actual req network error -> network eror
* if actual req network error -> network eror
* if actuql req access check fails -> cache & network steps
* if actual req access check fails -> cache & network steps
* test that an actual req can pass
* test that an actual req can pass


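Review bot: "actuql" is fixed to "actual" but "network eror" in the line above is left as is; fix it in the same pass. None of the four actual-request outcomes (cancel, network error, access check failure, pass) carries a done marker yet.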
Line 119: Line 126:
* test wit credentials flag == true && 0 access-control-allow-origin hdr --> fail
* test wit credentials flag == true && 0 access-control-allow-origin hdr --> fail
* test wit credentials flag == true && >1 access-control-allow-origin hdr --> fail
* test wit credentials flag == true && >1 access-control-allow-origin hdr --> fail
* test with credentials flag == true && access-control-allow-credentials is not true __> fail
* {{done|test with credentials flag == true && access-control-allow-credentials is not true __> fail}}
* test with credentials flag == true && access-control-allow-credentials == true && 0 access-control-allow-origin --> fail
* test with credentials flag == true && access-control-allow-credentials == true && 0 access-control-allow-origin --> fail
* test with credentials flag == true && access-control-allow-credentials == true && >1 access-control-allow-origin --> fail
* test with credentials flag == true && access-control-allow-credentials == true && >1 access-control-allow-origin --> fail
* test with credentials flag == true && access-control-allow-credentials == true && 1 access-control-allow-origin --> pass
* {{done|test with credentials flag == true && access-control-allow-credentials == true && 1 access-control-allow-origin --> pass}}
* test with credentials flag == false && access-control-allow-credentials==true && 1 access-control-allow-origin --> pass (as per the spec, unspecified case)
* test with credentials flag == false && access-control-allow-credentials==true && 1 access-control-allow-origin --> pass (as per the spec, unspecified case)
* test with access-control-allow-origin == * && credentials flag == false && access-allow-credentials == true --> pass
* {{done|test with access-control-allow-origin == * && credentials flag == false && access-allow-credentials == true --> pass}}
* test with access-control-allow-origin == * && credentials flag == false && access-allow-credentials == false --> pass
* test with access-control-allow-origin == * && credentials flag == false && access-allow-credentials == false --> pass
* test with access-control-allow-origin == * && credentials flag == true && access-allow-credentials == true --> pass
* {{done|test with access-control-allow-origin == * && credentials flag == true && access-allow-credentials == true --> pass}}


=== Redirect Steps ===
=== Redirect Steps ===
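Review bot: the last item, access-control-allow-origin == * with credentials flag == true and allow-credentials == true, is marked done with an expected result of "pass"; every other credentials-true case in this block expects exactly one access-control-allow-origin value, and wildcard plus credentials is the combination that would let any origin read a credentialed response, so cite the spec clause next to the item if "pass" is really the intended outcome rather than "fail". Style: "access-allow-credentials" in the last six items should be "access-control-allow-credentials" as used in the items above, "wit" should be "with", and "__>" should be "-->".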