QA/Firefox3.5/XHR TestPlan: Difference between revisions

Line 27: Line 27:


== Test Cases ==
== Test Cases ==
* Ensure preflight req gets fired when try a REQ that is not GET or POST
* {{done|Ensure preflight req gets fired when try a REQ that is not GET or POST}}
* Ensure prelight req gets fired when REQ with header not in whitelist
* {{done|Ensure prelight req gets fired when REQ with header not in whitelist}}
* Ensure that in a situation where preflight is forced to be true (due to update progress listeners) we still do that even though everything else about our REQ is simple XSS  
* Ensure that in a situation where preflight is forced to be true (due to update progress listeners) we still do that even though everything else about our REQ is simple XSS  
* test error handling when we get a XSS REQ and get a header not in RESP header whitelist - ensure both looking for specific header and looking for all headers doesn't display the header
* test error handling when we get a XSS REQ and get a header not in RESP header whitelist - ensure both looking for specific header and looking for all headers doesn't display the header
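Review bot: the second bullet is now wrapped in <nowiki>{{done|...}}</nowiki> but still reads "prelight"; correct it to "preflight" while the line is being touched, so that a search for the term finds this case.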
Line 35: Line 35:
* Cannot get document.cookie of requested resource
* Cannot get document.cookie of requested resource
* Ensure no trusted data ever exposed of the resource
* Ensure no trusted data ever exposed of the resource
* resource with two access-control-allow-origin headers one with site and one with * -> should be relegated only to the site one
* {{done|test expiration of a access-control-max-age header from a result cache}}
* test expiration of a access-control-max-age header from a result cache
* test with access-control-allow-credentials as both true and false
* test with access-control-allow-credentials as both true and false
* use access-control-allow-methods to ensure only specified methods work (disable get for ex)
* use access-control-allow-methods to ensure only specified methods work (disable get for ex)
* do the same with *-headers.
* {{done|do the same with *-headers.}}
* test correct request with an origin from evil.com and see if the specification blocks the request (isn't that part of the server code and outside our control?)
* test correct request with an origin from evil.com and see if the specification blocks the request (isn't that part of the server code and outside our control?)
* test access-control-request-method/-header to ensure that non-allowed method/headers are blocked from the actual request as part of the pre-flight
*{{done|test access-control-request-method/-header to ensure that non-allowed method/headers are blocked from the actual request as part of the pre-flight}}
* XMLHttpRequest::getResponseHeader() does not have access to the Cookie2 header and other headers not on Response Header whitelist
* XMLHttpRequest::getResponseHeader() does not have access to the Cookie2 header and other headers not on Response Header whitelist
* Attempt to set a cookie on the REQ
* Attempt to set a cookie on the REQ
* Ensure we have a test for a proper access-control-allow-origin header
* {{done|Ensure we have a test for a proper access-control-allow-origin header}}
* Can we simply create a testcase where we attempt a REQ without an origin?
* Can we simply create a testcase where we attempt a REQ without an origin?


=== Simple XSS XHR ===
=== Simple XSS XHR ===
* preflight false, REQ method GET||HEAD && headers in whitelist --> work
* preflight false, REQ method GET && headers in whitelist --> work
* preflight false, REQ method HEAD && headers in whitelist --> work
** ensure we get the "success" status flag
** ensure we get the "success" status flag
* preflight false, REQ method GET||HEAD && headers ! in whitelist --> preflight
* {{done|preflight false, REQ method GET && headers ! in whitelist --> preflight}}
* preflight false, REQ method HEAD && headers ! in whitelist --> preflight
* preflight false, REQ method POST && headers ! in whitelist -- preflight
* preflight false, REQ method POST && headers ! in whitelist -- preflight
* preflight false, REQ method POST && headers in whitelist && Header contains content-type but value of content-type != (application/x-www-form-urlencoded, multipart/form-dat, or text/plain) --> preflight
* preflight false, REQ method POST && headers in whitelist && Header contains content-type but value of content-type != (application/x-www-form-urlencoded, multipart/form-dat, or text/plain) --> preflight
** the abov with content-type == to each of those three things --> work
** the above with content-type == to each of those three things --> work
* getResponseHeader() does not get access to cookie2 header and othe headers not in RESP whitelist
* getResponseHeader() does not get access to cookie2 header and othe headers not in RESP whitelist
* cause a user cancel and ensure abort steps followed
* cause a user cancel and ensure abort steps followed
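Review bot: the bullet "resource with two access-control-allow-origin headers one with site and one with *" appears on only one side of this hunk, with no <nowiki>{{done}}</nowiki> or <nowiki>{{skip}}</nowiki> counterpart, so it reads as dropped rather than resolved. Keep it or record why it was removed, because the remaining origin item, "Ensure we have a test for a proper access-control-allow-origin header", does not cover a response that carries two conflicting values. In the same hunk "multipart/form-dat" is still misspelled on both sides even though "abov" was corrected.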
Line 60: Line 61:


=== Preflight XSS XHR ===
=== Preflight XSS XHR ===
* test using a cached entry after the time has expired --> should get a notification of failure that you need to preflight again
* {{done|test using a cached entry after the time has expired --> should get a notification of failure that you need to preflight again}}
* test that a method name matches case insensitively
* test that a method name matches case insensitively
* test that every header name matches header in the cache
* {{done|test that every header name matches header in the cache}}
* test when both a header and a method are specified that we match the proper one
* test when both a header and a method are specified that we match the proper one
* test that when we do not have all the headers in our request that are in the cache --> cache fail
* {{done|test that when we do not have all the headers in our request that are in the cache --> cache fail}}
* test that we do not have a method that matches --> cache fail
* test that we do not have a method that matches --> cache fail
* test that both header and method are empty when they are not empty in the cache --> cache fail
* {{done|test that both header and method are empty when they are not empty in the cache --> cache fail}}
* can we make a preflight with credentials?  Should fail, should not be allowed
* can we make a preflight with credentials?  Should fail, should not be allowed
* can we make a preflight with an entity body? should fail, should not be allowed
* can we make a preflight with an entity body? should fail, should not be allowed
* test redirect
* {{skip|test redirect}}
* {{done|test alternate ways of specifying the expiration time (white space, invalid values etc)}}
* test abort
* test abort
* test network error
* test network error
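Review bot: <nowiki>{{skip|test redirect}}</nowiki> gives no reason for the skip, while the plan still lists "if actual request gets redirect --> cache and network steps" as an open case. State why the redirect test is skipped, or link the tracking bug, so the item is not read as covered.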
Line 75: Line 77:
* test failure to parse methods (value with a space for instance) when parsing the access-control-allow-methods values --> cache and network steps
* test failure to parse methods (value with a space for instance) when parsing the access-control-allow-methods values --> cache and network steps
* test failure to parse headers when parsing access-control-headers --> cache and network steps
* test failure to parse headers when parsing access-control-headers --> cache and network steps
* test that every REQ header does not match headers --> cache & network steps
* {{done|test that every REQ header does not match headers --> cache & network steps}}
* test that REQ header not in simple header whitelist --> cache & network steps
* {{done|test that REQ header not in simple header whitelist --> cache & network steps}}
* Ensure that preflight requests that succeed update cache entries (perhaps by ensuring the timeout is changed or what have you)
* Ensure that preflight requests that succeed update cache entries (perhaps by ensuring the timeout is changed or what have you)
* if actual request gets redirect --> cache and network steps
* if actual request gets redirect --> cache and network steps
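Review bot: the unchanged parse-failure bullet names "access-control-headers", which is not one of the header names used elsewhere in this plan (access-control-allow-methods, access-control-request-method/-header, "*-headers"). Spell out the exact header whose parsing is under test, since the two neighbouring header-matching bullets are being marked done in this hunk and this one is left open.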
Line 97: Line 99:
* ensure that for each method in methods of the preflight REQ an entry is made in the cache
* ensure that for each method in methods of the preflight REQ an entry is made in the cache
* ensure that for each method in methods of the preflight REQ where there is already an entry in the cache, update the expiry time
* ensure that for each method in methods of the preflight REQ where there is already an entry in the cache, update the expiry time
* ensure that for each header in header of the preflight REQ an entry is made in the cache
* {{done|ensure that for each header in header of the preflight REQ an entry is made in the cache}}
* ensure that for each header in header of the preflight REQ where there is already an entry in the cache, update the expiry time
* ensure that for each header in header of the preflight REQ where there is already an entry in the cache, update the expiry time

