| <body> |
| <p>This test passes if the inserted script fails to load due to CORS.</p> |
| <pre></pre> |
| <script> |
| var result = 'PASS'; |
| </script> |
| <!-- Non-CORS enabled script load, supplying credentials. |
| Will execute as per-normal. --> |
| <script src="http://localhost:8000/security/resources/cors-script.php?cors=false&credentials=true&value=FAIL"></script> |
| <script> |
| if (window.testRunner) { |
| testRunner.dumpAsText(); |
| testRunner.waitUntilDone(); |
| } |
| |
| // Reset the 'result' set by above external script. |
| result = 'PASS'; |
| |
| function finish() { |
| document.querySelector("pre").innerHTML = result; |
| if (window.testRunner) |
| testRunner.notifyDone(); |
| } |
| |
| // Create new script of same cross-origin script as above, |
| // but this time loaded following CORS. |
| // |
| // The response is missing a Access-Control-Access-Origin: header, |
| // hence the CORS check must fail & error reported. |
| var script = document.createElement("script"); |
| script.crossOrigin = "use-credentials"; |
| script.src = "http://localhost:8000/security/resources/cors-script.php?cors=false&credentials=true&value=FAIL"; |
| |
| script.onload = function() { |
| result += " (loaded)"; |
| finish(); |
| } |
| |
| script.onerror = function() { |
| result = "PASS (expected error reported)"; |
| finish(); |
| } |
| document.body.appendChild(script); |
| </script> |