| author | Rado Kirov | 2012-09-28 15:43:01 -0700 |
|---|---|---|
| committer | Igor Minar | 2012-11-26 23:58:59 +0100 |
| commit | fce100a46c5681562253c3a856d67bbd35fbc2f2 (patch) | |
| tree | 1e85ce51888372d6184d401ef9033791d6a80c20 /test | |
| parent | 3a75b1124d062f64093a90b26630938558909e8d (diff) | |
| download | angular.js-fce100a46c5681562253c3a856d67bbd35fbc2f2.tar.bz2 | |
fix($http): only set X-XSFR-TOKEN header for same-domain request
This is needed to prevent CORS preflight checks. The XSFR token
is quite useless for CORS requests anyway.
BREAKING CHANGE: X-XSRF-TOKEN is no longer sent for cross-domain
requests. This shouldn't affect any known production service.
Closes #1096
Diffstat (limited to 'test')
| -rw-r--r-- | test/ng/httpSpec.js | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/test/ng/httpSpec.js b/test/ng/httpSpec.js
index 5049a218..1473ab1c 100644
--- a/test/ng/httpSpec.js
+++ b/test/ng/httpSpec.js
@@ -430,6 +430,17 @@ describe('$http', function() {
 $httpBackend.flush();
 });
+ it('should not set XSRF cookie for cross-domain requests', inject(function($browser) {
+ $browser.cookies('XSRF-TOKEN', 'secret');
+ $browser.url('http://host.com/base');
+ $httpBackend.expect('GET', 'http://www.test.com/url', undefined, function(headers) {
+ return headers['X-XSRF-TOKEN'] === undefined;
+ }).respond('');
+
+ $http({url: 'http://www.test.com/url', method: 'GET', headers: {}});
+ $httpBackend.flush();
+ }));
+
 it('should not send Content-Type header if request data/body is undefined', function() {
 $httpBackend.expect('POST', '/url', undefined, function(headers) {
@@ -1005,4 +1016,25 @@ describe('$http', function() {
 $httpBackend.verifyNoOutstandingExpectation = noop;
 });
+
+ describe('isSameDomain', function() {
+ it('should support various combinations of urls', function() {
+ expect(isSameDomain('path/morepath',
+ 'http://www.adomain.com')).toBe(true);
+ expect(isSameDomain('http://www.adomain.com/path',
+ 'http://www.adomain.com')).toBe(true);
+ expect(isSameDomain('//www.adomain.com/path',
+ 'http://www.adomain.com')).toBe(true);
+ expect(isSameDomain('//www.adomain.com/path',
+ 'https://www.adomain.com')).toBe(true);
+ expect(isSameDomain('//www.adomain.com/path',
+ 'http://www.adomain.com:1234')).toBe(false);
+ expect(isSameDomain('https://www.adomain.com/path',
+ 'http://www.adomain.com')).toBe(false);
+ expect(isSameDomain('http://www.adomain.com:1234/path',
+ 'http://www.adomain.com')).toBe(false);
+ expect(isSameDomain('http://www.anotherdomain.com/path',
+ 'http://www.adomain.com')).toBe(false);
+ });
+ });
 }); |
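Review bot: The test title `'should not set XSRF cookie for cross-domain requests'` names a cookie, but the expectation a few lines below asserts on the `X-XSRF-TOKEN` request header and nothing about the cookie is touched, so the name misstates what is verified; rename it to `it('should not set X-XSRF-TOKEN header for cross-domain requests', inject(function($browser) {`. A one-line comment on the expectation would also record why this matters beyond avoiding a preflight: the cookie value (`'secret'` here) is the anti-forgery token, and copying it into a request to another host would disclose it to that host, e.g. `// the XSRF token must never be sent to a host other than the app's own origin`. This hunk has no same-origin counterpart asserting the header is still set; if one exists elsewhere in httpSpec.js that is fine, otherwise add it so the check cannot regress to never sending the header at all. The enclosing describe block starts and ends outside the hunk.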
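Review bot: The `isSameDomain` cases cover scheme, port and host mismatches, but none pins host/scheme case handling or default-port equivalence, so the spec leaves `'HTTP://WWW.ADOMAIN.COM/path'` versus `'http://www.adomain.com'` and `'http://www.adomain.com:80/path'` versus `'http://www.adomain.com'` unspecified; whichever outcome the implementation intends, add an expectation for each, e.g. `expect(isSameDomain('http://www.adomain.com:80/path', 'http://www.adomain.com')).toBe(/* intended result */);` — I cannot see the implementation, so I do not assume the answer. An absolute path such as `'/path/morepath'` is also missing alongside the relative `'path/morepath'` case, and it is the more common shape for `$http` calls in the rest of this spec (`'/url'`). The test name `'should support various combinations of urls'` says nothing about the contract; `'should treat urls with the same scheme, host and port as same-domain'` would document it. The enclosing `describe('$http', …)` block starts outside the hunk.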
