From 6df7c6a8f2461d918d305c883985023d9d05b43d Mon Sep 17 00:00:00 2001
From: Manolo Carrasco
Date: Mon, 27 Jan 2014 11:40:32 +0100
Subject: [PATCH] Dont set credentials by default for ajax requests. Fixes issue #261
---
 .../gwt/query/client/plugins/ajax/Ajax.java | 2 +
 .../plugins/deferred/PromiseReqBuilder.java | 2 +-
 .../google/gwt/query/vm/AjaxTransportJre.java | 9 +++-
 .../gwt/query/client/ajax/AjaxTestJre.java | 1 +
 .../gwt/query/client/ajax/AjaxTests.java | 46 ++++++++++++++++++-
 .../gwt/query/servlet/GQAjaxTestServlet.java | 4 +-
 6 files changed, 59 insertions(+), 5 deletions(-)
diff --git a/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/ajax/Ajax.java b/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/ajax/Ajax.java
index 8f0846c6..566ab14d 100644
--- a/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/ajax/Ajax.java
+++ b/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/ajax/Ajax.java
@@ -63,6 +63,7 @@ public class Ajax extends GQuery {
 String getType();
 String getUrl();
 String getUsername();
+ boolean getWithCredentials();
 Settings setContentType(String t);
 Settings setContext(Element e);
 Settings setData(Object p);
@@ -76,6 +77,7 @@ public class Ajax extends GQuery {
 Settings setType(String t);
 Settings setUrl(String u);
 Settings setUsername(String u);
+ Settings setWithCredentials(boolean b);
 }
 public static final Class Ajax = registerPlugin(Ajax.class, new Plugin() {
diff --git a/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/deferred/PromiseReqBuilder.java b/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/deferred/PromiseReqBuilder.java
index 79d3fa8d..1d1bf013 100644
--- a/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/deferred/PromiseReqBuilder.java
+++ b/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/deferred/PromiseReqBuilder.java
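Review bot: `setWithCredentials(boolean b)` and `getWithCredentials()` are added to the `Settings` interface without Javadoc, and since the point of this patch is a changed default, the interface is where a caller will look for it. A one-line doc on the setter would pin the contract: `/** Sets the XHR withCredentials flag for cross-origin requests; leave it unset (false) unless the request must carry cookies or HTTP auth across origins. */`. Whether an unset value really reads back as false depends on how `Settings` is implemented, which is outside this hunk, so the wording should be checked against that implementation. The `Settings` interface itself begins before the first hunk.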
@@ -120,7 +120,7 @@ public class PromiseReqBuilder extends DeferredPromiseImpl implements RequestCal
 // Using gQuery to set credentials since this method was added in 2.5.1
 // xmlHttpRequest.setWithCredentials(true);
- JsUtils.prop(xmlHttpRequest, "withCredentials", true);
+ JsUtils.prop(xmlHttpRequest, "withCredentials", settings.getWithCredentials());
 final Request request = createRequestVltr(xmlHttpRequest, settings.getTimeout(), this);
diff --git a/gwtquery-core/src/main/java/com/google/gwt/query/vm/AjaxTransportJre.java b/gwtquery-core/src/main/java/com/google/gwt/query/vm/AjaxTransportJre.java
index 166fa3b4..9da7f420 100644
--- a/gwtquery-core/src/main/java/com/google/gwt/query/vm/AjaxTransportJre.java
+++ b/gwtquery-core/src/main/java/com/google/gwt/query/vm/AjaxTransportJre.java
@@ -168,8 +168,13 @@ public class AjaxTransportJre implements AjaxTransport {
 }
 int code = c.getResponseCode();
- if (isCORS && !localDomain.equals(c.getHeaderField("Access-Control-Allow-Origin"))) {
- code = 0;
+ if (isCORS) {
+ if (!localDomain.equals(c.getHeaderField("Access-Control-Allow-Origin"))) {
+ code = 0;
+ }
+ if (s.getWithCredentials() && c.getHeaderField("Access-Control-Allow-Credentials") == null) {
+ code = 0;
+ }
 }
 BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream()));
diff --git a/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTestJre.java b/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTestJre.java
index abe00e30..1167651d 100644
--- a/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTestJre.java
+++ b/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTestJre.java
@@ -49,6 +49,7 @@ public class AjaxTestJre extends AjaxTests {
 echoUrl = localDomain + "/" + servletPath;
 echoUrlCORS = corsDomain + "/" + servletPath + "?cors=true";
+ startWebServer(port);
 }
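Review bot: The two comment lines above the changed `JsUtils.prop(...)` call still read `// xmlHttpRequest.setWithCredentials(true);`, which now contradicts the code directly beneath them that passes `settings.getWithCredentials()`. Update the commented-out equivalent to `// xmlHttpRequest.setWithCredentials(settings.getWithCredentials());` so the note about the 2.5.1 API keeps describing the actual behaviour. The enclosing method begins and ends outside the hunk.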
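Review bot: The new credentials check inside the `isCORS` branch only tests that `Access-Control-Allow-Credentials` is present, but browsers accept that header only when its value is exactly `true`; any other value fails the CORS check. Mirroring the browser rule keeps this JRE transport in step with the client path: `if (s.getWithCredentials() && !"true".equals(c.getHeaderField("Access-Control-Allow-Credentials"))) {`. The existing origin comparison already rejects a wildcard `Access-Control-Allow-Origin`, so the combination of the two checks then matches what a browser enforces for credentialed requests. The enclosing method starts and ends outside the hunk.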
diff --git a/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTests.java b/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTests.java
index f6a064c5..ee3005c9 100644
--- a/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTests.java
+++ b/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTests.java
@@ -15,6 +15,8 @@
 */
 package com.google.gwt.query.client.ajax;
+import junit.framework.Assert;
+
 import com.google.gwt.http.client.Response;
 import com.google.gwt.junit.DoNotRunWith;
 import com.google.gwt.junit.Platform;
@@ -119,7 +121,49 @@ public abstract class AjaxTests extends GWTTestCase {
 .setData(jsonGET)
 .setDataType("json");
- performAjaxJsonTest_CORS(s);
+ performAjaxJsonTest_CORS(s)
+ .done(new Function() {
+ public void f() {
+ Response r = arguments(3);
+ Assert.assertNotNull(r.getHeader("Access-Control-Allow-Origin"));
+ Assert.assertNull(r.getHeader("Access-Control-Allow-Credentials"));
+ }
+ });
+ }
+
+ @DoNotRunWith(Platform.HtmlUnitBug)
+ public void testAjaxJsonGet_CORS_WithCredentials_Supported() {
+ Settings s = Ajax.createSettings()
+ .setType("get")
+ // Enable credentials in servlet
+ .setUrl(echoUrlCORS + "&credentials=true")
+ .setData(jsonGET)
+ .setDataType("json")
+ .setWithCredentials(true);
+
+ performAjaxJsonTest_CORS(s)
+ .done(new Function() {
+ public void f() {
+ Response r = arguments(3);
+ Assert.assertNotNull(r.getHeader("Access-Control-Allow-Origin"));
+ Assert.assertNotNull(r.getHeader("Access-Control-Allow-Credentials"));
+ }
+ });
+ }
+
+ @DoNotRunWith(Platform.HtmlUnitBug)
+ public void testAjaxJsonGet_CORS_WithCredentials_Unsupported() {
+ Settings s = Ajax.createSettings()
+ .setType("get")
+ // Disable credentials in servlet
+ .setUrl(echoUrlCORS)
+ .setData(jsonGET)
+ .setDataType("json")
+ .setWithCredentials(true);
+
+ Ajax.ajax(s)
+ .fail(finishFunction)
+ .done(failFunction);
 }
 public void testAjaxGetJsonP() {
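Review bot: The assertions in the three new `done()` callbacks go through `junit.framework.Assert`, the deprecated JUnit 3 class, and the import added in the first hunk exists only for them; because `AjaxTests` extends `GWTTestCase`, the inherited `assertNotNull`/`assertNull` should already be in scope inside the anonymous `Function`, so `Assert.assertNotNull(...)` can become `assertNotNull(...)` and the import can go. Separately, both credentialed CORS tests assert only on the servlet's response headers, so nothing verifies that a cookie or auth header actually travelled with the request once `setWithCredentials(true)` is set; if the echo servlet can expose the request's `Cookie` header, a positive assertion on it would catch a regression where the flag is stored but never applied to the XHR. The method containing the first changed lines begins outside the hunk.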
diff --git a/gwtquery-core/src/test/java/com/google/gwt/query/servlet/GQAjaxTestServlet.java b/gwtquery-core/src/test/java/com/google/gwt/query/servlet/GQAjaxTestServlet.java
index 5152de4c..b00d2469 100644
--- a/gwtquery-core/src/test/java/com/google/gwt/query/servlet/GQAjaxTestServlet.java
+++ b/gwtquery-core/src/test/java/com/google/gwt/query/servlet/GQAjaxTestServlet.java
@@ -61,7 +61,9 @@ public class GQAjaxTestServlet extends HttpServlet {
 String origin = req.getHeader("Origin");
 if ("true".equals(req.getParameter("cors")) && origin != null) {
 resp.addHeader("Access-Control-Allow-Origin", origin);
- resp.addHeader("Access-Control-Allow-Credentials", "true");
+ if ("true".equals(req.getParameter("credentials"))) {
+ resp.addHeader("Access-Control-Allow-Credentials", "true");
+ }
 String method = req.getHeader("Access-Control-Request-Method");
 if (method != null) {
 resp.addHeader("Access-Control-Allow-Methods", method);
--
2.39.5
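Review bot: The servlet reflects whatever `Origin` header arrives straight back as `Access-Control-Allow-Origin` and, when `credentials=true` is passed, adds `Access-Control-Allow-Credentials: true` — the combination that removes the cross-origin protection CORS is meant to provide if it ever ends up in a non-test servlet. In the test tree this permissiveness is the point, but a comment above the `if` would stop the pattern being copied: `// Test fixture only: reflecting an arbitrary Origin together with Allow-Credentials is deliberately permissive and must not be used as a template for production CORS handling.` The enclosing method begins and ends outside the hunk.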