authorManolo Carrasco <manolo@apache.org>2014-01-27 11:40:32 +0100
committerManolo Carrasco <manolo@apache.org>2014-01-27 11:40:32 +0100
commit6df7c6a8f2461d918d305c883985023d9d05b43d (patch)
tree38fa823c68074e2010ef2857da831575c486abb3
parentf4b20ca9e43b603979fbe89d73d8c662dbd01af2 (diff)
downloadgwtquery-6df7c6a8f2461d918d305c883985023d9d05b43d.tar.gz
gwtquery-6df7c6a8f2461d918d305c883985023d9d05b43d.zip
Dont set credentials by default for ajax requests. Fixes issue #261
-rw-r--r--gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/ajax/Ajax.java2
-rw-r--r--gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/deferred/PromiseReqBuilder.java2
-rw-r--r--gwtquery-core/src/main/java/com/google/gwt/query/vm/AjaxTransportJre.java9
-rw-r--r--gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTestJre.java1
-rw-r--r--gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTests.java46
-rw-r--r--gwtquery-core/src/test/java/com/google/gwt/query/servlet/GQAjaxTestServlet.java4
6 files changed, 59 insertions, 5 deletions
diff --git a/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/ajax/Ajax.java b/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/ajax/Ajax.java
index 8f0846c6..566ab14d 100644
--- a/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/ajax/Ajax.java
+++ b/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/ajax/Ajax.java
@@ -63,6 +63,7 @@ public class Ajax extends GQuery {
String getType();
String getUrl();
String getUsername();
+ boolean getWithCredentials();
Settings setContentType(String t);
Settings setContext(Element e);
Settings setData(Object p);
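Review bot: `getWithCredentials()` here and `setWithCredentials(boolean)` in the next hunk are added to `Settings` without any Javadoc, although they control whether cookies and HTTP auth are attached to cross-origin requests. I would document the setter with something like `/** Send cookies/HTTP auth on cross-origin requests. Off unless set; the server must reply with Access-Control-Allow-Credentials: true. */`. The value returned when the setting was never assigned is not visible in this diff (presumably `false`), so it is worth confirming and stating in that comment. Callers that relied on the previous always-on behaviour now have to opt in, which also deserves a line in the release notes.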
@@ -76,6 +77,7 @@ public class Ajax extends GQuery {
Settings setType(String t);
Settings setUrl(String u);
Settings setUsername(String u);
+ Settings setWithCredentials(boolean b);
}
public static final Class<Ajax> Ajax = registerPlugin(Ajax.class, new Plugin<Ajax>() {
diff --git a/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/deferred/PromiseReqBuilder.java b/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/deferred/PromiseReqBuilder.java
index 79d3fa8d..1d1bf013 100644
--- a/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/deferred/PromiseReqBuilder.java
+++ b/gwtquery-core/src/main/java/com/google/gwt/query/client/plugins/deferred/PromiseReqBuilder.java
@@ -120,7 +120,7 @@ public class PromiseReqBuilder extends DeferredPromiseImpl implements RequestCal
// Using gQuery to set credentials since this method was added in 2.5.1
// xmlHttpRequest.setWithCredentials(true);
- JsUtils.prop(xmlHttpRequest, "withCredentials", true);
+ JsUtils.prop(xmlHttpRequest, "withCredentials", settings.getWithCredentials());
final Request request = createRequestVltr(xmlHttpRequest, settings.getTimeout(), this);
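Review bot: The two comment lines kept above the changed call still describe `xmlHttpRequest.setWithCredentials(true)`, which no longer matches the code now that the value comes from `settings.getWithCredentials()`. I would reword them to something like `// Set via JsUtils.prop because setWithCredentials was only added in 2.5.1; stays off unless the caller opts in.` The enclosing method starts and ends outside this hunk, so whether this assignment is limited to cross-origin requests cannot be confirmed from here.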
diff --git a/gwtquery-core/src/main/java/com/google/gwt/query/vm/AjaxTransportJre.java b/gwtquery-core/src/main/java/com/google/gwt/query/vm/AjaxTransportJre.java
index 166fa3b4..9da7f420 100644
--- a/gwtquery-core/src/main/java/com/google/gwt/query/vm/AjaxTransportJre.java
+++ b/gwtquery-core/src/main/java/com/google/gwt/query/vm/AjaxTransportJre.java
@@ -168,8 +168,13 @@ public class AjaxTransportJre implements AjaxTransport {
}
int code = c.getResponseCode();
- if (isCORS && !localDomain.equals(c.getHeaderField("Access-Control-Allow-Origin"))) {
- code = 0;
+ if (isCORS) {
+ if (!localDomain.equals(c.getHeaderField("Access-Control-Allow-Origin"))) {
+ code = 0;
+ }
+ if (s.getWithCredentials() && c.getHeaderField("Access-Control-Allow-Credentials") == null) {
+ code = 0;
+ }
}
BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream()));
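Review bot: The new credentials check only tests that `Access-Control-Allow-Credentials` is present, so a response carrying `Access-Control-Allow-Credentials: false` (or any other value) is still accepted by the JRE transport, whereas a browser honours the header only when its value is exactly `true`. To keep the emulation as strict as the real client, compare the value: `if (s.getWithCredentials() && !"true".equals(c.getHeaderField("Access-Control-Allow-Credentials"))) {`. The enclosing method starts and ends outside this hunk.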
diff --git a/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTestJre.java b/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTestJre.java
index abe00e30..1167651d 100644
--- a/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTestJre.java
+++ b/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTestJre.java
@@ -49,6 +49,7 @@ public class AjaxTestJre extends AjaxTests {
echoUrl = localDomain + "/" + servletPath;
echoUrlCORS = corsDomain + "/" + servletPath + "?cors=true";
+
startWebServer(port);
}
diff --git a/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTests.java b/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTests.java
index f6a064c5..ee3005c9 100644
--- a/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTests.java
+++ b/gwtquery-core/src/test/java/com/google/gwt/query/client/ajax/AjaxTests.java
@@ -15,6 +15,8 @@
*/
package com.google.gwt.query.client.ajax;
+import junit.framework.Assert;
+
import com.google.gwt.http.client.Response;
import com.google.gwt.junit.DoNotRunWith;
import com.google.gwt.junit.Platform;
@@ -119,7 +121,49 @@ public abstract class AjaxTests extends GWTTestCase {
.setData(jsonGET)
.setDataType("json");
- performAjaxJsonTest_CORS(s);
+ performAjaxJsonTest_CORS(s)
+ .done(new Function() {
+ public void f() {
+ Response r = arguments(3);
+ Assert.assertNotNull(r.getHeader("Access-Control-Allow-Origin"));
+ Assert.assertNull(r.getHeader("Access-Control-Allow-Credentials"));
+ }
+ });
+ }
+
+ @DoNotRunWith(Platform.HtmlUnitBug)
+ public void testAjaxJsonGet_CORS_WithCredentials_Supported() {
+ Settings s = Ajax.createSettings()
+ .setType("get")
+ // Enable credentials in servlet
+ .setUrl(echoUrlCORS + "&credentials=true")
+ .setData(jsonGET)
+ .setDataType("json")
+ .setWithCredentials(true);
+
+ performAjaxJsonTest_CORS(s)
+ .done(new Function() {
+ public void f() {
+ Response r = arguments(3);
+ Assert.assertNotNull(r.getHeader("Access-Control-Allow-Origin"));
+ Assert.assertNotNull(r.getHeader("Access-Control-Allow-Credentials"));
+ }
+ });
+ }
+
+ @DoNotRunWith(Platform.HtmlUnitBug)
+ public void testAjaxJsonGet_CORS_WithCredentials_Unsupported() {
+ Settings s = Ajax.createSettings()
+ .setType("get")
+ // Disable credentials in servlet
+ .setUrl(echoUrlCORS)
+ .setData(jsonGET)
+ .setDataType("json")
+ .setWithCredentials(true);
+
+ Ajax.ajax(s)
+ .fail(finishFunction)
+ .done(failFunction);
}
public void testAjaxGetJsonP() {
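Review bot: `testAjaxJsonGet_CORS_WithCredentials_Unsupported` calls `Ajax.ajax(s)` directly and no `delayTestFinish(...)` call is visible in it, so unless `finishFunction` handles that itself the test method may return before the asynchronous `fail` callback runs. I would put a `delayTestFinish(...)` call, with the timeout the other tests in this class use, as the first statement of that test. Separately, the `done` callbacks chained after `performAjaxJsonTest_CORS(s)` may run after that helper has already finished the test (its body is not in this hunk), in which case their assertions would not be reported. The `_Supported` test would also be stricter with `Assert.assertEquals("true", r.getHeader("Access-Control-Allow-Credentials"));` than with `assertNotNull`.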
diff --git a/gwtquery-core/src/test/java/com/google/gwt/query/servlet/GQAjaxTestServlet.java b/gwtquery-core/src/test/java/com/google/gwt/query/servlet/GQAjaxTestServlet.java
index 5152de4c..b00d2469 100644
--- a/gwtquery-core/src/test/java/com/google/gwt/query/servlet/GQAjaxTestServlet.java
+++ b/gwtquery-core/src/test/java/com/google/gwt/query/servlet/GQAjaxTestServlet.java
@@ -61,7 +61,9 @@ public class GQAjaxTestServlet extends HttpServlet {
String origin = req.getHeader("Origin");
if ("true".equals(req.getParameter("cors")) && origin != null) {
resp.addHeader("Access-Control-Allow-Origin", origin);
- resp.addHeader("Access-Control-Allow-Credentials", "true");
+ if ("true".equals(req.getParameter("credentials"))) {
+ resp.addHeader("Access-Control-Allow-Credentials", "true");
+ }
String method = req.getHeader("Access-Control-Request-Method");
if (method != null) {
resp.addHeader("Access-Control-Allow-Methods", method);
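Review bot: This block echoes whatever `Origin` the request carries into `Access-Control-Allow-Origin`, and with `credentials=true` it now also sends `Access-Control-Allow-Credentials: true`, so any origin is granted credentialed access. That is acceptable for a test servlet but is exactly the configuration a real endpoint must avoid, and nothing here says so. I would add a comment above the `if`, such as `// Test-only: reflects any Origin. Production code must check Origin against an allow-list before allowing credentials.`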