
Possible improvements to the CORS test suite #314

@odinho

Matt Wobensmith, SQA Engineer at Mozilla, did an awesomesauce review that I have not fixed (originally from #112):


General:

  • CORS can be used for other network requests besides XHR
    • img, script, css, fonts
  • Cross-protocol - access a resource that is hosted via protocol that provides headers
    • FTP, HTTP, HTTPS to HTTP, HTTPS - various combinations

Access-Control-Allow-Origin response header

  • Simple request: when using "*" it cannot be used for a resource that supports credentials
  • Boundary/error values: long domain names, large amount of domain tokens, IP addresses, International Domain Names
  • Default request method for cross-origin request is GET
  • Default request headers empty by default.
  • Default entity body empty by default
  • Exclude Referer header if source origin is a globally unique identifier
  • if header value is "*" and omit credentials flag is false, fail

Access-Control-Allow-Methods

  • if request method is not case-sensitive match for methods and is not a simple method, error
  • If method is a simple method, including method value here - while not required - should not fail

Origin Request header

  • Verify that it is emitted from both x-domain request and preflight request

Access-Control-Allow-Credentials

  • If omit-credentials flag is not set and response includes 0 or more than one Access-Control-Allow-Credentials headers, fail.
  • If omit-credentials flag is not set and Access-Control-Allow-Credentials header value is not case-sensitive match for "true", fail.

Preflight:

  • Includes Access-Control-Request-Method header that includes the request method, even when this is a simple method
  • Includes Access-Control-Request-Headers with comma-separated list of headers, in lexicographical order, converted to ASCII lowercase even when one or more are a simple header
  • excludes author request headers
  • excludes user credentials
  • excludes the request entity body
  • if header parsing fails, error
  • in case of unable to cache due to disk space - proceed to actual request

Preflight cache:

  • Case-insensitive match for Origin invalidates preflight result cache
  • Access-Control-Max-Age - validate correct caching time
  • Access-Control-Max-Age - maximum cache time
  • Access-Control-Max-Age - error arguments (too large, too small, non-numeric)
  • Access-Control-Max-Age - if UA imposes high-end limit but response's max-age is higher, let maximum be equal to the response's max-age
  • If Access-Control-Max-Age is missing, duplicated or parsing failed, let max-age be at the discretion of UA (zero is allowed)
  • Cache match testing
    • Based on rules in spec, determine whether a resource is properly cached or not
    • Verify that an expired resource no longer in cache invokes new preflight request
    • If removed and then reinstated into cache, new values should be respected
    • Origin is removed from cache if error occurs
    • If list of exposed headers in a response is not empty, and Access-Control-Expose-Headers does not contain values, the preflight cache can be cleared for all case-sensitive matches to this Origin and URL.
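As an added example (not code from this issue, the reviewer, or the web-platform-tests repository), the JavaScript below models the client-side CORS rules the list above asks for tests of: when a preflight is needed, what the preflight request carries, the resource sharing check on Access-Control-Allow-Origin / -Allow-Credentials, and the preflight result check on -Allow-Methods / -Allow-Headers / -Max-Age. All function names are hypothetical; UA_MAX_AGE_LIMIT is an assumed user-agent cap on the cache lifetime, and the sample request and response headers are constructed. Response headers are kept as [name, value] pairs so duplicated headers can be represented, because several of the checks turn on "zero or more than one".

```javascript
// Added reference model of the CORS client-side checks (hypothetical helper
// names; not code from the web-platform-tests repository).
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADER_NAMES = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
// Assumed user-agent cap on Access-Control-Max-Age, in seconds.
const UA_MAX_AGE_LIMIT = 600;

function fail(reason) { return { ok: false, reason }; }

function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (SIMPLE_HEADER_NAMES.has(n)) return true;
  // Content-Type is only simple for three media types (parameters ignored).
  if (n === 'content-type') {
    return SIMPLE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
  }
  return false;
}

// A non-simple method or any non-simple author header forces a preflight.
function needsPreflight(method, authorHeaders) {
  if (!SIMPLE_METHODS.has(method)) return true;
  return Object.entries(authorHeaders).some(([k, v]) => !isSimpleHeader(k, v));
}

// Headers a preflight carries: the method verbatim (even a simple one) and the
// author header names, comma-separated, ASCII-lowercased, lexicographically
// sorted, simple headers included. The entity body and credentials are not sent.
function buildPreflightHeaders(method, authorHeaders) {
  const names = [...new Set(Object.keys(authorHeaders).map((h) => h.toLowerCase()))].sort();
  const out = { 'Access-Control-Request-Method': method };
  if (names.length) out['Access-Control-Request-Headers'] = names.join(',');
  return out;
}

// All values of one response header (name matched case-insensitively), trimmed.
function headerValues(headers, name) {
  const n = name.toLowerCase();
  return headers.filter(([k]) => k.toLowerCase() === n).map(([, v]) => v.trim());
}

// Comma-separated header values flattened into one token list.
function tokenList(values) {
  return values.flatMap((v) => v.split(',')).map((t) => t.trim()).filter(Boolean);
}

// Resource sharing check: Access-Control-Allow-Origin and, when credentials
// are sent, Access-Control-Allow-Credentials. Matches are case-sensitive.
function resourceSharingCheck(responseHeaders, origin, withCredentials) {
  const allowOrigin = headerValues(responseHeaders, 'Access-Control-Allow-Origin');
  if (allowOrigin.length !== 1) return fail('zero or multiple Access-Control-Allow-Origin');
  if (allowOrigin[0] === '*') {
    if (withCredentials) return fail('"*" is not allowed when credentials are sent');
  } else if (allowOrigin[0] !== origin) {
    return fail('Access-Control-Allow-Origin is not a case-sensitive match for Origin');
  }
  if (withCredentials) {
    const allowCred = headerValues(responseHeaders, 'Access-Control-Allow-Credentials');
    if (allowCred.length !== 1) return fail('zero or multiple Access-Control-Allow-Credentials');
    if (allowCred[0] !== 'true') return fail('Access-Control-Allow-Credentials must be exactly "true"');
  }
  return { ok: true };
}

// Preflight result check; on success also returns the cache lifetime to use.
function preflightResultCheck(responseHeaders, request) {
  const share = resourceSharingCheck(responseHeaders, request.origin, request.withCredentials);
  if (!share.ok) return share;
  const methods = tokenList(headerValues(responseHeaders, 'Access-Control-Allow-Methods'));
  if (!methods.includes(request.method) && !SIMPLE_METHODS.has(request.method)) {
    return fail(`method ${request.method} not in Access-Control-Allow-Methods`);
  }
  const allowed = tokenList(headerValues(responseHeaders, 'Access-Control-Allow-Headers'))
    .map((h) => h.toLowerCase());
  for (const [k, v] of Object.entries(request.authorHeaders)) {
    if (!isSimpleHeader(k, v) && !allowed.includes(k.toLowerCase())) {
      return fail(`header ${k} not in Access-Control-Allow-Headers`);
    }
  }
  // Max-Age: missing, duplicated or unparseable leaves the lifetime at UA
  // discretion (this model picks 0, i.e. do not cache); a value above the
  // assumed UA limit is clamped to that limit.
  const maxAgeValues = headerValues(responseHeaders, 'Access-Control-Max-Age');
  let maxAge = 0;
  if (maxAgeValues.length === 1 && /^\d+$/.test(maxAgeValues[0])) {
    maxAge = Math.min(Number(maxAgeValues[0]), UA_MAX_AGE_LIMIT);
  }
  return { ok: true, maxAge };
}

// Constructed sample: a credentialed PUT with a custom header and JSON body.
const sampleRequest = {
  origin: 'https://app.example', withCredentials: true, method: 'PUT',
  authorHeaders: { 'X-Token': 'abc', 'Content-Type': 'application/json' },
};
const samplePreflightResponse = [
  ['Access-Control-Allow-Origin', 'https://app.example'],
  ['Access-Control-Allow-Credentials', 'true'],
  ['Access-Control-Allow-Methods', 'PUT, DELETE'],
  ['Access-Control-Allow-Headers', 'x-token, content-type'],
  ['Access-Control-Max-Age', '86400'],
];
```

Running preflightResultCheck(samplePreflightResponse, sampleRequest) passes with maxAge clamped to 600; swapping the allow-origin value for "*" or the credentials value for "TRUE" makes the same request fail, which is exactly the pair of cases the Access-Control-Allow-Origin and Access-Control-Allow-Credentials bullets want covered.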
