
Commit 2fe2cf7

youennfjgraham
authored andcommitted
Bug 1464525 [wpt PR 11171] - Cross-Origin-Resource-Policy tests, a=testonly
Automatic update from web-platform-tests

Fetch: Cross-Origin-Resource-Policy tests

For whatwg/fetch#733. WebKit export of https://bugs.webkit.org/show_bug.cgi?id=185840.

--
wpt-commits: 53f7340307c1c0fa4ab96e79d88c69a7870030f4
wpt-pr: 11171
1 parent 98d913a commit 2fe2cf7

14 files changed

+479
-1
lines changed

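--- a/testing/web-platform/meta/MANIFEST.json
+++ b/testing/web-platform/meta/MANIFEST.json
@@ -274865,6 +274865,41 @@
 {}
 ]
 ],
+"fetch/cross-origin-resource-policy/resources/green.png": [
+[
+{}
+]
+],
+"fetch/cross-origin-resource-policy/resources/hello.py": [
+[
+{}
+]
+],
+"fetch/cross-origin-resource-policy/resources/iframe.py": [
+[
+{}
+]
+],
+"fetch/cross-origin-resource-policy/resources/iframeFetch.html": [
+[
+{}
+]
+],
+"fetch/cross-origin-resource-policy/resources/image.py": [
+[
+{}
+]
+],
+"fetch/cross-origin-resource-policy/resources/redirect.py": [
+[
+{}
+]
+],
+"fetch/cross-origin-resource-policy/resources/script.py": [
+[
+{}
+]
+],
 "fetch/data-urls/README.md": [
 [
 {}
@@ -338884,6 +338919,36 @@
 {}
 ]
 ],
+"fetch/cross-origin-resource-policy/fetch-in-iframe.html": [
+[
+"/fetch/cross-origin-resource-policy/fetch-in-iframe.html",
+{}
+]
+],
+"fetch/cross-origin-resource-policy/fetch.html": [
+[
+"/fetch/cross-origin-resource-policy/fetch.html",
+{}
+]
+],
+"fetch/cross-origin-resource-policy/iframe-loads.html": [
+[
+"/fetch/cross-origin-resource-policy/iframe-loads.html",
+{}
+]
+],
+"fetch/cross-origin-resource-policy/image-loads.html": [
+[
+"/fetch/cross-origin-resource-policy/image-loads.html",
+{}
+]
+],
+"fetch/cross-origin-resource-policy/script-loads.html": [
+[
+"/fetch/cross-origin-resource-policy/script-loads.html",
+{}
+]
+],
 "fetch/data-urls/base64.any.js": [
 [
 "/fetch/data-urls/base64.any.html",
@@ -418318,7 +418383,7 @@
 "support"
 ],
 "common/get-host-info.sub.js": [
-"4175d0fff3555e25a646b0673a082fefdc113fe0",
+"1eae4a7e29b73d60b9832ef5d8c808f6fd10db5c",
 "support"
 ],
 "common/get-host-info.sub.js.headers": [
@@ -569125,6 +569190,54 @@
 "465d933f4e52ef4e5a4bd0de40873410195843cd",
 "testharness"
 ],
+"fetch/cross-origin-resource-policy/fetch-in-iframe.html": [
+"4d836bed1e90a2d14b1651c0f3229b3f3d0b6b91",
+"testharness"
+],
+"fetch/cross-origin-resource-policy/fetch.html": [
+"6a881615d9df0750b640298725be56e60cd5804c",
+"testharness"
+],
+"fetch/cross-origin-resource-policy/iframe-loads.html": [
+"8429fdb1695fc73c853dc37bf29544b8139d5396",
+"testharness"
+],
+"fetch/cross-origin-resource-policy/image-loads.html": [
+"6e81ede4b474b2516ec735d4d8f99694b4124773",
+"testharness"
+],
+"fetch/cross-origin-resource-policy/resources/green.png": [
+"ef91d21307a12b2cfaf33a90dffe16aa1cba42c9",
+"support"
+],
+"fetch/cross-origin-resource-policy/resources/hello.py": [
+"0d8e30350c97fd6a040b14348929cf7e87e0e406",
+"support"
+],
+"fetch/cross-origin-resource-policy/resources/iframe.py": [
+"d8f4af86d37d2f257b4166a1f7d3001d55eeda69",
+"support"
+],
+"fetch/cross-origin-resource-policy/resources/iframeFetch.html": [
+"d66a9c958288a97469e8cfa75eba973e9f35e190",
+"support"
+],
+"fetch/cross-origin-resource-policy/resources/image.py": [
+"72f4bbf045fbb61623246d44b763bd06024c0f63",
+"support"
+],
+"fetch/cross-origin-resource-policy/resources/redirect.py": [
+"eb237d6f61e042db8454efad97a7ca58ea90eba9",
+"support"
+],
+"fetch/cross-origin-resource-policy/resources/script.py": [
+"330a0ae1420b41e63bd639fa24f75e64e4528bcc",
+"support"
+],
+"fetch/cross-origin-resource-policy/script-loads.html": [
+"cd28267293f2d20ee78d6b946fe6b8793edf1bae",
+"testharness"
+],
 "fetch/data-urls/README.md": [
 "868cb170fa0c5626008fef77e37dee16e76b10d5",
 "support"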

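--- a/testing/web-platform/tests/common/get-host-info.sub.js
+++ b/testing/web-platform/tests/common/get-host-info.sub.js
@@ -6,6 +6,7 @@ function get_host_info() {
 var ORIGINAL_HOST = '{{host}}';
 var REMOTE_HOST = (ORIGINAL_HOST === 'localhost') ? '127.0.0.1' : ('www1.' + ORIGINAL_HOST);
 var OTHER_HOST = '{{domains[www2]}}';
+var NOTSAMESITE_HOST = (ORIGINAL_HOST === 'localhost') ? '127.0.0.1' : ('not-' + ORIGINAL_HOST);
 
 return {
 HTTP_PORT: HTTP_PORT,
@@ -19,6 +20,7 @@ function get_host_info() {
 HTTPS_ORIGIN_WITH_CREDS: 'https://foo:bar@' + ORIGINAL_HOST + ':' + HTTPS_PORT,
 HTTP_ORIGIN_WITH_DIFFERENT_PORT: 'http://' + ORIGINAL_HOST + ':' + HTTP_PORT2,
 HTTP_REMOTE_ORIGIN: 'http://' + REMOTE_HOST + ':' + HTTP_PORT,
+HTTP_NOTSAMESITE_ORIGIN: 'http://' + NOTSAMESITE_HOST + ':' + HTTP_PORT,
 HTTP_REMOTE_ORIGIN_WITH_DIFFERENT_PORT: 'http://' + REMOTE_HOST + ':' + HTTP_PORT2,
 HTTPS_REMOTE_ORIGIN: 'https://' + REMOTE_HOST + ':' + HTTPS_PORT,
 HTTPS_REMOTE_ORIGIN_WITH_CREDS: 'https://foo:bar@' + REMOTE_HOST + ':' + HTTPS_PORT,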
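Review bot: When `ORIGINAL_HOST` is `localhost`, the new `NOTSAMESITE_HOST` falls back to `'127.0.0.1'`, exactly the value `REMOTE_HOST` takes in that branch, so `HTTP_NOTSAMESITE_ORIGIN` and `HTTP_REMOTE_ORIGIN` are the same origin there and a test cannot use the two to tell a same-site case from a cross-site one. In the other branch `'not-' + ORIGINAL_HOST` is assembled by string concatenation rather than taken from a `{{domains[...]}}` substitution as `OTHER_HOST` is, so it presumably depends on the test server and name resolution answering for that name; if the name does not resolve, a test that expects a blocked load would pass for the wrong reason. I would record both assumptions on the declaration, for example `// Must resolve to this server and must not share a registrable domain with ORIGINAL_HOST; on localhost it equals REMOTE_HOST.` The body of `get_host_info` starts and ends outside these hunks.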
@@ -0,0 +1,67 @@
1+
<!DOCTYPE html>
2+
<html>
3+
<head>
4+
<script src="/resources/testharness.js"></script>
5+
<script src="/resources/testharnessreport.js"></script>
6+
<script src="/common/get-host-info.sub.js"></script>
7+
</head>
8+
<body>
9+
<script>
10+
const host = get_host_info();
11+
const remoteBaseURL = host.HTTP_REMOTE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
12+
const notSameSiteBaseURL = host.HTTP_NOTSAMESITE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
13+
const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
14+
15+
function with_iframe(url)
16+
{
17+
return new Promise(function(resolve) {
18+
var frame = document.createElement('iframe');
19+
frame.src = url;
20+
frame.onload = function() { resolve(frame); };
21+
document.body.appendChild(frame);
22+
});
23+
}
24+
25+
function loadIFrameAndFetch(iframeURL, fetchURL, expectedFetchResult, title)
26+
{
27+
promise_test(async () => {
28+
const frame = await with_iframe(iframeURL);
29+
let receiveMessage;
30+
const promise = new Promise((resolve, reject) => {
31+
receiveMessage = (event) => {
32+
if (event.data !== expectedFetchResult) {
33+
reject("Received unexpected message " + event.data);
34+
return;
35+
}
36+
resolve();
37+
}
38+
window.addEventListener("message", receiveMessage, false);
39+
});
40+
frame.contentWindow.postMessage(fetchURL, "*");
41+
return promise.finally(() => {
42+
frame.remove();
43+
window.removeEventListener("message", receiveMessage, false);
44+
});
45+
}, title);
46+
}
47+
48+
// This above data URL should be equivalent to resources/iframeFetch.html
49+
var dataIFrameURL = "data:text/html;base64,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";
50+
51+
loadIFrameAndFetch(dataIFrameURL, localBaseURL + "resources/hello.py?corp=same-origin", "ko",
52+
"Cross-origin fetch in a data: iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
53+
54+
loadIFrameAndFetch(dataIFrameURL, localBaseURL + "resources/hello.py?corp=same-site", "ko",
55+
"Cross-origin fetch in a data: iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-site' response header.");
56+
57+
loadIFrameAndFetch(remoteBaseURL + "resources/iframeFetch.html", localBaseURL + "resources/hello.py?corp=same-origin", "ko",
58+
"Cross-origin fetch in a cross origin iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
59+
60+
loadIFrameAndFetch(notSameSiteBaseURL + "resources/iframeFetch.html", localBaseURL + "resources/hello.py?corp=same-site", "ko",
61+
"Cross-origin fetch in a cross origin iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-site' response header.");
62+
63+
loadIFrameAndFetch(remoteBaseURL + "resources/iframeFetch.html", remoteBaseURL + "resources/hello.py?corp=same-origin", "ok",
64+
"Same-origin fetch in a cross origin iframe load succeeds if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
65+
</script>
66+
</body>
67+
</html>
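Review bot: `receiveMessage` in `loadIFrameAndFetch` accepts a `message` event from any window, so a late or unrelated message can resolve or reject the wrong test. The data: iframe has an opaque origin, which rules out an `event.origin` comparison, but the sender can still be pinned with `if (event.source !== frame.contentWindow) return;` as the first line of the handler. The listener in the 46-line test that loads `resources/iframe.py` has the same gap and is also never removed. Two smaller points: `reject("Received unexpected message " + event.data)` would report better as a `reject(new Error(...))`, and the comment `// This above data URL should be equivalent to resources/iframeFetch.html` precedes the declaration it describes, so it should read `// The data: URL below should be equivalent to resources/iframeFetch.html`.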
@@ -0,0 +1,83 @@
1+
<!DOCTYPE html>
2+
<html>
3+
<head>
4+
<script src="/resources/testharness.js"></script>
5+
<script src="/resources/testharnessreport.js"></script>
6+
<script src="/common/get-host-info.sub.js"></script>
7+
</head>
8+
<body>
9+
<script>
10+
const host = get_host_info();
11+
const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
12+
const sameSiteBaseURL = "http://" + host.ORIGINAL_HOST + ":" + host.HTTP_PORT2 + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
13+
const notSameSiteBaseURL = host.HTTP_NOTSAMESITE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
14+
const httpsBaseURL = host.HTTPS_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
15+
16+
promise_test(async () => {
17+
const response = await fetch("./resources/hello.py?corp=same-origin");
18+
assert_equals(await response.text(), "hello");
19+
}, "Same-origin fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
20+
21+
promise_test(async () => {
22+
const response = await fetch("./resources/hello.py?corp=same-site");
23+
assert_equals(await response.text(), "hello");
24+
}, "Same-origin fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");
25+
26+
promise_test(async (test) => {
27+
const response = await fetch(notSameSiteBaseURL + "resources/hello.py?corp=same-origin");
28+
assert_equals(await response.text(), "hello");
29+
}, "Cross-origin cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
30+
31+
promise_test(async (test) => {
32+
const response = await fetch(notSameSiteBaseURL + "resources/hello.py?corp=same-site");
33+
assert_equals(await response.text(), "hello");
34+
}, "Cross-origin cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");
35+
36+
promise_test((test) => {
37+
const remoteURL = notSameSiteBaseURL + "resources/hello.py?corp=same-origin";
38+
return promise_rejects(test, new TypeError, fetch(remoteURL, { mode : "no-cors" }));
39+
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
40+
41+
promise_test((test) => {
42+
const remoteURL = notSameSiteBaseURL + "resources/hello.py?corp=same-site";
43+
return promise_rejects(test, new TypeError, fetch(remoteURL, { mode: "no-cors" }));
44+
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");
45+
46+
promise_test((test) => {
47+
const remoteURL = httpsBaseURL + "resources/hello.py?corp=same-site";
48+
return fetch(remoteURL, { mode: "no-cors" });
49+
}, "Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-site' response header.");
50+
51+
promise_test((test) => {
52+
const remoteURL = httpsBaseURL + "resources/hello.py?corp=same-origin";
53+
return promise_rejects(test, new TypeError, fetch(remoteURL, { mode : "no-cors" }));
54+
}, "Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
55+
56+
promise_test(async (test) => {
57+
const remoteSameSiteURL = sameSiteBaseURL + "resources/hello.py?corp=same-site";
58+
59+
await fetch(remoteSameSiteURL, { mode: "no-cors" });
60+
61+
return promise_rejects(test, new TypeError, fetch(sameSiteBaseURL + "resources/hello.py?corp=same-origin", { mode: "no-cors" }));
62+
}, "Valid cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");
63+
64+
promise_test((test) => {
65+
const finalURL = notSameSiteBaseURL + "resources/hello.py?corp=same-origin";
66+
return promise_rejects(test, new TypeError, fetch("resources/redirect.py?redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" }));
67+
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header after a redirection.");
68+
69+
promise_test((test) => {
70+
const finalURL = localBaseURL + "resources/hello.py?corp=same-origin";
71+
return fetch(notSameSiteBaseURL + "resources/redirect.py?redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" });
72+
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header after a cross-origin redirection.");
73+
74+
promise_test(async (test) => {
75+
const finalURL = localBaseURL + "resources/hello.py?corp=same-origin";
76+
77+
await fetch(finalURL, { mode: "no-cors" });
78+
79+
return promise_rejects(test, new TypeError, fetch(notSameSiteBaseURL + "resources/redirect.py?corp=same-origin&redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" }));
80+
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' redirect response header.");
81+
</script>
82+
</body>
83+
</html>
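Review bot: The tests that assert only `promise_rejects(test, new TypeError, fetch(remoteURL, { mode : "no-cors" }))` against `notSameSiteBaseURL` cannot tell a Cross-Origin-Resource-Policy block from an ordinary network failure. If the `not-` host is unreachable the fetch rejects with the same `TypeError`, and the test passes in a browser that enforces nothing. The last test in this file already guards against that by awaiting a fetch that must succeed before the one that must fail; the earlier ones could do the same by becoming `async` and adding `await fetch(remoteURL);` first, since the cors-mode tests above expect that same URL to return `hello`. The tests that expect a no-cors fetch to succeed also assert nothing about the result; `assert_equals(response.type, "opaque")` would confirm the response was delivered as an opaque one.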
@@ -0,0 +1,46 @@
1+
<!DOCTYPE html>
2+
<html>
3+
<head>
4+
<script src="/resources/testharness.js"></script>
5+
<script src="/resources/testharnessreport.js"></script>
6+
<script src="/common/get-host-info.sub.js"></script>
7+
</head>
8+
<body>
9+
<script>
10+
const host = get_host_info();
11+
const remoteBaseURL = host.HTTP_REMOTE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
12+
const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
13+
14+
function with_iframe(url) {
15+
return new Promise(function(resolve) {
16+
var frame = document.createElement('iframe');
17+
frame.src = url;
18+
frame.onload = function() { resolve(frame); };
19+
document.body.appendChild(frame);
20+
});
21+
}
22+
23+
promise_test(async() => {
24+
const url = remoteBaseURL + "resources/iframe.py?corp=same-origin";
25+
26+
await new Promise((resolve, reject) => {
27+
return fetch(url, { mode: "no-cors" }).then(reject, resolve);
28+
});
29+
30+
const iframe = await with_iframe(url);
31+
return new Promise((resolve, reject) => {
32+
window.addEventListener("message", (event) => {
33+
if (event.data !== "pong") {
34+
reject(event.data);
35+
return;
36+
}
37+
resolve();
38+
}, false);
39+
iframe.contentWindow.postMessage("ping", "*");
40+
}).finally(() => {
41+
iframe.remove();
42+
});
43+
}, "Load an iframe that has Cross-Origin-Resource-Policy header");
44+
</script>
45+
</body>
46+
</html>
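Review bot: The first step wraps the request as `fetch(url, { mode: "no-cors" }).then(reject, resolve)` inside a hand-built promise, which counts any rejection as success, including one caused by the remote host being unreachable, and never checks the error type. Using `promise_test(async (test) => {` with `await promise_rejects(test, new TypeError, fetch(url, { mode: "no-cors" }));` matches the sibling fetch tests and gives a clearer failure report. The later `pong` reply then at least shows the host was reachable. `localBaseURL` is declared but not used in this file.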
