Skip to content

Commit

Permalink
Bug 1541670 [wpt PR 16148] - Send Sec-Fetch-User only for user-acti…
Browse files Browse the repository at this point in the history 
…vated, navigational requests., a=testonly

Automatic update from web-platform-tests
Send `Sec-Fetch-User` only for user-activated, navigational requests.

As per the conversation in w3c/webappsec-fetch-metadata#23 and
w3c/webappsec-fetch-metadata#19, this patch drops the `Sec-Fetch-User` header
for non-navigational requests, and for navigational requests that are
not user-activated.

Bug: 947444
Change-Id: Ica4846bda6ccf4e8bce1323803954f4fef9c18a3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1545871
Reviewed-by: Alex Moshchuk <alexmoschromium.org>
Commit-Queue: Mike West <mkwstchromium.org>
Cr-Commit-Position: refs/heads/master{#646086}

--

wpt-commits: b93752a06f9498f774aed288663259cd738f1a7c
wpt-pr: 16148

UltraBlame original commit: 595f9f3aa36e9e4e5c8f120d7349c2965613814d
  • Loading branch information
@marco-c
marco-c committed Oct 4, 2019
1 parent b9f7f80 commit 44dea8d
Show file tree
Hide file tree
Showing 21 changed files with 143 additions and 115 deletions.
6 changes: 3 additions & 3 deletions testing/web-platform/tests/fetch/sec-metadata/embed.tentative.https.sub.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
let e = document.createElement('embed');
e.src = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
e.onload = e => {
let expected = {"dest":"embed", "site":"same-origin", "user":"?F", "mode":"no-cors"};
let expected = {"dest":"embed", "site":"same-origin", "user":"", "mode":"no-cors"};
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
.then(response => response.text())
.then(text => assert_header_equals(text, expected))
Expand All @@ -35,7 +35,7 @@
let e = document.createElement('embed');
e.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
e.onload = e => {
let expected = {"dest":"embed", "site":"same-site", "user":"?F", "mode":"no-cors"};
let expected = {"dest":"embed", "site":"same-site", "user":"", "mode":"no-cors"};
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
.then(response => response.text())
.then(text => assert_header_equals(text, expected))
Expand All @@ -54,7 +54,7 @@
let e = document.createElement('embed');
e.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
e.onload = e => {
let expected = {"dest":"embed", "site":"cross-site", "user":"?F", "mode":"no-cors"};
let expected = {"dest":"embed", "site":"cross-site", "user":"", "mode":"no-cors"};
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
.then(response => response.text())
.then(text => assert_header_equals(text, expected))
Expand Down
12 changes: 6 additions & 6 deletions testing/web-platform/tests/fetch/sec-metadata/fetch.tentative.https.sub.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
assert_header_equals(j, {
"dest": "empty",
"site": "same-origin",
"user": "?F",
"user": "",
"mode": "cors",
});
});
Expand All @@ -24,7 +24,7 @@
assert_header_equals(j, {
"dest": "empty",
"site": "same-site",
"user": "?F",
"user": "",
"mode": "cors",
});
});
Expand All @@ -37,7 +37,7 @@
assert_header_equals(j, {
"dest": "empty",
"site": "cross-site",
"user": "?F",
"user": "",
"mode": "cors",
});
});
Expand All @@ -51,7 +51,7 @@
assert_header_equals(j, {
"dest": "empty",
"site": "same-origin",
"user": "?F",
"user": "",
"mode": "same-origin",
});
});
Expand All @@ -64,7 +64,7 @@
assert_header_equals(j, {
"dest": "empty",
"site": "same-origin",
"user": "?F",
"user": "",
"mode": "cors",
});
});
Expand All @@ -77,7 +77,7 @@
assert_header_equals(j, {
"dest": "empty",
"site": "same-origin",
"user": "?F",
"user": "",
"mode": "no-cors",
});
});
Expand Down
6 changes: 3 additions & 3 deletions testing/web-platform/tests/fetch/sec-metadata/font.tentative.https.sub.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@
promise_test(t => {
return new Promise((resolve, reject) => {
let key = "font-same-origin";
let expected = {"dest":"font", "site":"same-origin", "user":"?F", "mode": "cors"};
let expected = {"dest":"font", "site":"same-origin", "user":"", "mode": "cors"};
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
.then(response => response.text())
.then(text => assert_header_equals(text, expected))
Expand All @@ -58,7 +58,7 @@
promise_test(t => {
return new Promise((resolve, reject) => {
let key = "font-same-site";
let expected = {"dest":"font", "site":"same-site", "user":"?F", "mode": "cors"};
let expected = {"dest":"font", "site":"same-site", "user":"", "mode": "cors"};
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
.then(response => response.text())
.then(text => assert_header_equals(text, expected))
Expand All @@ -70,7 +70,7 @@
promise_test(t => {
return new Promise((resolve, reject) => {
let key = "font-cross-site";
let expected = {"dest":"font", "site":"cross-site", "user":"?F", "mode": "cors"};
let expected = {"dest":"font", "site":"cross-site", "user":"", "mode": "cors"};
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
.then(response => response.text())
.then(text => assert_header_equals(text, expected))
Expand Down
134 changes: 78 additions & 56 deletions testing/web-platform/tests/fetch/sec-metadata/iframe.tentative.https.sub.html
View file
Original file line number Diff line number Diff line change
@@ -1,63 +1,85 @@
<!DOCTYPE html>
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src=/resources/testdriver.js></script>
<script src=/resources/testdriver-vendor.js></script>
<script src=/fetch/sec-metadata/resources/helper.js></script>
<script src=/common/utils.js></script>
<body>
<script>
async_test(t => {
let i = document.createElement('iframe');
i.src = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
window.addEventListener('message', t.step_func(e => {
if (e.source != i.contentWindow)
return;

assert_header_equals(e.data, {
"dest": "nested-document",
"site": "same-origin",
"user": "?F",
"mode": "nested-navigate"
});
t.done();
}));

document.body.appendChild(i);
}, "Same-origin iframe");

async_test(t => {
let i = document.createElement('iframe');
i.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
window.addEventListener('message', t.step_func(e => {
if (e.source != i.contentWindow)
return;

assert_header_equals(e.data, {
"dest": "nested-document",
"site": "same-site",
"user": "?F",
"mode": "nested-navigate"
});
t.done();
}));

document.body.appendChild(i);
}, "Same-site iframe");

async_test(t => {
let i = document.createElement('iframe');
i.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
window.addEventListener('message', t.step_func(e => {
if (e.source != i.contentWindow)
return;

assert_header_equals(e.data, {
"dest": "nested-document",
"site": "cross-site",
"user": "?F",
"mode": "nested-navigate"
});
t.done();
}));

document.body.appendChild(i);
}, "Cross-site iframe");
const USER = true;
const FORCED = false;

function create_test(host, user_activated, expectations) {
async_test(t => {
let i = document.createElement('iframe');
window.addEventListener('message', t.step_func(e => {
if (e.source != i.contentWindow)
return;

assert_header_equals(e.data, expectations);
t.done();
}));

let url = `https://${host}/fetch/sec-metadata/resources/post-to-owner.py`;
if (user_activated == FORCED) {
i.src = url;
document.body.appendChild(i);
} else if (user_activated == USER) {
let uuid = token();
i.name = uuid;
let a = document.createElement('a');
a.href = url;
a.target = uuid;
a.text = "This is a link!";

document.body.appendChild(i);
document.body.appendChild(a);

test_driver.click(a);
}
}, `{{host}} -> ${host} iframe: ${user_activated ? "user-activated" : "forced"}`);
}

create_test("{{host}}:{{ports[https][0]}}", FORCED, {
"dest": "nested-document",
"site": "same-origin",
"user": "",
"mode": "nested-navigate"
});

create_test("{{hosts[][www]}}:{{ports[https][0]}}", FORCED, {
"dest": "nested-document",
"site": "same-site",
"user": "",
"mode": "nested-navigate"
});

create_test("{{hosts[alt][www]}}:{{ports[https][0]}}", FORCED, {
"dest": "nested-document",
"site": "cross-site",
"user": "",
"mode": "nested-navigate"
});

create_test("{{host}}:{{ports[https][0]}}", USER, {
"dest": "nested-document",
"site": "same-origin",
"user": "?T",
"mode": "nested-navigate"
});

create_test("{{hosts[][www]}}:{{ports[https][0]}}", USER, {
"dest": "nested-document",
"site": "same-site",
"user": "?T",
"mode": "nested-navigate"
});

create_test("{{hosts[alt][www]}}:{{ports[https][0]}}", USER, {
"dest": "nested-document",
"site": "cross-site",
"user": "?T",
"mode": "nested-navigate"
});
</script>
12 changes: 9 additions & 3 deletions testing/web-platform/tests/fetch/sec-metadata/img.tentative.https.sub.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
assert_header_equals(got, {
"dest": "image",
"site": "same-origin",
"user": "?F",
// Note that we're using `undefined` here, as opposed to "" elsewhere because of the way
// that `image.py` encodes data.
"user": undefined,
"mode": "cors", // Because `loadImageInWindow` tacks on `crossorigin`
});
}),
Expand All @@ -45,7 +47,9 @@
assert_header_equals(got, {
"dest": "image",
"site": "same-site",
"user": "?F",
// Note that we're using `undefined` here, as opposed to "" elsewhere because of the way
// that `image.py` encodes data.
"user": undefined,
"mode": "cors", // Because `loadImageInWindow` tacks on `crossorigin`
});
}),
Expand All @@ -67,7 +71,9 @@
assert_header_equals(got, {
"dest": "image",
"site": "cross-site",
"user": "?F",
// Note that we're using `undefined` here, as opposed to "" elsewhere because of the way
// that `image.py` encodes data.
"user": undefined,
"mode": "cors", // Because `loadImageInWindow` tacks on `crossorigin`
});
}),
Expand Down
6 changes: 3 additions & 3 deletions testing/web-platform/tests/fetch/sec-metadata/object.tentative.https.sub.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
let e = document.createElement('object');
e.data = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
e.onload = e => {
let expected = {"dest":"object", "site":"same-origin", "user":"?F", "mode":"no-cors"};
let expected = {"dest":"object", "site":"same-origin", "user":"", "mode":"no-cors"};
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
.then(response => response.text())
.then(text => assert_header_equals(text, expected))
Expand All @@ -35,7 +35,7 @@
let e = document.createElement('object');
e.data = "https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
e.onload = e => {
let expected = {"dest":"object", "site":"same-site", "user":"?F", "mode":"no-cors"};
let expected = {"dest":"object", "site":"same-site", "user":"", "mode":"no-cors"};
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
.then(response => response.text())
.then(text => assert_header_equals(text, expected))
Expand All @@ -54,7 +54,7 @@
let e = document.createElement('object');
e.data = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
e.onload = e => {
let expected = {"dest":"object", "site":"cross-site", "user":"?F", "mode":"no-cors"};
let expected = {"dest":"object", "site":"cross-site", "user":"", "mode":"no-cors"};
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
.then(response => response.text())
.then(text => assert_header_equals(text, expected))
Expand Down
6 changes: 3 additions & 3 deletions ...b-platform/tests/fetch/sec-metadata/redirect/cross-site-redirect.tentative.https.sub.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@

let e = document.createElement('img');
e.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
let expected = {"dest":"image", "site":"cross-site", "user":"", "mode": "no-cors"};
e.onload = e => {
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
.then(response => response.text())
Expand All @@ -41,7 +41,7 @@

let e = document.createElement('img');
e.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
let expected = {"dest":"image", "site":"cross-site", "user":"", "mode": "no-cors"};
e.onload = e => {
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
.then(response => response.text())
Expand All @@ -67,7 +67,7 @@

let e = document.createElement('img');
e.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
let expected = {"dest":"image", "site":"cross-site", "user":"", "mode": "no-cors"};
e.onload = e => {
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
.then(response => response.text())
Expand Down
2 changes: 1 addition & 1 deletion ...m/tests/fetch/sec-metadata/redirect/multiple-redirect-cross-site.tentative.https.sub.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
e.src = "https://{{host}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=" +// same-origin
"https://{{hosts[alt][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=" +// cross-site
"https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;// same-origin
let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
let expected = {"dest":"image", "site":"cross-site", "user":"", "mode": "no-cors"};

e.onload = e => {
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
Expand Down
2 changes: 1 addition & 1 deletion ...rm/tests/fetch/sec-metadata/redirect/multiple-redirect-same-site.tentative.https.sub.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
e.src = "https://{{host}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=" +// same-origin
"https://{{hosts[][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=" +// same-site
"https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;// same-origin
let expected = {"dest":"image", "site":"same-site", "user":"?F", "mode": "no-cors"};
let expected = {"dest":"image", "site":"same-site", "user":"", "mode": "no-cors"};

e.onload = e => {
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
Expand Down
6 changes: 3 additions & 3 deletions ...-platform/tests/fetch/sec-metadata/redirect/same-origin-redirect.tentative.https.sub.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@

let e = document.createElement('img');
e.src = "/xhr/resources/redirect.py?location=https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
let expected = {"dest":"image", "site":"same-origin", "user":"?F", "mode": "no-cors"};
let expected = {"dest":"image", "site":"same-origin", "user":"", "mode": "no-cors"};

e.onload = e => {
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
Expand All @@ -42,7 +42,7 @@

let e = document.createElement('img');
e.src = "/xhr/resources/redirect.py?location=https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
let expected = {"dest":"image", "site":"same-site", "user":"?F", "mode": "no-cors"};
let expected = {"dest":"image", "site":"same-site", "user":"", "mode": "no-cors"};

e.onload = e => {
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
Expand All @@ -69,7 +69,7 @@

let e = document.createElement('img');
e.src = "/xhr/resources/redirect.py?location=https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
let expected = {"dest":"image", "site":"cross-site", "user":"", "mode": "no-cors"};

e.onload = e => {
fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
Expand Down
Loading

0 comments on commit 44dea8d

Please sign in to comment.