From 7f0a106f3d5e9d3e7f70ba52aae896a3fffc2cc6 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren
Date: Fri, 8 Jun 2018 12:48:10 +0200
Subject: [PATCH] Fetch: test Cross-Origin-Resource-Policy: same-site's scheme restriction Supplements #11171. For https://github.com/whatwg/fetch/pull/733.
---
.../cross-origin-resource-policy/resources/image.py | 1 -
.../scheme-restriction.any.js | 7 +++++++
.../scheme-restriction.https.window.js | 13 +++++++++++++
3 files changed, 20 insertions(+), 1 deletion(-)
create mode 100644 fetch/cross-origin-resource-policy/scheme-restriction.any.js
create mode 100644 fetch/cross-origin-resource-policy/scheme-restriction.https.window.js
diff --git a/fetch/cross-origin-resource-policy/resources/image.py b/fetch/cross-origin-resource-policy/resources/image.py
index ba6198135a2aad..ad9295cf682874 100644
--- a/fetch/cross-origin-resource-policy/resources/image.py
+++ b/fetch/cross-origin-resource-policy/resources/image.py
@@ -18,4 +18,3 @@ def main(request, response): response.writer.end_headers() response.writer.write(body) -
diff --git a/fetch/cross-origin-resource-policy/scheme-restriction.any.js b/fetch/cross-origin-resource-policy/scheme-restriction.any.js
new file mode 100644
index 00000000000000..192572e28421b3
--- /dev/null
+++ b/fetch/cross-origin-resource-policy/scheme-restriction.any.js
@@ -0,0 +1,7 @@
+// META: script=/common/get-host-info.sub.js
+
+promise_test(t => {
+ return promise_rejects(t,
+ new TypeError(),
+ fetch(get_host_info().HTTPS_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-site", { mode: "no-cors" }));
+}, "Cross-Origin-Resource-Policy: same-site blocks retrieving HTTPS from HTTP");
diff --git a/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js b/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js
new file mode 100644
index 00000000000000..4c7457187419e0
--- /dev/null
+++ b/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js
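Review bot: In scheme-restriction.any.js the only assertion is that the no-cors fetch rejects with a TypeError, and fetch() rejects the same way for any network error, so the test also passes when the HTTPS server is unreachable, its certificate is not accepted, or `hello.py` fails for an unrelated reason. A blocking test like this is more trustworthy with a positive control in the same `promise_test`: first request the same HTTPS resource in a form that should not be blocked and require it to resolve, then assert the `corp=same-site` rejection. Whether `hello.py` serves a response without the `corp` parameter is not visible in this patch, so the control URL needs checking against that resource. At minimum, add a comment above the `fetch(...)` call such as `// Expected to reject because the page is http and the response is https; any other network error would satisfy this assertion too.`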
@@ -0,0 +1,13 @@
+// META: script=/common/get-host-info.sub.js
+
+promise_test(t => {
+ const img = new Image();
+ img.src = get_host_info().HTTP_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/image.py?corp=same-site";
+ return new Promise((resolve, reject) => {
+ img.onload = resolve;
+ img.onerror = reject;
+ document.body.appendChild(img);
+ }).finally(() => {
+ img.remove();
+ });
+}, "Cross-Origin-Resource-Policy does not block Mixed Content ");
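Review bot: The result of this test depends on the user agent loading an `http:` image inside an `https:` document, which the title implies but the code never states; a UA that blocks or upgrades mixed-content images would fail here through `img.onerror` for a reason unrelated to Cross-Origin-Resource-Policy. Add a comment above the `img.src` assignment such as `// Relies on images being optionally-blockable mixed content; a failure may mean mixed-content blocking rather than CORP.` The `img.onerror = reject` line rejects with a bare Event, so the failure output carries no message; `img.onerror = () => reject(new Error("image failed to load"));` would make the cause readable. The test name also ends with a stray space (`"...Mixed Content "`), which becomes part of the result identifier.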