Fetch: test Cross-Origin-Resource-Policy: same-site's scheme restriction
Supplements #11171.

For whatwg/fetch#733.
annevk committed Jun 18, 2018
1 parent 04a0711 commit cd37c77
Showing 5 changed files with 46 additions and 0 deletions.
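--- a/fetch/cross-origin-resource-policy/resources/hello.py
+++ b/fetch/cross-origin-resource-policy/resources/hello.py
@@ -0,0 +1,6 @@
+def main(request, response):
+headers = [("Cross-Origin-Resource-Policy", request.GET['corp'])]
+if 'origin' in request.headers:
+headers.append(('Access-Control-Allow-Origin', request.headers['origin']))
+
+return 200, headers, "hello"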
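Review bot: `request.GET['corp']` on the first line of `main` is read unconditionally, so a request without a `corp` parameter presumably fails with a lookup error instead of returning a response that simply lacks the header. image.py in this same commit guards with `if 'corp' in request.GET:`; starting from `headers = []` and appending the policy header only when the parameter is present would keep the two handlers consistent. The handler also reflects the request's `Origin` into `Access-Control-Allow-Origin` and a query value into a response header, which suits a test fixture but deserves a one-line docstring such as `"""Test-only handler: reflects ?corp= and the Origin header into the response."""` so it is not reused outside the test server.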
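--- a/fetch/cross-origin-resource-policy/resources/image.py
+++ b/fetch/cross-origin-resource-policy/resources/image.py
@@ -0,0 +1,20 @@
+import os.path
+
+def main(request, response):
+type = request.GET.first("type", None)
+
+body = open(os.path.join(os.path.dirname(__file__), "green.png"), "rb").read()
+
+response.add_required_headers = False
+response.writer.write_status(200)
+
+if 'corp' in request.GET:
+response.writer.write_header("cross-origin-resource-policy", request.GET['corp'])
+if 'acao' in request.GET:
+response.writer.write_header("access-control-allow-origin", request.GET['acao'])
+response.writer.write_header("content-length", len(body))
+if(type != None):
+response.writer.write_header("content-type", type)
+response.writer.end_headers()
+
+response.writer.write(body)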
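--- a/fetch/cross-origin-resource-policy/scheme-restriction.any.js
+++ b/fetch/cross-origin-resource-policy/scheme-restriction.any.js
@@ -0,0 +1,7 @@
+// META: script=/common/get-host-info.sub.js
+
+promise_test(t => {
+return promise_rejects(t,
+new TypeError(),
+fetch(get_host_info().HTTPS_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-site", { mode: "no-cors" }));
+}, "Cross-Origin-Resource-Policy: same-site's scheme restriction");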
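Review bot: The `promise_rejects(t, new TypeError(), fetch(...))` assertion cannot tell a Cross-Origin-Resource-Policy block from any other network failure, since a connection or TLS error on the remote origin would presumably reject with the same TypeError. A control assertion in the same file, fetching a resource on that origin that is expected to succeed, would show that the rejection comes from the policy. The test also appears to depend on the document being served over http while the target is https, which only the title hints at; a comment such as `// Served over http: the same-site https response must be blocked because the schemes differ.` above `promise_test` would make that precondition explicit.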
@@ -0,0 +1,13 @@
// META: script=/common/get-host-info.sub.js

promise_test(t => {
const img = new Image();
img.src = get_host_info().HTTP_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/image.py?corp=same-site";
return new Promise((resolve, reject) => {
img.onload = resolve;
img.onerror = reject;
document.body.appendChild(img);
}).finally(() => {
img.remove();
});
}, "Cross-Origin-Resource-Policy does not block Mixed Content <img>");
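Review bot: `img.onerror = reject` rejects the promise with a bare error Event, so a failing run says nothing about which URL failed; `img.onerror = () => reject(new Error("image failed to load: " + img.src));` gives a usable message. The test name implies the page is loaded over https with the image on an http origin, but nothing in the hunk states it, and the file's path is not shown on this page. A comment like `// Requires an https document; the http image is mixed content and must still load with corp=same-site.` would record that precondition.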
