From cd37c7733209aaebc5160b25fb457884eddbc9b5 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 8 Jun 2018 12:48:10 +0200
Subject: [PATCH] Fetch: test Cross-Origin-Resource-Policy: same-site's scheme
 restriction

Supplements #11171.

For https://github.com/whatwg/fetch/pull/733.
---
 .../resources/green.png                       | Bin 0 -> 87 bytes
 .../resources/hello.py                        |   6 ++++++
 .../resources/image.py                        |  20 ++++++++++++++++++
 .../scheme-restriction.any.js                 |   7 ++++++
 .../scheme-restriction.https.window.js        |  13 ++++++++++++
 5 files changed, 46 insertions(+)
 create mode 100644 fetch/cross-origin-resource-policy/resources/green.png
 create mode 100644 fetch/cross-origin-resource-policy/resources/hello.py
 create mode 100644 fetch/cross-origin-resource-policy/resources/image.py
 create mode 100644 fetch/cross-origin-resource-policy/scheme-restriction.any.js
 create mode 100644 fetch/cross-origin-resource-policy/scheme-restriction.https.window.js

diff --git a/fetch/cross-origin-resource-policy/resources/green.png b/fetch/cross-origin-resource-policy/resources/green.png
new file mode 100644
index 0000000000000000000000000000000000000000..28a1faab37797ef39454aa1deac1b470712f7be4
GIT binary patch
literal 87
zcmeAS@N?(olHy`uVBq!ia0vp^DL`z*$P6SW{C@KnNHGWagt#*NXE2F7umZ^C_jGX#
j(GX2ekYHV$kio>jw1<IF`tIWiKq&@KS3j3^P6<r_F*+3V

literal 0
HcmV?d00001

diff --git a/fetch/cross-origin-resource-policy/resources/hello.py b/fetch/cross-origin-resource-policy/resources/hello.py
new file mode 100644
index 000000000000000..2b7cb6c6fc9fa99
--- /dev/null
+++ b/fetch/cross-origin-resource-policy/resources/hello.py
@@ -0,0 +1,6 @@
+def main(request, response):
+    headers = [("Cross-Origin-Resource-Policy", request.GET['corp'])]
+    if 'origin' in request.headers:
+        headers.append(('Access-Control-Allow-Origin', request.headers['origin']))
+
+    return 200, headers, "hello"
diff --git a/fetch/cross-origin-resource-policy/resources/image.py b/fetch/cross-origin-resource-policy/resources/image.py
new file mode 100644
index 000000000000000..ad9295cf6828740
--- /dev/null
+++ b/fetch/cross-origin-resource-policy/resources/image.py
@@ -0,0 +1,20 @@
+import os.path
+
+def main(request, response):
+    type = request.GET.first("type", None)
+
+    body = open(os.path.join(os.path.dirname(__file__), "green.png"), "rb").read()
+
+    response.add_required_headers = False
+    response.writer.write_status(200)
+
+    if 'corp' in request.GET:
+        response.writer.write_header("cross-origin-resource-policy", request.GET['corp'])
+    if 'acao' in request.GET:
+        response.writer.write_header("access-control-allow-origin", request.GET['acao'])
+    response.writer.write_header("content-length", len(body))
+    if(type != None):
+      response.writer.write_header("content-type", type)
+    response.writer.end_headers()
+
+    response.writer.write(body)
diff --git a/fetch/cross-origin-resource-policy/scheme-restriction.any.js b/fetch/cross-origin-resource-policy/scheme-restriction.any.js
new file mode 100644
index 000000000000000..d16c59024741074
--- /dev/null
+++ b/fetch/cross-origin-resource-policy/scheme-restriction.any.js
@@ -0,0 +1,7 @@
+// META: script=/common/get-host-info.sub.js
+
+promise_test(t => {
+  return promise_rejects(t,
+                         new TypeError(),
+                         fetch(get_host_info().HTTPS_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-site", { mode: "no-cors" }));
+}, "Cross-Origin-Resource-Policy: same-site's scheme restriction");
diff --git a/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js b/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js
new file mode 100644
index 000000000000000..4c7457187419e05
--- /dev/null
+++ b/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js
@@ -0,0 +1,13 @@
+// META: script=/common/get-host-info.sub.js
+
+promise_test(t => {
+  const img = new Image();
+  img.src = get_host_info().HTTP_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/image.py?corp=same-site";
+  return new Promise((resolve, reject) => {
+    img.onload = resolve;
+    img.onerror = reject;
+    document.body.appendChild(img);
+  }).finally(() => {
+    img.remove();
+  });
+}, "Cross-Origin-Resource-Policy does not block Mixed Content <img>");