WPT: Sec-Fetch-* headers aren't accessible in service workers.

As requested in whatwg/fetch#993. Change-Id: Ie6096154ad9f6af73e2c26e0bb0c8f72a2a7a99a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2727263 Reviewed-by: Matt Falkenhagen <[email protected]> Commit-Queue: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#859345}
web-platform-tests · Mar 3, 2021 · cdcfd00 · cdcfd00
1 parent 5b5efce
commit cdcfd00
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 0 deletions.
diff --git a/fetch/metadata/resources/serviceworker-accessors-frame.html b/fetch/metadata/resources/serviceworker-accessors-frame.html
@@ -0,0 +1,3 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Page Title</title>
diff --git a/fetch/metadata/resources/serviceworker-accessors.sw.js b/fetch/metadata/resources/serviceworker-accessors.sw.js
@@ -0,0 +1,14 @@
+addEventListener("fetch", event => {
+  event.waitUntil(async function () {
+    if (!event.clientId) return;
+    const client = await clients.get(event.clientId);
+    if (!client) return;
+
+    client.postMessage({
+      "dest": event.request.headers.get("sec-fetch-dest"),
+      "mode": event.request.headers.get("sec-fetch-mode"),
+      "site": event.request.headers.get("sec-fetch-site"),
+      "user": event.request.headers.get("sec-fetch-user")
+    });
+  }());
+});
diff --git a/fetch/metadata/serviceworker-accessors.https.sub.html b/fetch/metadata/serviceworker-accessors.https.sub.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<!--
+  This test verifies that Fetch Metadata headers are not exposed to Service
+  Workers via the request's `headers` accessor.
+-->
+<meta charset="utf-8"/>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/fetch/metadata/resources/helper.js></script>
+<script src=/service-workers/service-worker/resources/test-helpers.sub.js></script>
+<script src=/common/utils.js></script>
+<script>
+  const SCOPE = 'resources/serviceworker-accessors-frame.html';
+  const SCRIPT = 'resources/serviceworker-accessors.sw.js';
+
+  function assert_headers_not_seen_in_service_worker(frame) {
+    return new Promise((resolve, reject) => {
+      frame.contentWindow.fetch(SCOPE, {mode:'no-cors'});
+      frame.contentWindow.navigator.serviceWorker.addEventListener('message', e => {
+        assert_header_equals(e.data, {
+          "dest": null,
+          "mode": null,
+          "site": null,
+          "user": null
+        });
+        resolve();
+      });
+    });
+  }
+
+  promise_test(async function(t) {
+    const reg = await service_worker_unregister_and_register(t, SCRIPT, SCOPE);
+
+    t.add_cleanup(async () => {
+      if (reg)
+        await reg.unregister();
+    });
+
+    await wait_for_state(t, reg.installing, 'activated');
+
+    const frame = await with_iframe(SCOPE);
+    t.add_cleanup(async () => {
+      if (frame)
+        frame.remove();
+    });
+
+    // Trigger a fetch that will go through the service worker, and validate
+    // the visible headers.
+    await assert_headers_not_seen_in_service_worker(frame);
+  }, 'Sec-Fetch headers in Service Worker fetch handler.');
+</script>