forked from web-platform-tests/wpt
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fetch: Cross-Origin-Resource-Policy tests
For whatwg/fetch#733. WebKit export of https://bugs.webkit.org/show_bug.cgi?id=185840.
- Loading branch information
Showing
13 changed files
with
365 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
<script src="/common/get-host-info.sub.js"></script> | ||
</head> | ||
<body> | ||
<script> | ||
const host = get_host_info(); | ||
const remoteBaseURL = host.HTTP_REMOTE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ; | ||
const notSameSiteBaseURL = host.HTTP_NOTSAMESITE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ; | ||
const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ; | ||
|
||
function with_iframe(url) | ||
{ | ||
return new Promise(function(resolve) { | ||
var frame = document.createElement('iframe'); | ||
frame.src = url; | ||
frame.onload = function() { resolve(frame); }; | ||
document.body.appendChild(frame); | ||
}); | ||
} | ||
|
||
function loadIFrameAndFetch(iframeURL, fetchURL, expectedFetchResult, title) | ||
{ | ||
promise_test(async () => { | ||
const frame = await with_iframe(iframeURL); | ||
let receiveMessage; | ||
const promise = new Promise((resolve, reject) => { | ||
receiveMessage = (event) => { | ||
if (event.data !== expectedFetchResult) { | ||
reject("Received unexpected message " + event.data); | ||
return; | ||
} | ||
resolve(); | ||
} | ||
window.addEventListener("message", receiveMessage, false); | ||
}); | ||
frame.contentWindow.postMessage(fetchURL, "*"); | ||
return promise.finally(() => { | ||
frame.remove(); | ||
window.removeEventListener("message", receiveMessage, false); | ||
}); | ||
}, title); | ||
} | ||
|
||
// This above data URL should be equivalent to resources/iframeFetch.html | ||
var dataIFrameURL = "data:text/html;base64,PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KICAgIDxzY3JpcHQ+CiAgICAgICAgZnVuY3Rpb24gcHJvY2Vzc01lc3NhZ2UoZXZlbnQpCiAgICAgICAgewogICAgICAgICAgICBmZXRjaChldmVudC5kYXRhLCB7IG1vZGU6ICJuby1jb3JzIiB9KS50aGVuKCgpID0+IHsKICAgICAgICAgICAgICAgIHBhcmVudC5wb3N0TWVzc2FnZSgib2siLCAiKiIpOwogICAgICAgICAgICB9LCAoKSA9PiB7CiAgICAgICAgICAgICAgICBwYXJlbnQucG9zdE1lc3NhZ2UoImtvIiwgIioiKTsKICAgICAgICAgICAgfSk7CiAgICAgICAgfQogICAgICAgIHdpbmRvdy5hZGRFdmVudExpc3RlbmVyKCJtZXNzYWdlIiwgcHJvY2Vzc01lc3NhZ2UsIGZhbHNlKTsKICAgIDwvc2NyaXB0Pgo8L2hlYWQ+Cjxib2R5PgogICAgPGgzPlRoZSBpZnJhbWUgbWFraW5nIGEgc2FtZSBvcmlnaW4gZmV0Y2ggY2FsbC48L2gzPgo8L2JvZHk+CjwvaHRtbD4K"; | ||
|
||
loadIFrameAndFetch(dataIFrameURL, localBaseURL + "resources/hello.py?corp=same-origin", "ko", | ||
"Cross-origin fetch in a data: iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-origin' response header."); | ||
|
||
loadIFrameAndFetch(dataIFrameURL, localBaseURL + "resources/hello.py?corp=same-site", "ko", | ||
"Cross-origin fetch in a data: iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-site' response header."); | ||
|
||
loadIFrameAndFetch(remoteBaseURL + "resources/iframeFetch.html", localBaseURL + "resources/hello.py?corp=same-origin", "ko", | ||
"Cross-origin fetch in a cross origin iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-origin' response header."); | ||
|
||
loadIFrameAndFetch(notSameSiteBaseURL + "resources/iframeFetch.html", localBaseURL + "resources/hello.py?corp=same-site", "ko", | ||
"Cross-origin fetch in a cross origin iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-site' response header."); | ||
|
||
loadIFrameAndFetch(remoteBaseURL + "resources/iframeFetch.html", remoteBaseURL + "resources/hello.py?corp=same-origin", "ok", | ||
"Same-origin fetch in a cross origin iframe load succeeds if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-origin' response header."); | ||
</script> | ||
</body> | ||
</html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,83 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
<script src="/common/get-host-info.sub.js"></script> | ||
</head> | ||
<body> | ||
<script> | ||
const host = get_host_info(); | ||
const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ; | ||
const sameSiteBaseURL = "http://" + host.ORIGINAL_HOST + ":" + host.HTTP_PORT2 + window.location.pathname.replace(/\/[^\/]*$/, '/') ; | ||
const notSameSiteBaseURL = host.HTTP_NOTSAMESITE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ; | ||
const httpsBaseURL = host.HTTPS_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ; | ||
|
||
promise_test(async () => { | ||
const response = await fetch("./resources/hello.py?corp=same-origin"); | ||
assert_equals(await response.text(), "hello"); | ||
}, "Same-origin fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header."); | ||
|
||
promise_test(async () => { | ||
const response = await fetch("./resources/hello.py?corp=same-site"); | ||
assert_equals(await response.text(), "hello"); | ||
}, "Same-origin fetch with a 'Cross-Origin-Resource-Policy: same-site' response header."); | ||
|
||
promise_test(async (test) => { | ||
const response = await fetch(notSameSiteBaseURL + "resources/hello.py?corp=same-origin"); | ||
assert_equals(await response.text(), "hello"); | ||
}, "Cross-origin cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header."); | ||
|
||
promise_test(async (test) => { | ||
const response = await fetch(notSameSiteBaseURL + "resources/hello.py?corp=same-site"); | ||
assert_equals(await response.text(), "hello"); | ||
}, "Cross-origin cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header."); | ||
|
||
promise_test((test) => { | ||
const remoteURL = notSameSiteBaseURL + "resources/hello.py?corp=same-origin"; | ||
return promise_rejects(test, new TypeError, fetch(remoteURL, { mode : "no-cors" })); | ||
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header."); | ||
|
||
promise_test((test) => { | ||
const remoteURL = notSameSiteBaseURL + "resources/hello.py?corp=same-site"; | ||
return promise_rejects(test, new TypeError, fetch(remoteURL, { mode: "no-cors" })); | ||
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header."); | ||
|
||
promise_test((test) => { | ||
const remoteURL = httpsBaseURL + "resources/hello.py?corp=same-site"; | ||
return fetch(remoteURL, { mode: "no-cors" }); | ||
}, "Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-site' response header."); | ||
|
||
promise_test((test) => { | ||
const remoteURL = httpsBaseURL + "resources/hello.py?corp=same-origin"; | ||
return promise_rejects(test, new TypeError, fetch(remoteURL, { mode : "no-cors" })); | ||
}, "Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-origin' response header."); | ||
|
||
promise_test(async (test) => { | ||
const remoteSameSiteURL = sameSiteBaseURL + "resources/hello.py?corp=same-site"; | ||
|
||
await fetch(remoteSameSiteURL, { mode: "no-cors" }); | ||
|
||
return promise_rejects(test, new TypeError, fetch(sameSiteBaseURL + "resources/hello.py?corp=same-origin", { mode: "no-cors" })); | ||
}, "Valid cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header."); | ||
|
||
promise_test((test) => { | ||
const finalURL = notSameSiteBaseURL + "resources/hello.py?corp=same-origin"; | ||
return promise_rejects(test, new TypeError, fetch("resources/redirect.py?redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" })); | ||
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header after a redirection."); | ||
|
||
promise_test((test) => { | ||
const finalURL = localBaseURL + "resources/hello.py?corp=same-origin"; | ||
return fetch(notSameSiteBaseURL + "resources/redirect.py?redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" }); | ||
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header after a cross-origin redirection."); | ||
|
||
promise_test(async (test) => { | ||
const finalURL = localBaseURL + "resources/hello.py?corp=same-origin"; | ||
|
||
await fetch(finalURL, { mode: "no-cors" }); | ||
|
||
return promise_rejects(test, new TypeError, fetch(notSameSiteBaseURL + "resources/redirect.py?corp=same-origin&redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" })); | ||
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' redirect response header."); | ||
</script> | ||
</body> | ||
</html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
<script src="/common/get-host-info.sub.js"></script> | ||
</head> | ||
<body> | ||
<script> | ||
const host = get_host_info(); | ||
const remoteBaseURL = host.HTTP_REMOTE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ; | ||
const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ; | ||
|
||
function with_iframe(url) { | ||
return new Promise(function(resolve) { | ||
var frame = document.createElement('iframe'); | ||
frame.src = url; | ||
frame.onload = function() { resolve(frame); }; | ||
document.body.appendChild(frame); | ||
}); | ||
} | ||
|
||
promise_test(async() => { | ||
const url = remoteBaseURL + "resources/iframe.py?corp=same-origin"; | ||
|
||
await new Promise((resolve, reject) => { | ||
return fetch(url, { mode: "no-cors" }).then(reject, resolve); | ||
}); | ||
|
||
const iframe = await with_iframe(url); | ||
return new Promise((resolve, reject) => { | ||
window.addEventListener("message", (event) => { | ||
if (event.data !== "pong") { | ||
reject(event.data); | ||
return; | ||
} | ||
resolve(); | ||
}, false); | ||
iframe.contentWindow.postMessage("ping", "*"); | ||
}).finally(() => { | ||
iframe.remove(); | ||
}); | ||
}, "Load an iframe that has Cross-Origin-Resource-Policy header"); | ||
</script> | ||
</body> | ||
</html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
<script src="/common/get-host-info.sub.js"></script> | ||
</head> | ||
<body> | ||
<div id="testDiv"></div> | ||
<script> | ||
const host = get_host_info(); | ||
const notSameSiteBaseURL = host.HTTP_NOTSAMESITE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ; | ||
const ok = true; | ||
const ko = false; | ||
const noCors = false; | ||
|
||
function loadImage(url, shoudLoad, corsMode, title) | ||
{ | ||
promise_test(() => { | ||
const img = new Image(); | ||
if (corsMode) | ||
img.crossOrigin = corsMode; | ||
img.src = url; | ||
return new Promise((resolve, reject) => { | ||
img.onload = shoudLoad ? resolve : reject; | ||
img.onerror = shoudLoad ? reject : resolve; | ||
testDiv.appendChild(img); | ||
}).finally(() => { | ||
testDiv.innerHTML = ""; | ||
}); | ||
}, title); | ||
} | ||
|
||
loadImage("./resources/image.py?corp=same-origin", ok, noCors, | ||
"Same-origin image load with a 'Cross-Origin-Resource-Policy: same-origin' response header."); | ||
|
||
loadImage("./resources/image.py?corp=same-site", ok, noCors, | ||
"Same-origin image load with a 'Cross-Origin-Resource-Policy: same-site' response header."); | ||
|
||
loadImage(notSameSiteBaseURL + "resources/image.py?corp=same-origin&acao=*", ok, "anonymous", | ||
"Cross-origin cors image load with a 'Cross-Origin-Resource-Policy: same-origin' response header."); | ||
|
||
loadImage(notSameSiteBaseURL + "resources/image.py?corp=same-site&acao=*", ok, "anonymous", | ||
"Cross-origin cors image load with a 'Cross-Origin-Resource-Policy: same-site' response header."); | ||
|
||
loadImage(notSameSiteBaseURL + "resources/image.py?corp=same-origin&acao=*", ko, noCors, | ||
"Cross-origin no-cors image load with a 'Cross-Origin-Resource-Policy: same-origin' response header."); | ||
|
||
loadImage(notSameSiteBaseURL + "resources/image.py?corp=same-site&acao=*", ko, noCors, | ||
"Cross-origin no-cors image load with a 'Cross-Origin-Resource-Policy: same-site' response header."); | ||
</script> | ||
</body> | ||
</html> |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
def main(request, response): | ||
headers = [("Cross-Origin-Resource-Policy", request.GET['corp'])] | ||
if 'origin' in request.headers: | ||
headers.append(('Access-Control-Allow-Origin', request.headers['origin'])) | ||
|
||
return 200, headers, "hello" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
def main(request, response): | ||
headers = [("Content-Type", "text/html"), | ||
("Cross-Origin-Resource-Policy", request.GET['corp'])] | ||
return 200, headers, "<body><h3>The iframe</h3><script>window.onmessage = () => { parent.postMessage('pong', '*'); }</script></body>" | ||
|
19 changes: 19 additions & 0 deletions
19
fetch/cross-origin-resource-policy/resources/iframeFetch.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<script> | ||
function processMessage(event) | ||
{ | ||
fetch(event.data, { mode: "no-cors" }).then(() => { | ||
parent.postMessage("ok", "*"); | ||
}, () => { | ||
parent.postMessage("ko", "*"); | ||
}); | ||
} | ||
window.addEventListener("message", processMessage, false); | ||
</script> | ||
</head> | ||
<body> | ||
<h3>The iframe making a same origin fetch call.</h3> | ||
</body> | ||
</html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
import os.path | ||
|
||
def main(request, response): | ||
type = request.GET.first("type", None) | ||
|
||
body = open(os.path.join(os.path.dirname(__file__), "green.png"), "rb").read() | ||
|
||
response.add_required_headers = False | ||
response.writer.write_status(200) | ||
|
||
if 'corp' in request.GET: | ||
response.writer.write_header("cross-origin-resource-policy", request.GET['corp']) | ||
if 'acao' in request.GET: | ||
response.writer.write_header("access-control-allow-origin", request.GET['acao']) | ||
response.writer.write_header("content-length", len(body)) | ||
if(type != None): | ||
response.writer.write_header("content-type", type) | ||
response.writer.end_headers() | ||
|
||
response.writer.write(body) | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
def main(request, response): | ||
headers = [("Location", request.GET['redirectTo'])] | ||
if 'corp' in request.GET: | ||
headers.append(('Cross-Origin-Resource-Policy', request.GET['corp'])) | ||
|
||
return 302, headers, "" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
def main(request, response): | ||
headers = [("Cross-Origin-Resource-Policy", request.GET['corp'])] | ||
if 'origin' in request.headers: | ||
headers.append(('Access-Control-Allow-Origin', request.headers['origin'])) | ||
|
||
return 200, headers, "" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
<script src="/common/get-host-info.sub.js"></script> | ||
</head> | ||
<body> | ||
<div id="testDiv"></div> | ||
<script> | ||
const host = get_host_info(); | ||
const notSameSiteBaseURL = host.HTTP_NOTSAMESITE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ; | ||
const ok = true; | ||
const ko = false; | ||
const noCors = false; | ||
|
||
function loadScript(url, shoudLoad, corsMode, title) | ||
{ | ||
promise_test(() => { | ||
const script = document.createElement("script"); | ||
if (corsMode) | ||
script.crossOrigin = corsMode; | ||
script.src = url; | ||
return new Promise((resolve, reject) => { | ||
script.onload = shoudLoad ? resolve : reject; | ||
script.onerror = shoudLoad ? reject : resolve; | ||
testDiv.appendChild(script); | ||
}); | ||
}, title); | ||
} | ||
|
||
loadScript("./resources/script.py?corp=same-origin", ok, noCors, | ||
"Same-origin script load with a 'Cross-Origin-Resource-Policy: same-origin' response header."); | ||
|
||
loadScript("./resources/script.py?corp=same-site", ok, noCors, | ||
"Same-origin script load with a 'Cross-Origin-Resource-Policy: same-site' response header."); | ||
|
||
loadScript(notSameSiteBaseURL + "resources/script.py?corp=same-origin&acao=*", ok, "anonymous", | ||
"Cross-origin cors script load with a 'Cross-Origin-Resource-Policy: same-origin' response header."); | ||
|
||
loadScript(notSameSiteBaseURL + "resources/script.py?corp=same-site&acao=*", ok, "anonymous", | ||
"Cross-origin cors script load with a 'Cross-Origin-Resource-Policy: same-site' response header."); | ||
|
||
loadScript(notSameSiteBaseURL + "resources/script.py?corp=same-origin&acao=*", ko, noCors, | ||
"Cross-origin no-cors script load with a 'Cross-Origin-Resource-Policy: same-origin' response header."); | ||
|
||
loadScript(notSameSiteBaseURL + "resources/script.py?corp=same-site&acao=*", ko, noCors, | ||
"Cross-origin no-cors script load with a 'Cross-Origin-Resource-Policy: same-site' response header."); | ||
</script> | ||
</body> | ||
</html> |