Skip to content

Commit

Permalink
Fetch: Cross-Origin-Resource-Policy tests
Browse files Browse the repository at this point in the history
  • Loading branch information
youennf authored and annevk committed Jun 18, 2018
1 parent 04a0711 commit eab3b0e
Show file tree
Hide file tree
Showing 13 changed files with 365 additions and 0 deletions.
2 changes: 2 additions & 0 deletions common/get-host-info.sub.js
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ function get_host_info() {
var ORIGINAL_HOST = '{{host}}';
var REMOTE_HOST = (ORIGINAL_HOST === 'localhost') ? '127.0.0.1' : ('www1.' + ORIGINAL_HOST);
var OTHER_HOST = '{{domains[www2]}}';
var NOTSAMESITE_HOST = (ORIGINAL_HOST === 'localhost') ? '127.0.0.1' : ('not-' + ORIGINAL_HOST);

return {
HTTP_PORT: HTTP_PORT,
Expand All @@ -19,6 +20,7 @@ function get_host_info() {
HTTPS_ORIGIN_WITH_CREDS: 'https://foo:bar@' + ORIGINAL_HOST + ':' + HTTPS_PORT,
HTTP_ORIGIN_WITH_DIFFERENT_PORT: 'http://' + ORIGINAL_HOST + ':' + HTTP_PORT2,
HTTP_REMOTE_ORIGIN: 'http://' + REMOTE_HOST + ':' + HTTP_PORT,
HTTP_NOTSAMESITE_ORIGIN: 'http://' + NOTSAMESITE_HOST + ':' + HTTP_PORT,
HTTP_REMOTE_ORIGIN_WITH_DIFFERENT_PORT: 'http://' + REMOTE_HOST + ':' + HTTP_PORT2,
HTTPS_REMOTE_ORIGIN: 'https://' + REMOTE_HOST + ':' + HTTPS_PORT,
HTTPS_REMOTE_ORIGIN_WITH_CREDS: 'https://foo:bar@' + REMOTE_HOST + ':' + HTTPS_PORT,
Expand Down
67 changes: 67 additions & 0 deletions fetch/cross-origin-resource-policy/fetch-in-iframe.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
</head>
<body>
<script>
const host = get_host_info();
const remoteBaseURL = host.HTTP_REMOTE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
const notSameSiteBaseURL = host.HTTP_NOTSAMESITE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;

function with_iframe(url)
{
return new Promise(function(resolve) {
var frame = document.createElement('iframe');
frame.src = url;
frame.onload = function() { resolve(frame); };
document.body.appendChild(frame);
});
}

function loadIFrameAndFetch(iframeURL, fetchURL, expectedFetchResult, title)
{
promise_test(async () => {
const frame = await with_iframe(iframeURL);
let receiveMessage;
const promise = new Promise((resolve, reject) => {
receiveMessage = (event) => {
if (event.data !== expectedFetchResult) {
reject("Received unexpected message " + event.data);
return;
}
resolve();
}
window.addEventListener("message", receiveMessage, false);
});
frame.contentWindow.postMessage(fetchURL, "*");
return promise.finally(() => {
frame.remove();
window.removeEventListener("message", receiveMessage, false);
});
}, title);
}

// This above data URL should be equivalent to resources/iframeFetch.html
var dataIFrameURL = "data:text/html;base64,PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KICAgIDxzY3JpcHQ+CiAgICAgICAgZnVuY3Rpb24gcHJvY2Vzc01lc3NhZ2UoZXZlbnQpCiAgICAgICAgewogICAgICAgICAgICBmZXRjaChldmVudC5kYXRhLCB7IG1vZGU6ICJuby1jb3JzIiB9KS50aGVuKCgpID0+IHsKICAgICAgICAgICAgICAgIHBhcmVudC5wb3N0TWVzc2FnZSgib2siLCAiKiIpOwogICAgICAgICAgICB9LCAoKSA9PiB7CiAgICAgICAgICAgICAgICBwYXJlbnQucG9zdE1lc3NhZ2UoImtvIiwgIioiKTsKICAgICAgICAgICAgfSk7CiAgICAgICAgfQogICAgICAgIHdpbmRvdy5hZGRFdmVudExpc3RlbmVyKCJtZXNzYWdlIiwgcHJvY2Vzc01lc3NhZ2UsIGZhbHNlKTsKICAgIDwvc2NyaXB0Pgo8L2hlYWQ+Cjxib2R5PgogICAgPGgzPlRoZSBpZnJhbWUgbWFraW5nIGEgc2FtZSBvcmlnaW4gZmV0Y2ggY2FsbC48L2gzPgo8L2JvZHk+CjwvaHRtbD4K";

loadIFrameAndFetch(dataIFrameURL, localBaseURL + "resources/hello.py?corp=same-origin", "ko",
"Cross-origin fetch in a data: iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-origin' response header.");

loadIFrameAndFetch(dataIFrameURL, localBaseURL + "resources/hello.py?corp=same-site", "ko",
"Cross-origin fetch in a data: iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-site' response header.");

loadIFrameAndFetch(remoteBaseURL + "resources/iframeFetch.html", localBaseURL + "resources/hello.py?corp=same-origin", "ko",
"Cross-origin fetch in a cross origin iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-origin' response header.");

loadIFrameAndFetch(notSameSiteBaseURL + "resources/iframeFetch.html", localBaseURL + "resources/hello.py?corp=same-site", "ko",
"Cross-origin fetch in a cross origin iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-site' response header.");

loadIFrameAndFetch(remoteBaseURL + "resources/iframeFetch.html", remoteBaseURL + "resources/hello.py?corp=same-origin", "ok",
"Same-origin fetch in a cross origin iframe load succeeds if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
</script>
</body>
</html>
83 changes: 83 additions & 0 deletions fetch/cross-origin-resource-policy/fetch.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
</head>
<body>
<script>
const host = get_host_info();
const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
const sameSiteBaseURL = "http://" + host.ORIGINAL_HOST + ":" + host.HTTP_PORT2 + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
const notSameSiteBaseURL = host.HTTP_NOTSAMESITE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
const httpsBaseURL = host.HTTPS_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;

promise_test(async () => {
const response = await fetch("./resources/hello.py?corp=same-origin");
assert_equals(await response.text(), "hello");
}, "Same-origin fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header.");

promise_test(async () => {
const response = await fetch("./resources/hello.py?corp=same-site");
assert_equals(await response.text(), "hello");
}, "Same-origin fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");

promise_test(async (test) => {
const response = await fetch(notSameSiteBaseURL + "resources/hello.py?corp=same-origin");
assert_equals(await response.text(), "hello");
}, "Cross-origin cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header.");

promise_test(async (test) => {
const response = await fetch(notSameSiteBaseURL + "resources/hello.py?corp=same-site");
assert_equals(await response.text(), "hello");
}, "Cross-origin cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");

promise_test((test) => {
const remoteURL = notSameSiteBaseURL + "resources/hello.py?corp=same-origin";
return promise_rejects(test, new TypeError, fetch(remoteURL, { mode : "no-cors" }));
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header.");

promise_test((test) => {
const remoteURL = notSameSiteBaseURL + "resources/hello.py?corp=same-site";
return promise_rejects(test, new TypeError, fetch(remoteURL, { mode: "no-cors" }));
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");

promise_test((test) => {
const remoteURL = httpsBaseURL + "resources/hello.py?corp=same-site";
return fetch(remoteURL, { mode: "no-cors" });
}, "Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-site' response header.");

promise_test((test) => {
const remoteURL = httpsBaseURL + "resources/hello.py?corp=same-origin";
return promise_rejects(test, new TypeError, fetch(remoteURL, { mode : "no-cors" }));
}, "Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-origin' response header.");

promise_test(async (test) => {
const remoteSameSiteURL = sameSiteBaseURL + "resources/hello.py?corp=same-site";

await fetch(remoteSameSiteURL, { mode: "no-cors" });

return promise_rejects(test, new TypeError, fetch(sameSiteBaseURL + "resources/hello.py?corp=same-origin", { mode: "no-cors" }));
}, "Valid cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");

promise_test((test) => {
const finalURL = notSameSiteBaseURL + "resources/hello.py?corp=same-origin";
return promise_rejects(test, new TypeError, fetch("resources/redirect.py?redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" }));
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header after a redirection.");

promise_test((test) => {
const finalURL = localBaseURL + "resources/hello.py?corp=same-origin";
return fetch(notSameSiteBaseURL + "resources/redirect.py?redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" });
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header after a cross-origin redirection.");

promise_test(async (test) => {
const finalURL = localBaseURL + "resources/hello.py?corp=same-origin";

await fetch(finalURL, { mode: "no-cors" });

return promise_rejects(test, new TypeError, fetch(notSameSiteBaseURL + "resources/redirect.py?corp=same-origin&redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" }));
}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' redirect response header.");
</script>
</body>
</html>
46 changes: 46 additions & 0 deletions fetch/cross-origin-resource-policy/iframe-loads.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
</head>
<body>
<script>
const host = get_host_info();
const remoteBaseURL = host.HTTP_REMOTE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;

function with_iframe(url) {
return new Promise(function(resolve) {
var frame = document.createElement('iframe');
frame.src = url;
frame.onload = function() { resolve(frame); };
document.body.appendChild(frame);
});
}

promise_test(async() => {
const url = remoteBaseURL + "resources/iframe.py?corp=same-origin";

await new Promise((resolve, reject) => {
return fetch(url, { mode: "no-cors" }).then(reject, resolve);
});

const iframe = await with_iframe(url);
return new Promise((resolve, reject) => {
window.addEventListener("message", (event) => {
if (event.data !== "pong") {
reject(event.data);
return;
}
resolve();
}, false);
iframe.contentWindow.postMessage("ping", "*");
}).finally(() => {
iframe.remove();
});
}, "Load an iframe that has Cross-Origin-Resource-Policy header");
</script>
</body>
</html>
53 changes: 53 additions & 0 deletions fetch/cross-origin-resource-policy/image-loads.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
</head>
<body>
<div id="testDiv"></div>
<script>
const host = get_host_info();
const notSameSiteBaseURL = host.HTTP_NOTSAMESITE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
const ok = true;
const ko = false;
const noCors = false;

function loadImage(url, shoudLoad, corsMode, title)
{
promise_test(() => {
const img = new Image();
if (corsMode)
img.crossOrigin = corsMode;
img.src = url;
return new Promise((resolve, reject) => {
img.onload = shoudLoad ? resolve : reject;
img.onerror = shoudLoad ? reject : resolve;
testDiv.appendChild(img);
}).finally(() => {
testDiv.innerHTML = "";
});
}, title);
}

loadImage("./resources/image.py?corp=same-origin", ok, noCors,
"Same-origin image load with a 'Cross-Origin-Resource-Policy: same-origin' response header.");

loadImage("./resources/image.py?corp=same-site", ok, noCors,
"Same-origin image load with a 'Cross-Origin-Resource-Policy: same-site' response header.");

loadImage(notSameSiteBaseURL + "resources/image.py?corp=same-origin&acao=*", ok, "anonymous",
"Cross-origin cors image load with a 'Cross-Origin-Resource-Policy: same-origin' response header.");

loadImage(notSameSiteBaseURL + "resources/image.py?corp=same-site&acao=*", ok, "anonymous",
"Cross-origin cors image load with a 'Cross-Origin-Resource-Policy: same-site' response header.");

loadImage(notSameSiteBaseURL + "resources/image.py?corp=same-origin&acao=*", ko, noCors,
"Cross-origin no-cors image load with a 'Cross-Origin-Resource-Policy: same-origin' response header.");

loadImage(notSameSiteBaseURL + "resources/image.py?corp=same-site&acao=*", ko, noCors,
"Cross-origin no-cors image load with a 'Cross-Origin-Resource-Policy: same-site' response header.");
</script>
</body>
</html>
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
6 changes: 6 additions & 0 deletions fetch/cross-origin-resource-policy/resources/hello.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
def main(request, response):
headers = [("Cross-Origin-Resource-Policy", request.GET['corp'])]
if 'origin' in request.headers:
headers.append(('Access-Control-Allow-Origin', request.headers['origin']))

return 200, headers, "hello"
5 changes: 5 additions & 0 deletions fetch/cross-origin-resource-policy/resources/iframe.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
def main(request, response):
headers = [("Content-Type", "text/html"),
("Cross-Origin-Resource-Policy", request.GET['corp'])]
return 200, headers, "<body><h3>The iframe</h3><script>window.onmessage = () => { parent.postMessage('pong', '*'); }</script></body>"

19 changes: 19 additions & 0 deletions fetch/cross-origin-resource-policy/resources/iframeFetch.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
<!DOCTYPE html>
<html>
<head>
<script>
function processMessage(event)
{
fetch(event.data, { mode: "no-cors" }).then(() => {
parent.postMessage("ok", "*");
}, () => {
parent.postMessage("ko", "*");
});
}
window.addEventListener("message", processMessage, false);
</script>
</head>
<body>
<h3>The iframe making a same origin fetch call.</h3>
</body>
</html>
21 changes: 21 additions & 0 deletions fetch/cross-origin-resource-policy/resources/image.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
import os.path

def main(request, response):
type = request.GET.first("type", None)

body = open(os.path.join(os.path.dirname(__file__), "green.png"), "rb").read()

response.add_required_headers = False
response.writer.write_status(200)

if 'corp' in request.GET:
response.writer.write_header("cross-origin-resource-policy", request.GET['corp'])
if 'acao' in request.GET:
response.writer.write_header("access-control-allow-origin", request.GET['acao'])
response.writer.write_header("content-length", len(body))
if(type != None):
response.writer.write_header("content-type", type)
response.writer.end_headers()

response.writer.write(body)

6 changes: 6 additions & 0 deletions fetch/cross-origin-resource-policy/resources/redirect.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
def main(request, response):
headers = [("Location", request.GET['redirectTo'])]
if 'corp' in request.GET:
headers.append(('Cross-Origin-Resource-Policy', request.GET['corp']))

return 302, headers, ""
6 changes: 6 additions & 0 deletions fetch/cross-origin-resource-policy/resources/script.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
def main(request, response):
headers = [("Cross-Origin-Resource-Policy", request.GET['corp'])]
if 'origin' in request.headers:
headers.append(('Access-Control-Allow-Origin', request.headers['origin']))

return 200, headers, ""
51 changes: 51 additions & 0 deletions fetch/cross-origin-resource-policy/script-loads.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
</head>
<body>
<div id="testDiv"></div>
<script>
const host = get_host_info();
const notSameSiteBaseURL = host.HTTP_NOTSAMESITE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
const ok = true;
const ko = false;
const noCors = false;

function loadScript(url, shoudLoad, corsMode, title)
{
promise_test(() => {
const script = document.createElement("script");
if (corsMode)
script.crossOrigin = corsMode;
script.src = url;
return new Promise((resolve, reject) => {
script.onload = shoudLoad ? resolve : reject;
script.onerror = shoudLoad ? reject : resolve;
testDiv.appendChild(script);
});
}, title);
}

loadScript("./resources/script.py?corp=same-origin", ok, noCors,
"Same-origin script load with a 'Cross-Origin-Resource-Policy: same-origin' response header.");

loadScript("./resources/script.py?corp=same-site", ok, noCors,
"Same-origin script load with a 'Cross-Origin-Resource-Policy: same-site' response header.");

loadScript(notSameSiteBaseURL + "resources/script.py?corp=same-origin&acao=*", ok, "anonymous",
"Cross-origin cors script load with a 'Cross-Origin-Resource-Policy: same-origin' response header.");

loadScript(notSameSiteBaseURL + "resources/script.py?corp=same-site&acao=*", ok, "anonymous",
"Cross-origin cors script load with a 'Cross-Origin-Resource-Policy: same-site' response header.");

loadScript(notSameSiteBaseURL + "resources/script.py?corp=same-origin&acao=*", ko, noCors,
"Cross-origin no-cors script load with a 'Cross-Origin-Resource-Policy: same-origin' response header.");

loadScript(notSameSiteBaseURL + "resources/script.py?corp=same-site&acao=*", ko, noCors,
"Cross-origin no-cors script load with a 'Cross-Origin-Resource-Policy: same-site' response header.");
</script>
</body>
</html>

0 comments on commit eab3b0e

Please sign in to comment.