diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 01:13:33 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 01:13:33 +0000 |
| commit | 086c044dc34dfc0f74fbe41f4ecb402b2cd34884 (patch) | |
| tree | a4f824bd33cb075dd5aa3eb5a0a94af221bbe83a /testing/web-platform/tests/fetch/private-network-access | |
| parent | Adding debian version 124.0.1-1. (diff) | |
| download | firefox-086c044dc34dfc0f74fbe41f4ecb402b2cd34884.tar.xz firefox-086c044dc34dfc0f74fbe41f4ecb402b2cd34884.zip | |
Merging upstream version 125.0.1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/fetch/private-network-access')
8 files changed, 468 insertions, 82 deletions
diff --git a/testing/web-platform/tests/fetch/private-network-access/anchor.tentative.https.window.js b/testing/web-platform/tests/fetch/private-network-access/anchor.tentative.https.window.js index 4e860ad381..f5473868b7 100644 --- a/testing/web-platform/tests/fetch/private-network-access/anchor.tentative.https.window.js +++ b/testing/web-platform/tests/fetch/private-network-access/anchor.tentative.https.window.js @@ -149,6 +149,44 @@ subsetTestByKey("from-public", promise_test_parallel, t => anchorTest(t, { expected: NavigationTestResult.SUCCESS, }), "public to public: no preflight required."); +subsetTestByKey( + 'from-public', promise_test_parallel, + t => anchorTest(t, { + source: {server: Server.HTTPS_PUBLIC}, + target: { + server: Server.HTTPS_PUBLIC, + behavior: { + redirect: preflightUrl({ + server: Server.HTTPS_PRIVATE, + behavior: { + preflight: PreflightBehavior.noCorsHeader(token()), + } + }), + } + }, + expected: NavigationTestResult.FAILURE, + }), + 'public to public redirected to private: missing CORS headers.'); + +subsetTestByKey( + 'from-public', promise_test_parallel, + t => anchorTest(t, { + source: {server: Server.HTTPS_PUBLIC}, + target: { + server: Server.HTTPS_PUBLIC, + behavior: { + redirect: preflightUrl({ + server: Server.HTTPS_PRIVATE, + behavior: { + preflight: PreflightBehavior.navigation(token()), + } + }), + } + }, + expected: NavigationTestResult.SUCCESS, + }), + 'public to public to private: success.'); + // The following tests verify that `CSP: treat-as-public-address` makes // documents behave as if they had been served from a public IP address. diff --git a/testing/web-platform/tests/fetch/private-network-access/resources/service-worker-fetch-all.js b/testing/web-platform/tests/fetch/private-network-access/resources/service-worker-fetch-all.js new file mode 100644 index 0000000000..78ac8d1576 --- /dev/null +++ b/testing/web-platform/tests/fetch/private-network-access/resources/service-worker-fetch-all.js @@ -0,0 +1,20 @@ +self.addEventListener("install", () => { + // Skip waiting before replacing the previously-active service worker, if any. + // This allows the bridge script to notice the controller change and query + // the install time via fetch. + self.skipWaiting(); +}); + +self.addEventListener("activate", (event) => { + // Claim all clients so that the bridge script notices the activation. + event.waitUntil(self.clients.claim()); +}); + +self.addEventListener("fetch", (event) => { + const url = new URL(event.request.url).searchParams.get("proxied-url"); + if (url) { + event.respondWith(fetch(url)); + } else { + event.respondWith(fetch(event.request)); + } +}); diff --git a/testing/web-platform/tests/fetch/private-network-access/resources/support.sub.js b/testing/web-platform/tests/fetch/private-network-access/resources/support.sub.js index 46a9d9e076..1cb432b787 100644 --- a/testing/web-platform/tests/fetch/private-network-access/resources/support.sub.js +++ b/testing/web-platform/tests/fetch/private-network-access/resources/support.sub.js @@ -480,6 +480,13 @@ const NavigationTestResult = { }; async function windowOpenTest(t, { source, target, expected }) { + if (target.behavior && target.behavior.redirect) { + target.behavior.redirect.searchParams.set('file', 'openee.html'); + target.behavior.redirect.searchParams.set( + 'file-if-no-preflight-received', + 'no-preflight-received.html', + ); + } const targetUrl = preflightUrl(target); targetUrl.searchParams.set("file", "openee.html"); targetUrl.searchParams.set( @@ -507,6 +514,13 @@ async function windowOpenTest(t, { source, target, expected }) { } async function windowOpenExistingTest(t, { source, target, expected }) { + if (target.behavior && target.behavior.redirect) { + target.behavior.redirect.searchParams.set('file', 'openee.html'); + target.behavior.redirect.searchParams.set( + 'file-if-no-preflight-received', + 'no-preflight-received.html', + ); + } const targetUrl = preflightUrl(target); targetUrl.searchParams.set("file", "openee.html"); targetUrl.searchParams.set( @@ -535,6 +549,13 @@ async function windowOpenExistingTest(t, { source, target, expected }) { } async function anchorTest(t, { source, target, expected }) { + if (target.behavior && target.behavior.redirect) { + target.behavior.redirect.searchParams.set('file', 'openee.html'); + target.behavior.redirect.searchParams.set( + 'file-if-no-preflight-received', + 'no-preflight-received.html', + ); + } const targetUrl = preflightUrl(target); targetUrl.searchParams.set("file", "openee.html"); targetUrl.searchParams.set( @@ -855,3 +876,66 @@ async function sharedWorkerBlobFetchTest(t, { source, target, expected }) { assert_equals(status, expected.status, "response status"); assert_equals(body, expected.body, "response body"); } + +async function makeServiceWorkerTest(t, { source, target, expected, fetch_document=false }) { + const bridgeUrl = resolveUrl( + "resources/service-worker-bridge.html", + sourceResolveOptions({ server: source.server })); + + const scriptUrl = fetch_document? + resolveUrl("resources/service-worker-fetch-all.js", sourceResolveOptions(source)): + resolveUrl("resources/service-worker.js", sourceResolveOptions(source)); + + const realTargetUrl = preflightUrl(target); + + // Fetch a URL within the service worker's scope, but tell it which URL to + // really fetch. + const targetUrl = new URL("service-worker-proxy", scriptUrl); + targetUrl.searchParams.append("proxied-url", realTargetUrl.href); + + const iframe = await appendIframe(t, document, bridgeUrl); + + const request = (message) => { + const reply = futureMessage(); + iframe.contentWindow.postMessage(message, "*"); + return reply; + }; + + { + const { error, loaded } = await request({ + action: "register", + url: scriptUrl.href, + }); + + assert_equals(error, undefined, "register error"); + assert_true(loaded, "response loaded"); + } + + try { + const { controlled, numControllerChanges } = await request({ + action: "wait", + numControllerChanges: 1, + }); + + assert_equals(numControllerChanges, 1, "controller change"); + assert_true(controlled, "bridge script is controlled"); + + const { error, ok, body } = await request({ + action: "fetch", + url: targetUrl.href, + }); + + assert_equals(error, expected.error, "fetch error"); + assert_equals(ok, expected.ok, "response ok"); + assert_equals(body, expected.body, "response body"); + } finally { + // Always unregister the service worker. + const { error, unregistered } = await request({ + action: "unregister", + scope: new URL("./", scriptUrl).href, + }); + + assert_equals(error, undefined, "unregister error"); + assert_true(unregistered, "unregistered"); + } +} diff --git a/testing/web-platform/tests/fetch/private-network-access/service-worker-fetch-document-treat-as-public.tentative.https.window.js b/testing/web-platform/tests/fetch/private-network-access/service-worker-fetch-document-treat-as-public.tentative.https.window.js new file mode 100644 index 0000000000..6fc29ce472 --- /dev/null +++ b/testing/web-platform/tests/fetch/private-network-access/service-worker-fetch-document-treat-as-public.tentative.https.window.js @@ -0,0 +1,101 @@ +// META: script=/common/utils.js +// META: script=resources/support.sub.js +// +// Spec: https://wicg.github.io/private-network-access/#integration-fetch +// +// These tests check that fetches from within `ServiceWorker` scripts are +// subject to Private Network Access checks, just like fetches from within +// documents. + +// Results that may be expected in tests. +const TestResult = { + SUCCESS: { ok: true, body: "success" }, + FAILURE: { error: "TypeError" }, +}; + +promise_test(t => makeServiceWorkerTest(t, { + source: { + server: Server.HTTPS_LOCAL, + treatAsPublic: true, + }, + target: { + server: Server.OTHER_HTTPS_LOCAL, + behavior: { + preflight: PreflightBehavior.failure(), + response: ResponseBehavior.allowCrossOrigin() + }, + }, + expected: TestResult.FAILURE, + fetch_document: true, +}), "treat-as-public to local: failed preflight."); + +promise_test(t => makeServiceWorkerTest(t, { + source: { + server: Server.HTTPS_LOCAL, + treatAsPublic: true, + }, + target: { + server: Server.OTHER_HTTPS_LOCAL, + behavior: { + preflight: PreflightBehavior.success(token()), + response: ResponseBehavior.allowCrossOrigin(), + }, + }, + expected: TestResult.SUCCESS, + fetch_document: true, +}), "treat-as-public to local: success."); + +promise_test(t => makeServiceWorkerTest(t, { + source: { + server: Server.HTTPS_LOCAL, + treatAsPublic: true, + }, + target: { server: Server.HTTPS_LOCAL }, + expected: TestResult.SUCCESS, + fetch_document: true, +}), "treat-as-public to local (same-origin): no preflight required."); + +promise_test(t => makeServiceWorkerTest(t, { + source: { + server: Server.HTTPS_LOCAL, + treatAsPublic: true, + }, + target: { + server: Server.HTTPS_PRIVATE, + behavior: { + preflight: PreflightBehavior.failure(), + response: ResponseBehavior.allowCrossOrigin() + }, + }, + expected: TestResult.FAILURE, + fetch_document: true, +}), "treat-as-public to private: failed preflight."); + +promise_test(t => makeServiceWorkerTest(t, { + source: { + server: Server.HTTPS_LOCAL, + treatAsPublic: true, + }, + target: { + server: Server.HTTPS_PRIVATE, + behavior: { + preflight: PreflightBehavior.success(token()), + response: ResponseBehavior.allowCrossOrigin(), + }, + }, + expected: TestResult.SUCCESS, + fetch_document: true, +}), "treat-as-public to private: success."); + +promise_test(t => makeServiceWorkerTest(t, { + source: { + server: Server.HTTPS_LOCAL, + treatAsPublic: true, + }, + target: { + server: Server.HTTPS_PUBLIC, + behavior: { response: ResponseBehavior.allowCrossOrigin() }, + }, + expected: TestResult.SUCCESS, + fetch_document: true, +}), "treat-as-public to public: success."); diff --git a/testing/web-platform/tests/fetch/private-network-access/service-worker-fetch-document.tentative.https.window.js b/testing/web-platform/tests/fetch/private-network-access/service-worker-fetch-document.tentative.https.window.js new file mode 100644 index 0000000000..ec380555a8 --- /dev/null +++ b/testing/web-platform/tests/fetch/private-network-access/service-worker-fetch-document.tentative.https.window.js @@ -0,0 +1,114 @@ +// META: script=/common/utils.js +// META: script=resources/support.sub.js +// +// Spec: https://wicg.github.io/private-network-access/#integration-fetch +// +// These tests check that fetches from within `ServiceWorker` scripts are +// subject to Private Network Access checks, just like fetches from within +// documents. + +// Results that may be expected in tests. +const TestResult = { + SUCCESS: { ok: true, body: "success" }, + FAILURE: { error: "TypeError" }, +}; + +promise_test(t => makeServiceWorkerTest(t, { + source: { server: Server.HTTPS_LOCAL }, + target: { server: Server.HTTPS_LOCAL }, + expected: TestResult.SUCCESS, + fetch_document: true, +}), "local to local: success."); + +promise_test(t => makeServiceWorkerTest(t, { + source: { server: Server.HTTPS_PRIVATE }, + target: { + server: Server.HTTPS_LOCAL, + behavior: { + preflight: PreflightBehavior.failure(), + response: ResponseBehavior.allowCrossOrigin() + }, + }, + expected: TestResult.FAILURE, + fetch_document: true, +}), "private to local: failed preflight."); + +promise_test(t => makeServiceWorkerTest(t, { + source: { server: Server.HTTPS_PRIVATE }, + target: { + server: Server.HTTPS_LOCAL, + behavior: { + preflight: PreflightBehavior.success(token()), + response: ResponseBehavior.allowCrossOrigin(), + }, + }, + expected: TestResult.SUCCESS, + fetch_document: true, +}), "private to local: success."); + +promise_test(t => makeServiceWorkerTest(t, { + source: { server: Server.HTTPS_PRIVATE }, + target: { server: Server.HTTPS_PRIVATE }, + expected: TestResult.SUCCESS, + fetch_document: true, +}), "private to private: success."); + +promise_test(t => makeServiceWorkerTest(t, { + source: { server: Server.HTTPS_PUBLIC }, + target: { + server: Server.HTTPS_LOCAL, + behavior: { + preflight: PreflightBehavior.failure(), + response: ResponseBehavior.allowCrossOrigin() + }, + }, + expected: TestResult.FAILURE, + fetch_document: true, +}), "public to local: failed preflight."); + +promise_test(t => makeServiceWorkerTest(t, { + source: { server: Server.HTTPS_PUBLIC }, + target: { + server: Server.HTTPS_LOCAL, + behavior: { + preflight: PreflightBehavior.success(token()), + response: ResponseBehavior.allowCrossOrigin(), + }, + }, + expected: TestResult.SUCCESS, + fetch_document: true, +}), "public to local: success."); + +promise_test(t => makeServiceWorkerTest(t, { + source: { server: Server.HTTPS_PUBLIC }, + target: { + server: Server.HTTPS_PRIVATE, + behavior: { + preflight: PreflightBehavior.failure(), + response: ResponseBehavior.allowCrossOrigin() + }, + }, + expected: TestResult.FAILURE, + fetch_document: true, +}), "public to private: failed preflight."); + +promise_test(t => makeServiceWorkerTest(t, { + source: { server: Server.HTTPS_PUBLIC }, + target: { + server: Server.HTTPS_PRIVATE, + behavior: { + preflight: PreflightBehavior.success(token()), + response: ResponseBehavior.allowCrossOrigin(), + }, + }, + expected: TestResult.SUCCESS, + fetch_document: true, +}), "public to private: success."); + +promise_test(t => makeServiceWorkerTest(t, { + source: { server: Server.HTTPS_PUBLIC }, + target: { server: Server.HTTPS_PUBLIC }, + expected: TestResult.SUCCESS, + fetch_document: true, +}), "public to public: success."); + diff --git a/testing/web-platform/tests/fetch/private-network-access/service-worker-fetch.tentative.https.window.js b/testing/web-platform/tests/fetch/private-network-access/service-worker-fetch.tentative.https.window.js index cb6d1f79b0..5fc5800ba0 100644 --- a/testing/web-platform/tests/fetch/private-network-access/service-worker-fetch.tentative.https.window.js +++ b/testing/web-platform/tests/fetch/private-network-access/service-worker-fetch.tentative.https.window.js @@ -16,84 +16,25 @@ const TestResult = { FAILURE: { error: "TypeError" }, }; -async function makeTest(t, { source, target, expected }) { - const bridgeUrl = resolveUrl( - "resources/service-worker-bridge.html", - sourceResolveOptions({ server: source.server })); - - const scriptUrl = - resolveUrl("resources/service-worker.js", sourceResolveOptions(source)); - - const realTargetUrl = preflightUrl(target); - - // Fetch a URL within the service worker's scope, but tell it which URL to - // really fetch. - const targetUrl = new URL("service-worker-proxy", scriptUrl); - targetUrl.searchParams.append("proxied-url", realTargetUrl.href); - - const iframe = await appendIframe(t, document, bridgeUrl); - - const request = (message) => { - const reply = futureMessage(); - iframe.contentWindow.postMessage(message, "*"); - return reply; - }; - - { - const { error, loaded } = await request({ - action: "register", - url: scriptUrl.href, - }); - - assert_equals(error, undefined, "register error"); - assert_true(loaded, "response loaded"); - } - - try { - const { controlled, numControllerChanges } = await request({ - action: "wait", - numControllerChanges: 1, - }); - - assert_equals(numControllerChanges, 1, "controller change"); - assert_true(controlled, "bridge script is controlled"); - - const { error, ok, body } = await request({ - action: "fetch", - url: targetUrl.href, - }); - - assert_equals(error, expected.error, "fetch error"); - assert_equals(ok, expected.ok, "response ok"); - assert_equals(body, expected.body, "response body"); - } finally { - // Always unregister the service worker. - const { error, unregistered } = await request({ - action: "unregister", - scope: new URL("./", scriptUrl).href, - }); - - assert_equals(error, undefined, "unregister error"); - assert_true(unregistered, "unregistered"); - } -} - -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_LOCAL }, target: { server: Server.HTTPS_LOCAL }, expected: TestResult.SUCCESS, }), "local to local: success."); -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_PRIVATE }, target: { server: Server.HTTPS_LOCAL, - behavior: { response: ResponseBehavior.allowCrossOrigin() }, + behavior: { + preflight: PreflightBehavior.failure(), + response: ResponseBehavior.allowCrossOrigin() + }, }, expected: TestResult.FAILURE, }), "private to local: failed preflight."); -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_PRIVATE }, target: { server: Server.HTTPS_LOCAL, @@ -105,22 +46,25 @@ subsetTest(promise_test, t => makeTest(t, { expected: TestResult.SUCCESS, }), "private to local: success."); -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_PRIVATE }, target: { server: Server.HTTPS_PRIVATE }, expected: TestResult.SUCCESS, }), "private to private: success."); -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_PUBLIC }, target: { server: Server.HTTPS_LOCAL, - behavior: { response: ResponseBehavior.allowCrossOrigin() }, + behavior: { + preflight: PreflightBehavior.failure(), + response: ResponseBehavior.allowCrossOrigin() + }, }, expected: TestResult.FAILURE, }), "public to local: failed preflight."); -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_PUBLIC }, target: { server: Server.HTTPS_LOCAL, @@ -132,16 +76,19 @@ subsetTest(promise_test, t => makeTest(t, { expected: TestResult.SUCCESS, }), "public to local: success."); -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_PUBLIC }, target: { server: Server.HTTPS_PRIVATE, - behavior: { response: ResponseBehavior.allowCrossOrigin() }, + behavior: { + preflight: PreflightBehavior.failure(), + response: ResponseBehavior.allowCrossOrigin() + }, }, expected: TestResult.FAILURE, }), "public to private: failed preflight."); -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_PUBLIC }, target: { server: Server.HTTPS_PRIVATE, @@ -153,25 +100,28 @@ subsetTest(promise_test, t => makeTest(t, { expected: TestResult.SUCCESS, }), "public to private: success."); -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_PUBLIC }, target: { server: Server.HTTPS_PUBLIC }, expected: TestResult.SUCCESS, }), "public to public: success."); -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_LOCAL, treatAsPublic: true, }, target: { server: Server.OTHER_HTTPS_LOCAL, - behavior: { response: ResponseBehavior.allowCrossOrigin() }, + behavior: { + preflight: PreflightBehavior.failure(), + response: ResponseBehavior.allowCrossOrigin() + }, }, expected: TestResult.FAILURE, }), "treat-as-public to local: failed preflight."); -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_LOCAL, treatAsPublic: true, @@ -186,7 +136,7 @@ subsetTest(promise_test, t => makeTest(t, { expected: TestResult.SUCCESS, }), "treat-as-public to local: success."); -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_LOCAL, treatAsPublic: true, @@ -195,19 +145,22 @@ subsetTest(promise_test, t => makeTest(t, { expected: TestResult.SUCCESS, }), "treat-as-public to local (same-origin): no preflight required."); -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_LOCAL, treatAsPublic: true, }, target: { server: Server.HTTPS_PRIVATE, - behavior: { response: ResponseBehavior.allowCrossOrigin() }, + behavior: { + preflight: PreflightBehavior.failure(), + response: ResponseBehavior.allowCrossOrigin() + }, }, expected: TestResult.FAILURE, }), "treat-as-public to private: failed preflight."); -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_LOCAL, treatAsPublic: true, @@ -222,7 +175,7 @@ subsetTest(promise_test, t => makeTest(t, { expected: TestResult.SUCCESS, }), "treat-as-public to private: success."); -subsetTest(promise_test, t => makeTest(t, { +subsetTest(promise_test, t => makeServiceWorkerTest(t, { source: { server: Server.HTTPS_LOCAL, treatAsPublic: true, diff --git a/testing/web-platform/tests/fetch/private-network-access/window-open-existing.tentative.https.window.js b/testing/web-platform/tests/fetch/private-network-access/window-open-existing.tentative.https.window.js index 6a2a624fc8..565a2117a8 100644 --- a/testing/web-platform/tests/fetch/private-network-access/window-open-existing.tentative.https.window.js +++ b/testing/web-platform/tests/fetch/private-network-access/window-open-existing.tentative.https.window.js @@ -167,6 +167,44 @@ subsetTestByKey( }), 'public to public: no preflight required.'); +subsetTestByKey( + 'from-public', promise_test_parallel, + t => windowOpenExistingTest(t, { + source: {server: Server.HTTPS_PUBLIC}, + target: { + server: Server.HTTPS_PUBLIC, + behavior: { + redirect: preflightUrl({ + server: Server.HTTPS_PRIVATE, + behavior: { + preflight: PreflightBehavior.noCorsHeader(token()), + } + }), + } + }, + expected: NavigationTestResult.FAILURE, + }), + 'public to public redirected to private: missing CORS headers.'); + +subsetTestByKey( + 'from-public', promise_test_parallel, + t => windowOpenExistingTest(t, { + source: {server: Server.HTTPS_PUBLIC}, + target: { + server: Server.HTTPS_PUBLIC, + behavior: { + redirect: preflightUrl({ + server: Server.HTTPS_PRIVATE, + behavior: { + preflight: PreflightBehavior.navigation(token()), + } + }), + } + }, + expected: NavigationTestResult.SUCCESS, + }), + 'public to public to private: success.'); + // The following tests verify that `CSP: treat-as-public-address` makes // documents behave as if they had been served from a public IP address. diff --git a/testing/web-platform/tests/fetch/private-network-access/window-open.tentative.https.window.js b/testing/web-platform/tests/fetch/private-network-access/window-open.tentative.https.window.js index 6793d1f3b4..42d70af4e4 100644 --- a/testing/web-platform/tests/fetch/private-network-access/window-open.tentative.https.window.js +++ b/testing/web-platform/tests/fetch/private-network-access/window-open.tentative.https.window.js @@ -149,6 +149,44 @@ subsetTestByKey("from-public", promise_test_parallel, t => windowOpenTest(t, { expected: NavigationTestResult.SUCCESS, }), "public to public: no preflight required."); +subsetTestByKey( + 'from-public', promise_test_parallel, + t => windowOpenTest(t, { + source: {server: Server.HTTPS_PUBLIC}, + target: { + server: Server.HTTPS_PUBLIC, + behavior: { + redirect: preflightUrl({ + server: Server.HTTPS_PRIVATE, + behavior: { + preflight: PreflightBehavior.noCorsHeader(token()), + } + }), + } + }, + expected: NavigationTestResult.FAILURE, + }), + 'public to public redirected to private: missing CORS headers.'); + +subsetTestByKey( + 'from-public', promise_test_parallel, + t => windowOpenTest(t, { + source: {server: Server.HTTPS_PUBLIC}, + target: { + server: Server.HTTPS_PUBLIC, + behavior: { + redirect: preflightUrl({ + server: Server.HTTPS_PRIVATE, + behavior: { + preflight: PreflightBehavior.navigation(token()), + } + }), + } + }, + expected: NavigationTestResult.SUCCESS, + }), + 'public to public to private: success.'); + // The following tests verify that `CSP: treat-as-public-address` makes // documents behave as if they had been served from a public IP address. |