summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/speculation-rules/prefetch/user-pass.https.html
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/speculation-rules/prefetch/user-pass.https.html')
-rw-r--r--testing/web-platform/tests/speculation-rules/prefetch/user-pass.https.html46
1 files changed, 46 insertions, 0 deletions
diff --git a/testing/web-platform/tests/speculation-rules/prefetch/user-pass.https.html b/testing/web-platform/tests/speculation-rules/prefetch/user-pass.https.html
new file mode 100644
index 0000000000..011e6137e6
--- /dev/null
+++ b/testing/web-platform/tests/speculation-rules/prefetch/user-pass.https.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../resources/utils.js"></script>
+<script src="resources/utils.sub.js"></script>
+
+<meta name="variant" content="?cross-origin=true">
+<meta name="variant" content="?cross-origin=false">
+
+<script>
+ setup(() => assertSpeculationRulesIsSupported());
+
+ let cross_origin = Object.fromEntries(new URLSearchParams(location.search))["cross-origin"] === "true";
+ promise_test(async t => {
+ let executor = "authenticate.py";
+ let credentials = { username: "user", password: "pass" };
+ let agent = await spawnWindow(t, { executor, ...credentials });
+ let request_credentials = await agent.getRequestCredentials();
+ assert_equals(request_credentials.username, credentials.username);
+ assert_equals(request_credentials.password, credentials.password);
+
+ let host = cross_origin ? { hostname: PREFETCH_PROXY_BYPASS_HOST } : {};
+ let nextUrl = agent.getExecutorURL({ page: 2, executor, ...host });
+ await agent.forceSinglePrefetch(nextUrl, { requires: ["anonymous-client-ip-when-cross-origin"] });
+ await agent.navigate(nextUrl);
+
+ let requestHeaders = await agent.getRequestHeaders();
+ request_credentials = await agent.getRequestCredentials();
+ if (cross_origin) {
+ assert_equals(request_credentials.username, undefined);
+ assert_equals(request_credentials.password, undefined);
+
+ assert_in_array(requestHeaders.purpose, ["", "prefetch"]);
+ assert_equals(requestHeaders.sec_purpose, "prefetch;anonymous-client-ip");
+ }
+ else {
+ assert_equals(request_credentials.username, credentials.username);
+ assert_equals(request_credentials.password, credentials.password);
+
+ assert_prefetched(await agent.getRequestHeaders());
+ }
+ }, "test www-authenticate basic does not forward credentials to cross-origin pages.");
+</script>