// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js

// This file consists of tests for COEP reporting using Reporting-Endpoints
// header. It exclusively tests that reports can be sent to Reporting-Endpoint
// configured endpoint.
const { REMOTE_ORIGIN } = get_host_info();

const REPORT_ENDPOINT = token();
const REPORT_ONLY_ENDPOINT = token();
const FRAME_URL = `resources/reporting-empty-frame.html` +
  `?pipe=header(cross-origin-embedder-policy,require-corp;report-to="endpoint")` +
  `|header(cross-origin-embedder-policy-report-only,require-corp;report-to="report-only-endpoint")` +
  `|header(reporting-endpoints, endpoint="/html/cross-origin-embedder-policy/resources/report.py?key=${REPORT_ENDPOINT}"\\, report-only-endpoint="/html/cross-origin-embedder-policy/resources/report.py?key=${REPORT_ONLY_ENDPOINT}")`;

function wait(ms) {
  return new Promise(resolve => step_timeout(resolve, ms));
}

async function fetchReports(endpoint) {
  const res = await fetch(`resources/report.py?key=${endpoint}`, {
    cache: 'no-store'
  });
  if (res.status == 200) {
    return await res.json();
  }
  return [];
}

async function fetchCoepReport(
  endpoint, type, blockedUrl, contextUrl, disposition) {
  blockedUrl = new URL(blockedUrl, location).href;
  contextUrl = new URL(contextUrl, location).href;
  const reports = await fetchReports(endpoint);
  return reports.find(r => (
    r.type == 'coep' &&
    r.url == contextUrl &&
    r.body.type == type &&
    r.body.blockedURL === blockedUrl &&
    r.body.disposition === disposition));
}

async function checkCorpReportExists(
  endpoint, blockedUrl, contextUrl, destination, disposition) {
  blockedUrl = new URL(blockedUrl, location).href;
  contextUrl = new URL(contextUrl, location).href;
  contextUrl.replace(REPORT_ENDPOINT, "REPORT_ENDPOINT_UUID");
  contextUrl.replace(REPORT_ONLY_ENDPOINT, "REPORT_ONLY_ENDPOINT_UUID");
  const report = await fetchCoepReport(
    endpoint, 'corp', blockedUrl, contextUrl, disposition);
  assert_true(!!report,
    `A corp report with blockedURL ${blockedUrl.split("?")[0]} ` +
    `and url ${contextUrl} is not found.`);
  assert_equals(report.body.destination, destination);
}

async function checkNavigationReportExists(
  endpoint, blockedUrl, contextUrl, disposition) {
  blockedUrl = new URL(blockedUrl, location).href;
  contextUrl = new URL(contextUrl, location).href;
  contextUrl.replace(REPORT_ENDPOINT, "REPORT_ENDPOINT_UUID");
  contextUrl.replace(REPORT_ONLY_ENDPOINT, "REPORT_ONLY_ENDPOINT_UUID");
  const report = await fetchCoepReport(
    endpoint, 'navigation', blockedUrl, contextUrl, disposition);
  assert_true(!!report,
    `A navigation report with blockedURL ${blockedUrl.split("?")[0]} ` +
    `and url ${contextUrl} is not found.`);
}

promise_test(async t => {
  const iframe = document.createElement('iframe');
  t.add_cleanup(() => iframe.remove());

  iframe.src = FRAME_URL;
  await new Promise(resolve => {
    iframe.addEventListener('load', resolve, { once: true });
    document.body.appendChild(iframe);
  });

  const url = `${REMOTE_ORIGIN}/common/text-plain.txt?${token()}`;
  const init = { mode: 'no-cors', cache: 'no-store' };
  // The response comes from cross-origin, and doesn't have a CORP
  // header, so it is blocked.
  iframe.contentWindow.fetch(url, init).catch(() => { });

  // Wait for reports to be uploaded.
  await wait(1000);
  await checkCorpReportExists(
    REPORT_ENDPOINT, url, iframe.src, '', 'enforce');
  await checkCorpReportExists(
    REPORT_ONLY_ENDPOINT, url, iframe.src, '', 'reporting');
}, 'subresource CORP');

promise_test(async t => {
  const iframe = document.createElement('iframe');
  t.add_cleanup(() => iframe.remove());

  iframe.src = FRAME_URL;
  await new Promise(resolve => {
    iframe.addEventListener('load', resolve, { once: true });
    document.body.appendChild(iframe);
  });

  const url = `${REMOTE_ORIGIN}/common/blank.html?${token()}`;
  // The nested frame comes from cross-origin and doesn't have a CORP
  // header, so it is blocked.
  const nested = iframe.contentWindow.document.createElement('iframe');
  nested.src = url;
  iframe.contentWindow.document.body.appendChild(nested);

  // Wait for reports to be uploaded.
  await wait(1000);
  await checkCorpReportExists(
    REPORT_ENDPOINT, url, iframe.src, 'iframe', 'enforce');
  await checkCorpReportExists(
    REPORT_ONLY_ENDPOINT, url, iframe.src, 'iframe', 'reporting');
}, 'navigation CORP on cross origin');

promise_test(async (t) => {
  const iframe = document.createElement('iframe');
  t.add_cleanup(() => iframe.remove());

  iframe.src = FRAME_URL;
  const targetUrl = `/common/blank.html?${token()}`;
  iframe.addEventListener('load', t.step_func(() => {
    const nested = iframe.contentDocument.createElement('iframe');
    nested.src = targetUrl;
    // |nested| doesn't have COEP whereas |iframe| has, so it is blocked.
    iframe.contentDocument.body.appendChild(nested);
  }), { once: true });

  document.body.appendChild(iframe);

  // Wait for reports to be uploaded.
  await wait(1000);
  await checkNavigationReportExists(
    REPORT_ENDPOINT, targetUrl, iframe.src, 'enforce');
  await checkNavigationReportExists(
    REPORT_ONLY_ENDPOINT, targetUrl, iframe.src, 'reporting');
}, 'navigation CORP on same origin');