1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
<!DOCTYPE html>
<meta charset=utf-8>
<title>The preload's referrerpolicy attribute should be respected</title>
<meta name="timeout" content="long">
<script src="resources/dummy.js?link-header-preload2"></script>
<script src="/common/get-host-info.sub.js"></script>
<script src="/common/utils.js"></script>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/preload/resources/preload_helper.js"></script>
<body>
<p>The preload's referrerpolicy attribute should be respected,
and consumed regardless of consumer referrer policy</p>
<script>
window.referrers = {};
const {REMOTE_ORIGIN} = get_host_info();
const loaders = {
header: async (t, {preloadPolicy, resourcePolicy, href, id}) => {
const iframe = document.createElement('iframe');
const params = new URLSearchParams();
params.set('href', href);
params.set('resource-policy', resourcePolicy);
if (preloadPolicy === '')
params.set('preload-policy', '');
else
params.set('preload-policy', `referrerpolicy=${preloadPolicy}`);
iframe.src = `resources/link-header-referrer-policy.py?${params.toString()}`;
t.add_cleanup(() => iframe.remove());
const done = new Promise(resolve => {
window.addEventListener('message', ({data}) => {
if (id in data.referrers)
resolve({actualReferrer: data.referrers[id], entries: data.entries});
})
});
document.body.appendChild(iframe);
const {actualReferrer, entries} = await done;
return {actualReferrer, unsafe: iframe.src, entries};
},
element: async (t, {preloadPolicy, resourcePolicy, href, id}) => {
const link = document.createElement('link');
link.href = href;
link.as = 'script';
link.rel = 'preload';
link.referrerPolicy = preloadPolicy;
const preloaded = new Promise(resolve => link.addEventListener('load', resolve));
t.add_cleanup(() => link.remove());
document.head.appendChild(link);
await preloaded;
const script = document.createElement('script');
script.src = href;
script.referrerPolicy = resourcePolicy;
const loaded = new Promise(resolve => script.addEventListener('load', resolve));
document.body.appendChild(script);
await loaded;
return {unsafe: location.href, actualReferrer: window.referrers[id], entries: performance.getEntriesByName(script.src).length}
},
};
function test_referrer_policy(preloadPolicy, resourcePolicy, crossOrigin, type) {
promise_test(async t => {
const id = token();
const href = `${crossOrigin ? REMOTE_ORIGIN : ''}/preload/resources/echo-referrer.py?uid=${id}`;
const {actualReferrer, unsafe, entries} = await loaders[type](t, {preloadPolicy, resourcePolicy, href, id})
assert_equals(entries, 1);
const origin = window.origin + '/';
switch (preloadPolicy) {
case '':
assert_equals(actualReferrer, crossOrigin ? origin : unsafe);
break;
case 'no-referrer':
assert_equals(actualReferrer, '');
break;
case 'same-origin':
assert_equals(actualReferrer, crossOrigin ? '' : unsafe);
break;
case 'origin-when-cross-origin':
case 'strict-origin-when-cross-origin':
assert_equals(actualReferrer, crossOrigin ? origin : unsafe);
break;
case 'origin':
assert_equals(actualReferrer, origin);
break;
case 'unsafe-url':
assert_equals(actualReferrer, unsafe);
break;
default:
assert_equals(actualReferrer, '');
break;
}
}, `referrer policy (${preloadPolicy} -> ${resourcePolicy}, ${type}, ${crossOrigin ? 'cross-origin' : 'same-origin'})`)
}
const policies = [
"",
"no-referrer",
"same-origin",
"origin",
"origin-when-cross-origin",
"strict-origin-when-cross-origin",
"unsafe-url"]
for (const preloadPolicy of policies) {
for (const resourcePolicy of policies) {
for (const type of ['element', 'header']) {
for (const crossOrigin of [true, false]) {
test_referrer_policy(preloadPolicy, resourcePolicy, crossOrigin, type);
}
}
}
}
</script>
</body>
|