Diffstat (limited to 'testing/web-platform/tests/web-bundle/subresource-loading/coep.https.tentative.html')
-rw-r--r--testing/web-platform/tests/web-bundle/subresource-loading/coep.https.tentative.html127
1 files changed, 127 insertions, 0 deletions
diff --git a/testing/web-platform/tests/web-bundle/subresource-loading/coep.https.tentative.html b/testing/web-platform/tests/web-bundle/subresource-loading/coep.https.tentative.html
new file mode 100644
index 0000000000..4029fc6f81
--- /dev/null
+++ b/testing/web-platform/tests/web-bundle/subresource-loading/coep.https.tentative.html
@@ -0,0 +1,127 @@
+<!DOCTYPE html>
+<title>COEP for WebBundle subresource loading</title>
+<link
+ rel="help"
+ href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
+/>
+<link
+ rel="help"
+ href="https://html.spec.whatwg.org/multipage/origin.html#coep"
+/>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/test-helpers.js"></script>
+
+<body>
+ <!--
+ This wpt should run on an origin different from https://www1.web-platform.test:8444/,
+ from where cross-orign WebBundles are served.
+
+ This test uses a cross-origin WebBundle,
+ https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp.wbn,
+ which is served with an Access-Control-Allow-Origin response header.
+
+ `corp.wbn` includes three subresources:
+ a. `no-corp.js`, which doesn't include a Cross-Origin-Resource-Policy response header.
+ b. `corp-same-origin.js`, which includes a Cross-Origin-Resource-Policy: same-origin response header.
+ c. `corp-cross-origin.js`, which includes a Cross-Origin-Resource-Policy: cross-origin response header.
+ -->
+ <script type="webbundle">
+ {
+ "source": "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp.wbn",
+ "resources": [
+ "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/no-corp.js",
+ "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-same-origin.js",
+ "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-cross-origin.js",
+ "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93",
+ "uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34",
+ "uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7"
+ ]
+ }
+ </script>
+ <script>
+ setup(() => {
+ assert_true(HTMLScriptElement.supports("webbundle"));
+ });
+
+ async function expectCOEPReport(func) {
+ const reportsPromise = new Promise((resolve) => {
+ const observer = new ReportingObserver((reports) => {
+ observer.disconnect();
+ resolve(reports.map((r) => r.toJSON()));
+ });
+ observer.observe();
+ });
+
+ await func();
+
+ const reports = await reportsPromise;
+ assert_equals(reports.length, 1);
+ assert_equals(reports[0].type, "coep");
+ assert_equals(reports[0].url, location.href);
+ return reports[0];
+ }
+
+ const prefix =
+ "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/";
+ const no_corp_url = "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93";
+ const corp_same_origin_url =
+ "uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34";
+ const corp_cross_origin_url =
+ "uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7";
+
+ promise_test(async () => {
+ const report = await expectCOEPReport(async () => {
+ await addScriptAndWaitForError(prefix + "no-corp.js");
+ });
+ assert_equals(report.body.blockedURL, prefix + "no-corp.js");
+ assert_equals(report.body.type, "corp");
+ assert_equals(report.body.disposition, "enforce");
+ assert_equals(report.body.destination, "script");
+ }, "Cross-origin subresource without Cross-Origin-Resource-Policy: header should be blocked and generate a report.");
+
+ promise_test(async () => {
+ await addScriptAndWaitForError(prefix + "corp-same-origin.js");
+ }, "Cross-origin subresource with Cross-Origin-Resource-Policy: same-origin should be blocked.");
+
+ promise_test(async () => {
+ await addScriptAndWaitForExecution(prefix + "corp-cross-origin.js");
+ }, "Cross-origin subresource with Cross-Origin-Resource-Policy: cross-origin should be loaded.");
+
+ promise_test(async () => {
+ const report = await expectCOEPReport(async () => {
+ const iframe = document.createElement("iframe");
+ iframe.src = no_corp_url;
+ document.body.appendChild(iframe);
+ });
+
+ assert_equals(report.body.blockedURL, no_corp_url);
+ assert_equals(report.body.type, "corp");
+ assert_equals(report.body.disposition, "enforce");
+ assert_equals(report.body.destination, "iframe");
+ }, "uuid-in-package iframe without Cross-Origin-Resource-Policy: header should be blocked and generate a report.");
+
+ promise_test(async () => {
+ const report = await expectCOEPReport(async () => {
+ const iframe = document.createElement("iframe");
+ iframe.src = corp_same_origin_url;
+ document.body.appendChild(iframe);
+ });
+
+ assert_equals(report.body.blockedURL, corp_same_origin_url);
+ assert_equals(report.body.type, "corp");
+ assert_equals(report.body.disposition, "enforce");
+ assert_equals(report.body.destination, "iframe");
+ }, "uuid-in-package iframe with Cross-Origin-Resource-Policy: same-origin should be blocked and generate a report.");
+
+ promise_test(async () => {
+ const iframe = document.createElement("iframe");
+ iframe.src = corp_cross_origin_url;
+ await addElementAndWaitForLoad(iframe);
+ assert_equals(
+ await evalInIframe(iframe, "location.href"),
+ corp_cross_origin_url
+ );
+ }, "uuid-in-package iframe with Cross-Origin-Resource-Policy: cross-origin should not be blocked.");
+ </script>
+</body>
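Review bot: `expectCOEPReport` builds its `ReportingObserver` without a type filter, so an unrelated report (deprecation, intervention) delivered in the same batch would fail `assert_equals(reports.length, 1)` for reasons that have nothing to do with COEP enforcement; passing `{ types: ["coep"] }` as the second constructor argument keeps the check on the policy under test. The observer is disconnected only inside its own callback, so if `func()` rejects or no report is ever queued, the observer stays registered and the test ends in a harness timeout rather than a clear assertion failure. The script case for `corp-same-origin.js` asserts only that the load errors, which would also pass if the bundle itself failed to load, so it does not show that CORP was what blocked it. The page's own Cross-Origin-Embedder-Policy header is not visible in this file and presumably comes from a sibling `.headers` file; a short comment next to the existing `<!-- ... -->` block naming that dependency would make the precondition explicit.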