Diffstat (limited to 'testing/web-platform/tests/web-bundle/subresource-loading/coep.https.tentative.html')
-rw-r--r-- | testing/web-platform/tests/web-bundle/subresource-loading/coep.https.tentative.html | 127 |
1 files changed, 127 insertions, 0 deletions
diff --git a/testing/web-platform/tests/web-bundle/subresource-loading/coep.https.tentative.html b/testing/web-platform/tests/web-bundle/subresource-loading/coep.https.tentative.html
new file mode 100644
index 0000000000..4029fc6f81
--- /dev/null
+++ b/testing/web-platform/tests/web-bundle/subresource-loading/coep.https.tentative.html
@@ -0,0 +1,127 @@
+<!DOCTYPE html>
+<title>COEP for WebBundle subresource loading</title>
+<link
+ rel="help"
+ href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
+/>
+<link
+ rel="help"
+ href="https://html.spec.whatwg.org/multipage/origin.html#coep"
+/>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/test-helpers.js"></script>
+
+<body>
+ <!--
+ This wpt should run on an origin different from https://www1.web-platform.test:8444/,
+ from where cross-orign WebBundles are served.
+
+ This test uses a cross-origin WebBundle,
+ https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp.wbn,
+ which is served with an Access-Control-Allow-Origin response header.
+
+ `corp.wbn` includes three subresources:
+ a. `no-corp.js`, which doesn't include a Cross-Origin-Resource-Policy response header.
+ b. `corp-same-origin.js`, which includes a Cross-Origin-Resource-Policy: same-origin response header.
+ c. `corp-cross-origin.js`, which includes a Cross-Origin-Resource-Policy: cross-origin response header.
+ -->
+ <script type="webbundle">
+ {
+ "source": "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp.wbn",
+ "resources": [
+ "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/no-corp.js",
+ "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-same-origin.js",
+ "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-cross-origin.js",
+ "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93",
+ "uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34",
+ "uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7"
+ ]
+ }
+ </script>
+ <script>
+ setup(() => {
+ assert_true(HTMLScriptElement.supports("webbundle"));
+ });
+
+ async function expectCOEPReport(func) {
+ const reportsPromise = new Promise((resolve) => {
+ const observer = new ReportingObserver((reports) => {
+ observer.disconnect();
+ resolve(reports.map((r) => r.toJSON()));
+ });
+ observer.observe();
+ });
+
+ await func();
+
+ const reports = await reportsPromise;
+ assert_equals(reports.length, 1);
+ assert_equals(reports[0].type, "coep");
+ assert_equals(reports[0].url, location.href);
+ return reports[0];
+ }
+
+ const prefix =
+ "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/";
+ const no_corp_url = "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93";
+ const corp_same_origin_url =
+ "uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34";
+ const corp_cross_origin_url =
+ "uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7";
+
+ promise_test(async () => {
+ const report = await expectCOEPReport(async () => {
+ await addScriptAndWaitForError(prefix + "no-corp.js");
+ });
+ assert_equals(report.body.blockedURL, prefix + "no-corp.js");
+ assert_equals(report.body.type, "corp");
+ assert_equals(report.body.disposition, "enforce");
+ assert_equals(report.body.destination, "script");
+ }, "Cross-origin subresource without Cross-Origin-Resource-Policy: header should be blocked and generate a report.");
+
+ promise_test(async () => {
+ await addScriptAndWaitForError(prefix + "corp-same-origin.js");
+ }, "Cross-origin subresource with Cross-Origin-Resource-Policy: same-origin should be blocked.");
+
+ promise_test(async () => {
+ await addScriptAndWaitForExecution(prefix + "corp-cross-origin.js");
+ }, "Cross-origin subresource with Cross-Origin-Resource-Policy: cross-origin should be loaded.");
+
+ promise_test(async () => {
+ const report = await expectCOEPReport(async () => {
+ const iframe = document.createElement("iframe");
+ iframe.src = no_corp_url;
+ document.body.appendChild(iframe);
+ });
+
+ assert_equals(report.body.blockedURL, no_corp_url);
+ assert_equals(report.body.type, "corp");
+ assert_equals(report.body.disposition, "enforce");
+ assert_equals(report.body.destination, "iframe");
+ }, "uuid-in-package iframe without Cross-Origin-Resource-Policy: header should be blocked and generate a report.");
+
+ promise_test(async () => {
+ const report = await expectCOEPReport(async () => {
+ const iframe = document.createElement("iframe");
+ iframe.src = corp_same_origin_url;
+ document.body.appendChild(iframe);
+ });
+
+ assert_equals(report.body.blockedURL, corp_same_origin_url);
+ assert_equals(report.body.type, "corp");
+ assert_equals(report.body.disposition, "enforce");
+ assert_equals(report.body.destination, "iframe");
+ }, "uuid-in-package iframe with Cross-Origin-Resource-Policy: same-origin should be blocked and generate a report.");
+
+ promise_test(async () => {
+ const iframe = document.createElement("iframe");
+ iframe.src = corp_cross_origin_url;
+ await addElementAndWaitForLoad(iframe);
+ assert_equals(
+ await evalInIframe(iframe, "location.href"),
+ corp_cross_origin_url
+ );
+ }, "uuid-in-package iframe with Cross-Origin-Resource-Policy: cross-origin should not be blocked.");
+ </script>
+</body> |
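Review bot: `expectCOEPReport` creates its `ReportingObserver` with no options and resolves on the first batch delivered, so the `assert_equals(reports.length, 1)` check also counts any unrelated report (a deprecation or intervention report, for instance) that lands in the same batch, and the resulting failure says nothing about COEP. Restricting the observer to the report type under test keeps the assertion about enforcement itself: pass `{ types: ["coep"] }` as the second argument to `new ReportingObserver(...)`. If no report is ever queued the promise never settles, so a regression where the resource is blocked without a report shows up only as a harness timeout; a short comment above the helper saying so would save the next reader some time. The page's own Cross-Origin-Embedder-Policy header is not set anywhere in this file (the diffstat is limited to it) and presumably comes from a sibling `.headers` file; a line in the existing HTML comment naming that source would make the `disposition: "enforce"` expectations easier to audit.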