summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/web-bundle/subresource-loading/credentials.https.tentative.sub.html
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/web-bundle/subresource-loading/credentials.https.tentative.sub.html')
-rw-r--r--testing/web-platform/tests/web-bundle/subresource-loading/credentials.https.tentative.sub.html173
1 files changed, 173 insertions, 0 deletions
diff --git a/testing/web-platform/tests/web-bundle/subresource-loading/credentials.https.tentative.sub.html b/testing/web-platform/tests/web-bundle/subresource-loading/credentials.https.tentative.sub.html
new file mode 100644
index 0000000000..37efc37e6d
--- /dev/null
+++ b/testing/web-platform/tests/web-bundle/subresource-loading/credentials.https.tentative.sub.html
@@ -0,0 +1,173 @@
+<!DOCTYPE html>
+<title>Credentials in WebBundle subresource loading</title>
+<link
+ rel="help"
+ href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md#requests-mode-and-credentials-mode"
+/>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/test-helpers.js"></script>
+<body>
+ <script>
+ // In this wpt, we test a request's credential mode, which controls
+ // whether UA sends a credential or not to fetch a bundle.
+
+ // If UA sends a credential, check-cookie-and-return-{cross-oriigin}-bundle.py
+ // returns a valid format webbundle. Then, a subresource fetch should be successful.
+ // Otherwise, a subresource fetch should be rejected.
+
+ setup(() => {
+ assert_true(HTMLScriptElement.supports("webbundle"));
+ });
+
+ document.cookie = "milk=1; path=/";
+
+ // Make sure to set a cookie for a cross-origin domain from where a cross
+ // origin bundle is served.
+ const setCookiePromise = fetch(
+ "https://{{domains[www1]}}:{{ports[https][0]}}/cookies/resources/set-cookie.py?name=milk&path=/web-bundle/resources/",
+ {
+ mode: "no-cors",
+ credentials: "include",
+ }
+ );
+
+ const same_origin_bundle = "../resources/check-cookie-and-return-bundle.py";
+ const cross_origin_bundle =
+ "https://{{domains[www1]}}:{{ports[https][0]}}/web-bundle/resources/check-cookie-and-return-bundle.py?bundle=cross-origin";
+
+ const same_origin_bundle_subresource = "../resources/wbn/root.js";
+ const cross_origin_bundle_subresource =
+ "https://{{domains[www1]}}:{{ports[https][0]}}/web-bundle/resources/wbn/simple-cross-origin.txt";
+
+ async function assertSubresourceCanBeFetched() {
+ const response = await fetch(same_origin_bundle_subresource);
+ const text = await response.text();
+ assert_equals(text, "export * from './submodule.js';\n");
+ }
+
+ async function assertCrossOriginSubresourceCanBeFetched() {
+ const response = await fetch(cross_origin_bundle_subresource);
+ const text = await response.text();
+ assert_equals(text, "hello from simple-cross-origin.txt");
+ }
+
+ function createScriptWebBundle(credentials) {
+ const options = {};
+ if (credentials) {
+ options.credentials = credentials;
+ }
+ return createWebBundleElement(
+ same_origin_bundle,
+ [same_origin_bundle_subresource],
+ options
+ );
+ }
+
+ function createScriptWebBundleCrossOrigin(credentials) {
+ const options = {};
+ if (credentials) {
+ options.credentials = credentials;
+ }
+ return createWebBundleElement(
+ cross_origin_bundle,
+ [cross_origin_bundle_subresource],
+ options
+ );
+ }
+
+ promise_test(async (t) => {
+ const script = createScriptWebBundle();
+ document.body.append(script);
+ t.add_cleanup(() => script.remove());
+
+ await assertSubresourceCanBeFetched();
+ }, "The default should send a credential to a same origin bundle");
+
+ promise_test(async (t) => {
+ const script = createScriptWebBundle("invalid");
+ document.body.append(script);
+ t.add_cleanup(() => script.remove());
+
+ await assertSubresourceCanBeFetched();
+ }, "An invalid value should send a credential to a same origin bundle");
+
+ promise_test(async (t) => {
+ const script = createScriptWebBundle("omit");
+ document.body.append(script);
+ t.add_cleanup(() => script.remove());
+
+ return promise_rejects_js(
+ t,
+ TypeError,
+ fetch(same_origin_bundle_subresource)
+ );
+ }, "'omit' should not send a credential to a same origin bundle");
+
+ promise_test(async (t) => {
+ const script = createScriptWebBundle("same-origin");
+ document.body.append(script);
+ t.add_cleanup(() => script.remove());
+
+ await assertSubresourceCanBeFetched();
+ }, "'same-origin' should send a credential to a same origin bundle");
+
+ promise_test(async (t) => {
+ const script = createScriptWebBundle("include");
+ document.body.append(script);
+ t.add_cleanup(() => script.remove());
+
+ await assertSubresourceCanBeFetched();
+ }, "'include' should send a credential to a same origin bundle");
+
+ promise_test(async (t) => {
+ await setCookiePromise;
+
+ const script = createScriptWebBundleCrossOrigin("omit");
+ document.body.append(script);
+ t.add_cleanup(() => script.remove());
+
+ return promise_rejects_js(
+ t,
+ TypeError,
+ fetch(cross_origin_bundle_subresource)
+ );
+ }, "'omit' should not send a credential to a cross origin bundle");
+
+ promise_test(async (t) => {
+ await setCookiePromise;
+
+ const script = createScriptWebBundleCrossOrigin("same-origin");
+ document.body.append(script);
+ t.add_cleanup(() => script.remove());
+
+ return promise_rejects_js(
+ t,
+ TypeError,
+ fetch(cross_origin_bundle_subresource)
+ );
+ }, "'same-origin' should not send a credential to a cross origin bundle");
+
+ promise_test(async (t) => {
+ await setCookiePromise;
+
+ const script = createScriptWebBundleCrossOrigin("include");
+ document.body.append(script);
+ t.add_cleanup(() => script.remove());
+
+ await assertCrossOriginSubresourceCanBeFetched();
+ }, "'include' should send a credential to a cross origin bundle");
+
+ promise_test(async (t) => {
+ const script = createScriptWebBundleCrossOrigin("invalid");
+ document.body.append(script);
+ t.add_cleanup(() => script.remove());
+
+ return promise_rejects_js(
+ t,
+ TypeError,
+ fetch(cross_origin_bundle_subresource)
+ );
+ }, "An invalid value should not send a credential to a cross origin bundle");
+ </script>
+</body>