diff options
Diffstat (limited to 'testing/web-platform/tests/web-bundle/subresource-loading/credentials.https.tentative.sub.html')
| -rw-r--r-- | testing/web-platform/tests/web-bundle/subresource-loading/credentials.https.tentative.sub.html | 173 |
1 files changed, 173 insertions, 0 deletions
diff --git a/testing/web-platform/tests/web-bundle/subresource-loading/credentials.https.tentative.sub.html b/testing/web-platform/tests/web-bundle/subresource-loading/credentials.https.tentative.sub.html new file mode 100644 index 0000000000..37efc37e6d --- /dev/null +++ b/testing/web-platform/tests/web-bundle/subresource-loading/credentials.https.tentative.sub.html @@ -0,0 +1,173 @@ +<!DOCTYPE html> +<title>Credentials in WebBundle subresource loading</title> +<link + rel="help" + href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md#requests-mode-and-credentials-mode" +/> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="../resources/test-helpers.js"></script> +<body> + <script> + // In this wpt, we test a request's credential mode, which controls + // whether UA sends a credential or not to fetch a bundle. + + // If UA sends a credential, check-cookie-and-return-{cross-oriigin}-bundle.py + // returns a valid format webbundle. Then, a subresource fetch should be successful. + // Otherwise, a subresource fetch should be rejected. + + setup(() => { + assert_true(HTMLScriptElement.supports("webbundle")); + }); + + document.cookie = "milk=1; path=/"; + + // Make sure to set a cookie for a cross-origin domain from where a cross + // origin bundle is served. + const setCookiePromise = fetch( + "https://{{domains[www1]}}:{{ports[https][0]}}/cookies/resources/set-cookie.py?name=milk&path=/web-bundle/resources/", + { + mode: "no-cors", + credentials: "include", + } + ); + + const same_origin_bundle = "../resources/check-cookie-and-return-bundle.py"; + const cross_origin_bundle = + "https://{{domains[www1]}}:{{ports[https][0]}}/web-bundle/resources/check-cookie-and-return-bundle.py?bundle=cross-origin"; + + const same_origin_bundle_subresource = "../resources/wbn/root.js"; + const cross_origin_bundle_subresource = + "https://{{domains[www1]}}:{{ports[https][0]}}/web-bundle/resources/wbn/simple-cross-origin.txt"; + + async function assertSubresourceCanBeFetched() { + const response = await fetch(same_origin_bundle_subresource); + const text = await response.text(); + assert_equals(text, "export * from './submodule.js';\n"); + } + + async function assertCrossOriginSubresourceCanBeFetched() { + const response = await fetch(cross_origin_bundle_subresource); + const text = await response.text(); + assert_equals(text, "hello from simple-cross-origin.txt"); + } + + function createScriptWebBundle(credentials) { + const options = {}; + if (credentials) { + options.credentials = credentials; + } + return createWebBundleElement( + same_origin_bundle, + [same_origin_bundle_subresource], + options + ); + } + + function createScriptWebBundleCrossOrigin(credentials) { + const options = {}; + if (credentials) { + options.credentials = credentials; + } + return createWebBundleElement( + cross_origin_bundle, + [cross_origin_bundle_subresource], + options + ); + } + + promise_test(async (t) => { + const script = createScriptWebBundle(); + document.body.append(script); + t.add_cleanup(() => script.remove()); + + await assertSubresourceCanBeFetched(); + }, "The default should send a credential to a same origin bundle"); + + promise_test(async (t) => { + const script = createScriptWebBundle("invalid"); + document.body.append(script); + t.add_cleanup(() => script.remove()); + + await assertSubresourceCanBeFetched(); + }, "An invalid value should send a credential to a same origin bundle"); + + promise_test(async (t) => { + const script = createScriptWebBundle("omit"); + document.body.append(script); + t.add_cleanup(() => script.remove()); + + return promise_rejects_js( + t, + TypeError, + fetch(same_origin_bundle_subresource) + ); + }, "'omit' should not send a credential to a same origin bundle"); + + promise_test(async (t) => { + const script = createScriptWebBundle("same-origin"); + document.body.append(script); + t.add_cleanup(() => script.remove()); + + await assertSubresourceCanBeFetched(); + }, "'same-origin' should send a credential to a same origin bundle"); + + promise_test(async (t) => { + const script = createScriptWebBundle("include"); + document.body.append(script); + t.add_cleanup(() => script.remove()); + + await assertSubresourceCanBeFetched(); + }, "'include' should send a credential to a same origin bundle"); + + promise_test(async (t) => { + await setCookiePromise; + + const script = createScriptWebBundleCrossOrigin("omit"); + document.body.append(script); + t.add_cleanup(() => script.remove()); + + return promise_rejects_js( + t, + TypeError, + fetch(cross_origin_bundle_subresource) + ); + }, "'omit' should not send a credential to a cross origin bundle"); + + promise_test(async (t) => { + await setCookiePromise; + + const script = createScriptWebBundleCrossOrigin("same-origin"); + document.body.append(script); + t.add_cleanup(() => script.remove()); + + return promise_rejects_js( + t, + TypeError, + fetch(cross_origin_bundle_subresource) + ); + }, "'same-origin' should not send a credential to a cross origin bundle"); + + promise_test(async (t) => { + await setCookiePromise; + + const script = createScriptWebBundleCrossOrigin("include"); + document.body.append(script); + t.add_cleanup(() => script.remove()); + + await assertCrossOriginSubresourceCanBeFetched(); + }, "'include' should send a credential to a cross origin bundle"); + + promise_test(async (t) => { + const script = createScriptWebBundleCrossOrigin("invalid"); + document.body.append(script); + t.add_cleanup(() => script.remove()); + + return promise_rejects_js( + t, + TypeError, + fetch(cross_origin_bundle_subresource) + ); + }, "An invalid value should not send a credential to a cross origin bundle"); + </script> +</body> |