<!DOCTYPE html>
<title>COEP for WebBundle subresource loading</title>
<link
  rel="help"
  href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
/>
<link
  rel="help"
  href="https://html.spec.whatwg.org/multipage/origin.html#coep"
/>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="../resources/test-helpers.js"></script>

<body>
  <!--
       This wpt should run on an origin different from https://www1.web-platform.test:8444/,
       from where cross-origin WebBundles are served.

       This test uses a cross-origin WebBundle,
       https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp.wbn,
       which is served with an Access-Control-Allow-Origin response header.

       `corp.wbn` includes three subresources:
       a. `no-corp.js`, which doesn't include a Cross-Origin-Resource-Policy response header.
       b. `corp-same-origin.js`, which includes a Cross-Origin-Resource-Policy: same-origin response header.
       c. `corp-cross-origin.js`, which includes a Cross-Origin-Resource-Policy: cross-origin response header.
  -->
  <script type="webbundle">
    {
      "source": "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp.wbn",
      "resources": [
        "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/no-corp.js",
        "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-same-origin.js",
        "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-cross-origin.js",
        "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93",
        "uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34",
        "uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7"
      ]
    }
  </script>
  <script>
    // Fail the whole file up front if <script type="webbundle"> is unsupported;
    // none of the tests below are meaningful without it.
    setup(() => assert_true(HTMLScriptElement.supports("webbundle")));

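    /**
     * Runs `func` and waits for exactly one COEP report to be delivered to a
     * ReportingObserver that is registered before `func` starts.
     *
     * The observer is restricted to "coep" reports: without the `types` filter
     * the first batch of *any* report kind (e.g. a deprecation report raised
     * while `func` runs) would disconnect the observer and make the length/type
     * assertions below fail for an unrelated reason. The observer is also
     * disconnected on every exit path so a failing `func` cannot leave an
     * observer behind that swallows the next test's report.
     *
     * @param {() => Promise<void>} func - action expected to trigger the report
     * @returns {Promise<Object>} the single report, as returned by Report.toJSON()
     */
    async function expectCOEPReport(func) {
      let observer;
      const reportsPromise = new Promise((resolve) => {
        observer = new ReportingObserver(
          (reports) => {
            // One batch is all we want; stop observing immediately.
            observer.disconnect();
            resolve(reports.map((r) => r.toJSON()));
          },
          { types: ["coep"] }
        );
        observer.observe();
      });

      try {
        await func();

        const reports = await reportsPromise;
        assert_equals(reports.length, 1);
        assert_equals(reports[0].type, "coep");
        assert_equals(reports[0].url, location.href);
        return reports[0];
      } finally {
        // No-op if the callback already disconnected; required if func() threw.
        observer.disconnect();
      }
    }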

    // Cross-origin location of the bundle's three script subresources
    // (`no-corp.js`, `corp-same-origin.js`, `corp-cross-origin.js`).
    const prefix =
      "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/";

    // uuid-in-package resources carried by the same bundle. The suffix of each
    // name records the Cross-Origin-Resource-Policy header the resource is
    // served with (none / same-origin / cross-origin), as exercised by the
    // iframe tests below.
    const no_corp_url = "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93";
    const corp_same_origin_url =
      "uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34";
    const corp_cross_origin_url =
      "uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7";

    // A script with no CORP header must be blocked by COEP and reported with
    // the blocked URL, a "corp" reason and the "script" destination.
    promise_test(async () => {
      const scriptUrl = prefix + "no-corp.js";
      const { body } = await expectCOEPReport(() =>
        addScriptAndWaitForError(scriptUrl)
      );
      assert_equals(body.blockedURL, scriptUrl);
      assert_equals(body.type, "corp");
      assert_equals(body.disposition, "enforce");
      assert_equals(body.destination, "script");
    }, "Cross-origin subresource without Cross-Origin-Resource-Policy: header should be blocked and generate a report.");

    // CORP: same-origin on a cross-origin script: the load must error out.
    promise_test(
      () => addScriptAndWaitForError(prefix + "corp-same-origin.js"),
      "Cross-origin subresource with Cross-Origin-Resource-Policy: same-origin should be blocked."
    );

    // CORP: cross-origin opts the script in, so it must load and execute.
    promise_test(
      () => addScriptAndWaitForExecution(prefix + "corp-cross-origin.js"),
      "Cross-origin subresource with Cross-Origin-Resource-Policy: cross-origin should be loaded."
    );

    // An iframe navigated to a uuid-in-package resource with no CORP header
    // must be blocked and reported with the "iframe" destination.
    promise_test(async () => {
      const { body } = await expectCOEPReport(async () => {
        const frame = Object.assign(document.createElement("iframe"), {
          src: no_corp_url,
        });
        document.body.appendChild(frame);
      });

      assert_equals(body.blockedURL, no_corp_url);
      assert_equals(body.type, "corp");
      assert_equals(body.disposition, "enforce");
      assert_equals(body.destination, "iframe");
    }, "uuid-in-package iframe without Cross-Origin-Resource-Policy: header should be blocked and generate a report.");

    // Same as the previous test, but the resource carries CORP: same-origin,
    // which must likewise be blocked for an iframe from this origin.
    promise_test(async () => {
      const { body } = await expectCOEPReport(async () => {
        const frame = Object.assign(document.createElement("iframe"), {
          src: corp_same_origin_url,
        });
        document.body.appendChild(frame);
      });

      assert_equals(body.blockedURL, corp_same_origin_url);
      assert_equals(body.type, "corp");
      assert_equals(body.disposition, "enforce");
      assert_equals(body.destination, "iframe");
    }, "uuid-in-package iframe with Cross-Origin-Resource-Policy: same-origin should be blocked and generate a report.");

    // CORP: cross-origin opts the resource in: the iframe must load, and its
    // document must actually be the uuid-in-package URL that was requested.
    promise_test(async () => {
      const frame = Object.assign(document.createElement("iframe"), {
        src: corp_cross_origin_url,
      });
      await addElementAndWaitForLoad(frame);
      const loadedHref = await evalInIframe(frame, "location.href");
      assert_equals(loadedHref, corp_cross_origin_url);
    }, "uuid-in-package iframe with Cross-Origin-Resource-Policy: cross-origin should not be blocked.");
  </script>
</body>