1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
|
<!DOCTYPE html>
<title>CORP for WebBundle subresource loading</title>
<link
rel="help"
href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md#cors-and-corp-for-subresource-requests"
/>
<link
rel="help"
href="https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header"
/>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="../resources/test-helpers.js"></script>
<body>
<!--
This wpt should run on an origin different from https://www1.web-platform.test:8444/,
from where cross-orign WebBundles are served.
This test uses a cross-origin WebBundle,
https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp.wbn,
which is served with an Access-Control-Allow-Origin response header.
`corp.wbn` includes three subresources:
a. `no-corp.js`, which doesn't include a Cross-Origin-Resource-Policy response header.
b. `corp-same-origin.js`, which includes a Cross-Origin-Resource-Policy: same-origin response header.
c. `corp-cross-origin.js`, which includes a Cross-Origin-Resource-Policy: cross-origin response header.
-->
<script type="webbundle">
{
"source": "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp.wbn",
"resources": [
"https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/no-corp.js",
"https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-same-origin.js",
"https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-cross-origin.js",
"uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93",
"uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34",
"uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7"
]
}
</script>
<script>
setup(() => {
assert_true(HTMLScriptElement.supports("webbundle"));
});
promise_test(async () => {
const prefix =
"https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/";
await addScriptAndWaitForExecution(prefix + "no-corp.js");
await addScriptAndWaitForError(prefix + "corp-same-origin.js");
await addScriptAndWaitForExecution(prefix + "corp-cross-origin.js");
}, "Subresource loading from WebBundles should respect Cross-Origin-Resource-Policy header.");
promise_test(async () => {
const no_corp_url = "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93";
const corp_same_origin_url =
"uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34";
const corp_cross_origin_url =
"uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7";
await iframeLocationTest(no_corp_url);
await iframeLocationTest(corp_same_origin_url);
await iframeLocationTest(corp_cross_origin_url);
}, "uuid-in-package iframes should not be blocked regardless of the Cross-Origin-Resource-Policy header, if Cross-Origin-Embedder-Policy is not set.");
async function iframeLocationTest(url) {
const iframe = document.createElement("iframe");
iframe.src = url;
await addElementAndWaitForLoad(iframe);
assert_equals(await evalInIframe(iframe, "location.href"), url);
}
</script>
</body>
|
