
Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-response-taint.html

Issue 1762893002: Reland of Set the request mode and the credentials mode of FetchEvent in the service worker correct… (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Taint the response from SW Created 4 years, 9 months ago
(Empty)
1 <!DOCTYPE html>
2 <title>Service Worker: Tainting of responses fetched via SW.</title>
3 <script src="../resources/testharness.js"></script>
4 <script src="../resources/testharnessreport.js"></script>
5 <script src="../resources/get-host-info.js?pipe=sub"></script>
6 <script src="resources/test-helpers.js"></script>
7 <body>
8 <script>
9 var host_info = get_host_info();
10 var BASE_ORIGIN = host_info.HTTP_ORIGIN;
11 var OTHER_ORIGIN = host_info.HTTP_REMOTE_ORIGIN;
12 var BASE_URL = BASE_ORIGIN +
13 '/serviceworker/resources/fetch-access-control.php?';
tyoshino (SeeGerritForStatus) 2016/03/07 14:48:22 you could use base_path() if you think the relativ
horo 2016/03/08 03:11:01 Done.
14 var OTHER_BASE_URL = OTHER_ORIGIN +
15 '/serviceworker/resources/fetch-access-control.php?';
16
17 function frame_fetch(frame, url, mode, credentials) {
18 return frame.contentWindow.fetch(
19 new Request(url, {mode: mode, credentials: credentials}));
20 }
21
22 function ng_test(frame, url, mode, credentials) {
23 return frame_fetch(frame, url, mode, credentials).then(
24 function() {
25 throw new Error('fetching url:\"' + url + '\" mode:\"' + mode +
26 '\" credentials:\"' + credentials + '\" should fail.');
27 },
28 function() {});
29 }
30
31 function ok_test(frame, url, mode, credentials, expected_type,
32 expected_username) {
33 return frame_fetch(frame, url, mode, credentials)
34 .then(function(res) {
35 assert_equals(res.type, expected_type);
36 return res.text();
37 })
38 .then(function(text) {
39 if (expected_type == 'opaque') {
40 assert_equals(text, '');
41 } else {
42 return new Promise(function(resolve) {
43 var report = resolve;
44 // text must contain report() call.
45 eval(text);
46 })
47 .then(function(result) {
48 assert_equals(result.username, expected_username);
49 });
50 }
51 })
52 .catch(function(reason) {
53 throw new Error('fetching url:\"' + url + '\" mode:\"' + mode +
54 '\" credentials:\"' + credentials + '\" should ' +
55 'success. - ' + reason.message);
56 });
57 }
58
59 function rewrite_url(origin, url, mode, credentials) {
tyoshino (SeeGerritForStatus) 2016/03/07 14:48:22 naming this "build_rewrite_url" would be slightly
horo 2016/03/08 03:11:01 Done.
60 return origin + '/?url=' + encodeURIComponent(url) + '&mode=' + mode +
61 '&credentials=' + credentials + '&';
62 }
63
64 function for_each_origin_mode_credentials(callback) {
65 [BASE_ORIGIN, OTHER_ORIGIN].forEach(function(origin) {
66 ['same-origin', 'no-cors', 'cors'].forEach(function(mode) {
67 ['omit', 'same-origin', 'include'].forEach(function(credentials) {
68 callback(origin, mode, credentials);
69 });
70 });
71 });
72 }
73
74 promise_test(function(t) {
75 var SCOPE = 'resources/fetch-response-taint-iframe.html';
76 var SCRIPT = 'resources/fetch-rewrite-worker.js';
77 var frame = undefined;
78
79 return login(t, host_info.HTTP_ORIGIN, host_info.HTTP_REMOTE_ORIGIN)
80 .then(function() {
81 return service_worker_unregister_and_register(t, SCRIPT, SCOPE);
82 })
83 .then(function(registration) {
84 return wait_for_state(t, registration.installing, 'activated');
85 })
86 .then(function() { return with_iframe(SCOPE); })
87 .then(function(f) {
88 frame = f;
89 var promises = [
90 ok_test(f, BASE_URL, 'same-origin', 'omit', 'basic', 'undefined'),
91 ok_test(f, BASE_URL, 'same-origin', 'same-origin', 'basic',
92 'username1'),
93 ok_test(f, BASE_URL, 'same-origin', 'include', 'basic',
94 'username1'),
95 ok_test(f, BASE_URL, 'no-cors', 'omit', 'basic', 'undefined'),
96 ok_test(f, BASE_URL, 'no-cors', 'same-origin', 'basic',
97 'username1'),
98 ok_test(f, BASE_URL, 'no-cors', 'include', 'basic', 'username1'),
99 ok_test(f, BASE_URL, 'cors', 'omit', 'basic', 'undefined'),
100 ok_test(f, BASE_URL, 'cors', 'same-origin', 'basic', 'username1'),
101 ok_test(f, BASE_URL, 'cors', 'include', 'basic', 'username1'),
102 ng_test(f, OTHER_BASE_URL, 'same-origin', 'omit'),
103 ng_test(f, OTHER_BASE_URL, 'same-origin', 'same-origin'),
104 ng_test(f, OTHER_BASE_URL, 'same-origin', 'include'),
105 ok_test(f, OTHER_BASE_URL, 'no-cors', 'omit', 'opaque'),
106 ok_test(f, OTHER_BASE_URL, 'no-cors', 'same-origin', 'opaque'),
107 ok_test(f, OTHER_BASE_URL, 'no-cors', 'include', 'opaque'),
108 ng_test(f, OTHER_BASE_URL, 'cors', 'omit'),
109 ng_test(f, OTHER_BASE_URL, 'cors', 'same-origin'),
110 ng_test(f, OTHER_BASE_URL, 'cors', 'include'),
111 ok_test(f, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'omit', 'cors',
112 'undefined'),
113 ok_test(f, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'same-origin',
114 'cors', 'undefined'),
115 ng_test(f, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'include'),
116 ok_test(f,
117 OTHER_BASE_URL + 'ACAOrigin=' + BASE_ORIGIN +
118 '&ACACredentials=true',
119 'cors', 'include', 'cors', 'username2')
120 ];
121
122 for_each_origin_mode_credentials(function(origin, mode, credentials) {
123 var url = rewrite_url(origin, BASE_URL, 'same-origin', 'omit');
124 // Fetch to the other origin with same-origin mode should fail.
125 if (origin == OTHER_ORIGIN && mode == 'same-origin')
126 return promises.push(ng_test(f, url, mode, credentials));
127 // The response type from the SW should be basic
128 promises.push(
129 ok_test(f, url, mode, credentials, 'basic', 'undefined'));
130 });
131
132 for_each_origin_mode_credentials(function(origin, mode, credentials) {
133 var url = rewrite_url(origin, BASE_URL, 'same-origin',
134 'same-origin');
135 // Fetch to the other origin with same-origin mode should fail.
136 if (origin == OTHER_ORIGIN && mode == 'same-origin')
137 return promises.push(ng_test(f, url, mode, credentials));
138 // The response type from the SW should be basic.
139 promises.push(
140 ok_test(f, url, mode, credentials, 'basic', 'username1'));
141 });
142
143 for_each_origin_mode_credentials(function(origin, mode, credentials) {
144 var url = rewrite_url(origin, OTHER_BASE_URL, 'same-origin',
145 'omit');
146 // The response from the SW should be an error.
147 promises.push(ng_test(f, url, mode, credentials));
148 });
149
150 for_each_origin_mode_credentials(function(origin, mode, credentials) {
151 var url = rewrite_url(origin, OTHER_BASE_URL, 'no-cors', 'omit');
152 // SW can respond only to no-cors requests.
153 if (mode != 'no-cors')
154 return promises.push(ng_test(f, url, mode, credentials));
155 // The response type from the SW should be opaque.
156 promises.push(ok_test(f, url, mode, credentials, 'opaque'));
157 });
158
159 for_each_origin_mode_credentials(function(origin, mode, credentials) {
160 var url = rewrite_url(origin, OTHER_BASE_URL + 'ACAOrigin=*',
161 'cors', 'omit');
162 // Fetch to the other origin with same-origin mode should fail.
163 if (origin == OTHER_ORIGIN && mode == 'same-origin')
164 return promises.push(ng_test(f, url, mode, credentials));
165 // The response from the SW should be cors.
166 promises.push(
167 ok_test(f, url, mode, credentials, 'cors', 'undefined'));
168 });
169
170 for_each_origin_mode_credentials(function(origin, mode, credentials) {
171 var url = rewrite_url(
172 origin,
173 OTHER_BASE_URL + 'ACAOrigin=' + BASE_ORIGIN +
174 '&ACACredentials=true',
175 'cors', 'include');
176 // Fetch to the other origin with same-origin mode should fail.
177 if (origin == OTHER_ORIGIN && mode == 'same-origin')
178 return promises.push(ng_test(f, url, mode, credentials));
179 // The response from the SW should be cors.
180 promises.push(
181 ok_test(f, url, mode, credentials, 'cors', 'username2'));
182 });
183 return Promise.all(promises);
184 })
185 .then(function(f) {
186 frame.remove()
187 })
188 .catch(unreached_rejection(t));
189 }, 'Verify the tainting of responses fetched via SW');
190 </script>
191 </body>
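Review bot: In ok_test (new lines 42–46) the promise wrapping `eval(text)` settles only if the fetched body calls `report()`, so an empty or otherwise valid-but-silent body leaves it pending and the case ends as a harness timeout instead of a failure that names the url, mode and credentials. Rejecting when `report()` has not been called by the time `eval` returns would surface that immediately; this assumes the fixture calls `report()` synchronously, which the existing comment suggests but the page does not show. This is also the one place where a `cors` body from OTHER_ORIGIN is executed in the test document, so the comment above `eval` should state that the body comes from the test server's fetch-access-control.php fixture and is trusted for that reason only.

```javascript
          return new Promise(function(resolve, reject) {
              var reported = false;
              var report = function(result) {
                reported = true;
                resolve(result);
              };
              // text must contain report() call.
              eval(text);
              if (!reported)
                reject(new Error('response body did not call report()'));
            })
          // … unchanged: .then() comparing result.username with expected_username …
```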