Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(336)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-response-taint.html

Issue 1762893002: Reland of Set the request mode and the credentials mode of FetchEvent in the service worker correct… (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Taint the response from SW Created 4 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-request-resources.html ('k') | third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-request-resources-iframe.html » ('j') | third_party/WebKit/Source/modules/fetch/FetchManager.cpp » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-response-taint.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-response-taint.html b/third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-response-taint.html
new file mode 100644
index 0000000000000000000000000000000000000000..8aac744dd79752238f732e4680bedf3a673f7a63
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-response-taint.html
@@ -0,0 +1,191 @@
+<!DOCTYPE html>
+<title>Service Worker: Tainting of responses fetched via SW.</title>
+<script src="../resources/testharness.js"></script>
+<script src="../resources/testharnessreport.js"></script>
+<script src="../resources/get-host-info.js?pipe=sub"></script>
+<script src="resources/test-helpers.js"></script>
+<body>
+<script>
+var host_info = get_host_info();
+var BASE_ORIGIN = host_info.HTTP_ORIGIN;
+var OTHER_ORIGIN = host_info.HTTP_REMOTE_ORIGIN;
+var BASE_URL = BASE_ORIGIN +
+ '/serviceworker/resources/fetch-access-control.php?';
tyoshino (SeeGerritForStatus) 2016/03/07 14:48:22 you could use base_path() if you think the relativ
horo 2016/03/08 03:11:01 Done.
+var OTHER_BASE_URL = OTHER_ORIGIN +
+ '/serviceworker/resources/fetch-access-control.php?';
+
+function frame_fetch(frame, url, mode, credentials) {
+ return frame.contentWindow.fetch(
+ new Request(url, {mode: mode, credentials: credentials}));
+}
+
+function ng_test(frame, url, mode, credentials) {
+ return frame_fetch(frame, url, mode, credentials).then(
+ function() {
+ throw new Error('fetching url:\"' + url + '\" mode:\"' + mode +
+ '\" credentials:\"' + credentials + '\" should fail.');
+ },
+ function() {});
+}
+
+function ok_test(frame, url, mode, credentials, expected_type,
+ expected_username) {
+ return frame_fetch(frame, url, mode, credentials)
+ .then(function(res) {
+ assert_equals(res.type, expected_type);
+ return res.text();
+ })
+ .then(function(text) {
+ if (expected_type == 'opaque') {
+ assert_equals(text, '');
+ } else {
+ return new Promise(function(resolve) {
+ var report = resolve;
+ // text must contain report() call.
+ eval(text);
+ })
+ .then(function(result) {
+ assert_equals(result.username, expected_username);
+ });
+ }
+ })
+ .catch(function(reason) {
+ throw new Error('fetching url:\"' + url + '\" mode:\"' + mode +
+ '\" credentials:\"' + credentials + '\" should ' +
+ 'success. - ' + reason.message);
+ });
+}
+
+function rewrite_url(origin, url, mode, credentials) {
tyoshino (SeeGerritForStatus) 2016/03/07 14:48:22 naming this "build_rewrite_url" would be slightly
horo 2016/03/08 03:11:01 Done.
+ return origin + '/?url=' + encodeURIComponent(url) + '&mode=' + mode +
+ '&credentials=' + credentials + '&';
+}
+
+function for_each_origin_mode_credentials(callback) {
+ [BASE_ORIGIN, OTHER_ORIGIN].forEach(function(origin) {
+ ['same-origin', 'no-cors', 'cors'].forEach(function(mode) {
+ ['omit', 'same-origin', 'include'].forEach(function(credentials) {
+ callback(origin, mode, credentials);
+ });
+ });
+ });
+}
+
+promise_test(function(t) {
+ var SCOPE = 'resources/fetch-response-taint-iframe.html';
+ var SCRIPT = 'resources/fetch-rewrite-worker.js';
+ var frame = undefined;
+
+ return login(t, host_info.HTTP_ORIGIN, host_info.HTTP_REMOTE_ORIGIN)
+ .then(function() {
+ return service_worker_unregister_and_register(t, SCRIPT, SCOPE);
+ })
+ .then(function(registration) {
+ return wait_for_state(t, registration.installing, 'activated');
+ })
+ .then(function() { return with_iframe(SCOPE); })
+ .then(function(f) {
+ frame = f;
+ var promises = [
+ ok_test(f, BASE_URL, 'same-origin', 'omit', 'basic', 'undefined'),
+ ok_test(f, BASE_URL, 'same-origin', 'same-origin', 'basic',
+ 'username1'),
+ ok_test(f, BASE_URL, 'same-origin', 'include', 'basic',
+ 'username1'),
+ ok_test(f, BASE_URL, 'no-cors', 'omit', 'basic', 'undefined'),
+ ok_test(f, BASE_URL, 'no-cors', 'same-origin', 'basic',
+ 'username1'),
+ ok_test(f, BASE_URL, 'no-cors', 'include', 'basic', 'username1'),
+ ok_test(f, BASE_URL, 'cors', 'omit', 'basic', 'undefined'),
+ ok_test(f, BASE_URL, 'cors', 'same-origin', 'basic', 'username1'),
+ ok_test(f, BASE_URL, 'cors', 'include', 'basic', 'username1'),
+ ng_test(f, OTHER_BASE_URL, 'same-origin', 'omit'),
+ ng_test(f, OTHER_BASE_URL, 'same-origin', 'same-origin'),
+ ng_test(f, OTHER_BASE_URL, 'same-origin', 'include'),
+ ok_test(f, OTHER_BASE_URL, 'no-cors', 'omit', 'opaque'),
+ ok_test(f, OTHER_BASE_URL, 'no-cors', 'same-origin', 'opaque'),
+ ok_test(f, OTHER_BASE_URL, 'no-cors', 'include', 'opaque'),
+ ng_test(f, OTHER_BASE_URL, 'cors', 'omit'),
+ ng_test(f, OTHER_BASE_URL, 'cors', 'same-origin'),
+ ng_test(f, OTHER_BASE_URL, 'cors', 'include'),
+ ok_test(f, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'omit', 'cors',
+ 'undefined'),
+ ok_test(f, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'same-origin',
+ 'cors', 'undefined'),
+ ng_test(f, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'include'),
+ ok_test(f,
+ OTHER_BASE_URL + 'ACAOrigin=' + BASE_ORIGIN +
+ '&ACACredentials=true',
+ 'cors', 'include', 'cors', 'username2')
+ ];
+
+ for_each_origin_mode_credentials(function(origin, mode, credentials) {
+ var url = rewrite_url(origin, BASE_URL, 'same-origin', 'omit');
+ // Fetch to the other origin with same-origin mode should fail.
+ if (origin == OTHER_ORIGIN && mode == 'same-origin')
+ return promises.push(ng_test(f, url, mode, credentials));
+ // The response type from the SW should be basic
+ promises.push(
+ ok_test(f, url, mode, credentials, 'basic', 'undefined'));
+ });
+
+ for_each_origin_mode_credentials(function(origin, mode, credentials) {
+ var url = rewrite_url(origin, BASE_URL, 'same-origin',
+ 'same-origin');
+ // Fetch to the other origin with same-origin mode should fail.
+ if (origin == OTHER_ORIGIN && mode == 'same-origin')
+ return promises.push(ng_test(f, url, mode, credentials));
+ // The response type from the SW should be basic.
+ promises.push(
+ ok_test(f, url, mode, credentials, 'basic', 'username1'));
+ });
+
+ for_each_origin_mode_credentials(function(origin, mode, credentials) {
+ var url = rewrite_url(origin, OTHER_BASE_URL, 'same-origin',
+ 'omit');
+ // The response from the SW should be an error.
+ promises.push(ng_test(f, url, mode, credentials));
+ });
+
+ for_each_origin_mode_credentials(function(origin, mode, credentials) {
+ var url = rewrite_url(origin, OTHER_BASE_URL, 'no-cors', 'omit');
+ // SW can respond only to no-cors requests.
+ if (mode != 'no-cors')
+ return promises.push(ng_test(f, url, mode, credentials));
+ // The response type from the SW should be opaque.
+ promises.push(ok_test(f, url, mode, credentials, 'opaque'));
+ });
+
+ for_each_origin_mode_credentials(function(origin, mode, credentials) {
+ var url = rewrite_url(origin, OTHER_BASE_URL + 'ACAOrigin=*',
+ 'cors', 'omit');
+ // Fetch to the other origin with same-origin mode should fail.
+ if (origin == OTHER_ORIGIN && mode == 'same-origin')
+ return promises.push(ng_test(f, url, mode, credentials));
+ // The response from the SW should be cors.
+ promises.push(
+ ok_test(f, url, mode, credentials, 'cors', 'undefined'));
+ });
+
+ for_each_origin_mode_credentials(function(origin, mode, credentials) {
+ var url = rewrite_url(
+ origin,
+ OTHER_BASE_URL + 'ACAOrigin=' + BASE_ORIGIN +
+ '&ACACredentials=true',
+ 'cors', 'include');
+ // Fetch to the other origin with same-origin mode should fail.
+ if (origin == OTHER_ORIGIN && mode == 'same-origin')
+ return promises.push(ng_test(f, url, mode, credentials));
+ // The response from the SW should be cors.
+ promises.push(
+ ok_test(f, url, mode, credentials, 'cors', 'username2'));
+ });
+ return Promise.all(promises);
+ })
+ .then(function(f) {
+ frame.remove()
+ })
+ .catch(unreached_rejection(t));
+ }, 'Verify the tainting of responses fetched via SW');
+</script>
+</body>
« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-request-resources.html ('k') | third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-request-resources-iframe.html » ('j') | third_party/WebKit/Source/modules/fetch/FetchManager.cpp » ('J')

Powered by Google App Engine
This is Rietveld 408576698