| OLD | NEW |
|---|
| 1 if (self.importScripts) { | 1 if (self.importScripts) { |
| 2 importScripts('/fetch/resources/fetch-test-helpers.js'); | 2 importScripts('/fetch/resources/fetch-test-helpers.js'); |
| 3 importScripts('/fetch/resources/thorough-util.js'); | 3 importScripts('/fetch/resources/thorough-util.js'); |
| 4 } | 4 } |
| 5 | 5 |
| 6 var TEST_TARGETS = [ | 6 var TEST_TARGETS = [ |
| 7 // Redirects to URLs with username/password. | 7 // Redirects to URLs with username/password; these requests are blocked. |
| 8 // Spec: https://fetch.spec.whatwg.org/#concept-http-fetch | 8 // |
| 9 // Spec: https://github.com/whatwg/fetch/pull/465 |
| 9 // Step 5, redirect status, Step 10.1 and 10.2: | 10 // Step 5, redirect status, Step 10.1 and 10.2: |
| 10 // "If |request|'s mode is "cors", |request|'s origin is not same origin with | 11 // "If |request|'s mode is "cors", |request|'s origin is not same origin with |
| 11 // |locationURL|'s origin, and |locationURL| includes credentials, return a | 12 // |locationURL|'s origin, and |locationURL| includes credentials, return a |
| 12 // network error." | 13 // network error." |
| 13 // "If the CORS flag is set and |locationURL| includes credentials, return | 14 // "If the CORS flag is set and |locationURL| includes credentials, return |
| 14 // a network error." | 15 // a network error." |
| 15 | 16 |
| 16 // Origin A -[fetch]-> Origin A -[redirect]-> Origin A | 17 // Origin A -[fetch]-> Origin A -[redirect]-> Origin A |
| 17 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_USERNAME) + | 18 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_USERNAME) + |
| 18 '&mode=same-origin&method=GET', | 19 '&mode=same-origin&method=GET', |
| 19 [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic, | 20 [fetchRejected]], |
| 20 responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_USERNAME])], | |
| 21 [methodIsGET]], | |
| 22 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_PASSWORD) + | 21 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_PASSWORD) + |
| 23 '&mode=same-origin&method=GET', | 22 '&mode=same-origin&method=GET', |
| 24 [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic, | 23 [fetchRejected]], |
| 25 responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_PASSWORD])], | |
| 26 [methodIsGET]], | |
| 27 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_USERNAME) + | 24 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_USERNAME) + |
| 28 '&mode=cors&method=GET', | 25 '&mode=cors&method=GET', |
| 29 [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic, | 26 [fetchRejected]], |
| 30 responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_USERNAME])], | |
| 31 [methodIsGET]], | |
| 32 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_PASSWORD) + | 27 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_PASSWORD) + |
| 33 '&mode=cors&method=GET', | 28 '&mode=cors&method=GET', |
| 34 [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic, | 29 [fetchRejected]], |
| 35 responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_PASSWORD])], | |
| 36 [methodIsGET]], | |
| 37 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_USERNAME) + | 30 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_USERNAME) + |
| 38 '&mode=no-cors&method=GET', | 31 '&mode=no-cors&method=GET', |
| 39 [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic, | 32 [fetchRejected]], |
| 40 responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_USERNAME])], | |
| 41 [methodIsGET]], | |
| 42 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_PASSWORD) + | 33 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_PASSWORD) + |
| 43 '&mode=no-cors&method=GET', | 34 '&mode=no-cors&method=GET', |
| 44 [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic, | 35 [fetchRejected]], |
| 45 responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_PASSWORD])], | |
| 46 [methodIsGET]], | |
| 47 | 36 |
| 48 // Origin A -[fetch]-> Origin A -[redirect]-> Origin B | 37 // Origin A -[fetch]-> Origin A -[redirect]-> Origin B |
| 49 [REDIRECT_URL + | 38 [REDIRECT_URL + |
| 50 encodeURIComponent(OTHER_BASE_URL_WITH_USERNAME + '&ACAOrigin=*') + | 39 encodeURIComponent(OTHER_BASE_URL_WITH_USERNAME + '&ACAOrigin=*') + |
| 51 '&mode=cors&method=GET', | 40 '&mode=cors&method=GET', |
| 52 [fetchRejected]], | 41 [fetchRejected]], |
| 53 [REDIRECT_URL + | 42 [REDIRECT_URL + |
| 54 encodeURIComponent(OTHER_BASE_URL_WITH_PASSWORD + '&ACAOrigin=*') + | 43 encodeURIComponent(OTHER_BASE_URL_WITH_PASSWORD + '&ACAOrigin=*') + |
| 55 '&mode=cors&method=GET', | 44 '&mode=cors&method=GET', |
| 56 [fetchRejected]], | 45 [fetchRejected]], |
| 57 [REDIRECT_URL + | 46 [REDIRECT_URL + |
| 58 encodeURIComponent(OTHER_BASE_URL_WITH_USERNAME + '&ACAOrigin=*') + | 47 encodeURIComponent(OTHER_BASE_URL_WITH_USERNAME + '&ACAOrigin=*') + |
| 59 '&mode=no-cors&method=GET', | 48 '&mode=no-cors&method=GET', |
| 60 [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque, | 49 [fetchRejected]], |
| 61 responseNotRedirected, | |
| 62 checkURLList.bind(self, [OTHER_BASE_URL_WITH_USERNAME + '&ACAOrigin=*'])], | |
| 63 onlyOnServiceWorkerProxiedTest([methodIsGET])], | |
| 64 [REDIRECT_URL + | 50 [REDIRECT_URL + |
| 65 encodeURIComponent(OTHER_BASE_URL_WITH_PASSWORD + '&ACAOrigin=*') + | 51 encodeURIComponent(OTHER_BASE_URL_WITH_PASSWORD + '&ACAOrigin=*') + |
| 66 '&mode=no-cors&method=GET', | 52 '&mode=no-cors&method=GET', |
| 67 [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque, | 53 [fetchRejected]], |
| 68 responseNotRedirected, | |
| 69 checkURLList.bind(self, [OTHER_BASE_URL_WITH_PASSWORD + '&ACAOrigin=*'])], | |
| 70 onlyOnServiceWorkerProxiedTest([methodIsGET])], | |
| 71 | 54 |
| 72 // Origin A -[fetch]-> Origin B -[redirect]-> Origin A | 55 // Origin A -[fetch]-> Origin B -[redirect]-> Origin A |
| 73 [OTHER_REDIRECT_URL + | 56 [OTHER_REDIRECT_URL + |
| 74 encodeURIComponent(BASE_URL_WITH_USERNAME + 'ACAOrigin=*') + | 57 encodeURIComponent(BASE_URL_WITH_USERNAME + 'ACAOrigin=*') + |
| 75 '&mode=cors&method=GET&ACAOrigin=*', | 58 '&mode=cors&method=GET&ACAOrigin=*', |
| 76 [fetchRejected]], | 59 [fetchRejected]], |
| 77 [OTHER_REDIRECT_URL + | 60 [OTHER_REDIRECT_URL + |
| 78 encodeURIComponent(BASE_URL_WITH_PASSWORD + 'ACAOrigin=*') + | 61 encodeURIComponent(BASE_URL_WITH_PASSWORD + 'ACAOrigin=*') + |
| 79 '&mode=cors&method=GET&ACAOrigin=*', | 62 '&mode=cors&method=GET&ACAOrigin=*', |
| 80 [fetchRejected]], | 63 [fetchRejected]], |
| 81 [OTHER_REDIRECT_URL + | 64 [OTHER_REDIRECT_URL + |
| 82 encodeURIComponent(BASE_URL_WITH_USERNAME + 'ACAOrigin=*') + | 65 encodeURIComponent(BASE_URL_WITH_USERNAME + 'ACAOrigin=*') + |
| 83 '&mode=no-cors&method=GET&ACAOrigin=*', | 66 '&mode=no-cors&method=GET&ACAOrigin=*', |
| 84 [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque, | 67 [fetchRejected]], |
| 85 responseNotRedirected, | |
| 86 checkURLList.bind(self, [BASE_URL_WITH_USERNAME + 'ACAOrigin=*'])], | |
| 87 onlyOnServiceWorkerProxiedTest([methodIsGET])], | |
| 88 [OTHER_REDIRECT_URL + | 68 [OTHER_REDIRECT_URL + |
| 89 encodeURIComponent(BASE_URL_WITH_PASSWORD + 'ACAOrigin=*') + | 69 encodeURIComponent(BASE_URL_WITH_PASSWORD + 'ACAOrigin=*') + |
| 90 '&mode=no-cors&method=GET&ACAOrigin=*', | 70 '&mode=no-cors&method=GET&ACAOrigin=*', |
| 91 [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque, | 71 [fetchRejected]], |
| 92 responseNotRedirected, | |
| 93 checkURLList.bind(self, [BASE_URL_WITH_PASSWORD + 'ACAOrigin=*'])], | |
| 94 onlyOnServiceWorkerProxiedTest([methodIsGET])], | |
| 95 | 72 |
| 96 // Origin A -[fetch]-> Origin B -[redirect]-> Origin B | 73 // Origin A -[fetch]-> Origin B -[redirect]-> Origin B |
| 97 [OTHER_REDIRECT_URL + | 74 [OTHER_REDIRECT_URL + |
| 98 encodeURIComponent(OTHER_BASE_URL_WITH_USERNAME + 'ACAOrigin=*') + | 75 encodeURIComponent(OTHER_BASE_URL_WITH_USERNAME + 'ACAOrigin=*') + |
| 99 '&mode=cors&method=GET&ACAOrigin=*', | 76 '&mode=cors&method=GET&ACAOrigin=*', |
| 100 [fetchRejected]], | 77 [fetchRejected]], |
| 101 [OTHER_REDIRECT_URL + | 78 [OTHER_REDIRECT_URL + |
| 102 encodeURIComponent(OTHER_BASE_URL_WITH_PASSWORD + 'ACAOrigin=*') + | 79 encodeURIComponent(OTHER_BASE_URL_WITH_PASSWORD + 'ACAOrigin=*') + |
| 103 '&mode=cors&method=GET&ACAOrigin=*', | 80 '&mode=cors&method=GET&ACAOrigin=*', |
| 104 [fetchRejected]], | 81 [fetchRejected]], |
| 105 [OTHER_REDIRECT_URL + | 82 [OTHER_REDIRECT_URL + |
| 106 encodeURIComponent(OTHER_BASE_URL_WITH_USERNAME + 'ACAOrigin=*') + | 83 encodeURIComponent(OTHER_BASE_URL_WITH_USERNAME + 'ACAOrigin=*') + |
| 107 '&mode=no-cors&method=GET&ACAOrigin=*', | 84 '&mode=no-cors&method=GET&ACAOrigin=*', |
| 108 [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque, | 85 [fetchRejected]], |
| 109 responseNotRedirected, | |
| 110 checkURLList.bind(self, [OTHER_BASE_URL_WITH_USERNAME + 'ACAOrigin=*'])], | |
| 111 onlyOnServiceWorkerProxiedTest([methodIsGET])], | |
| 112 [OTHER_REDIRECT_URL + | 86 [OTHER_REDIRECT_URL + |
| 113 encodeURIComponent(OTHER_BASE_URL_WITH_PASSWORD + 'ACAOrigin=*') + | 87 encodeURIComponent(OTHER_BASE_URL_WITH_PASSWORD + 'ACAOrigin=*') + |
| 114 '&mode=no-cors&method=GET&ACAOrigin=*', | 88 '&mode=no-cors&method=GET&ACAOrigin=*', |
| 115 [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque, | 89 [fetchRejected]], |
| 116 responseNotRedirected, | |
| 117 checkURLList.bind(self, [OTHER_BASE_URL_WITH_PASSWORD + 'ACAOrigin=*'])], | |
| 118 onlyOnServiceWorkerProxiedTest([methodIsGET])], | |
| 119 ]; | 90 ]; |
| 120 | 91 |
| 121 if (self.importScripts) { | 92 if (self.importScripts) { |
| 122 executeTests(TEST_TARGETS); | 93 executeTests(TEST_TARGETS); |
| 123 done(); | 94 done(); |
| 124 } | 95 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2651943002:
Block subresource requests whose URLs include credentials. (Closed)
