Unified Diff: third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/thorough/redirect-password.js

Issue 2651943002: Block subresource requests whose URLs include credentials. (Closed)
Patch Set: Test. Created 3 years, 9 months ago
Index: third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/thorough/redirect-password.js
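diff --git a/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/thorough/redirect-password.js b/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/thorough/redirect-password.js
index 6fbe5cc65077910fffa9c9e9a55ae88c8e1a7284..1bc0677f1fdaaa50301a5a3e15925df2c82d247a 100644
--- a/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/thorough/redirect-password.js
+++ b/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/thorough/redirect-password.js
@@ -4,8 +4,9 @@ if (self.importScripts) {
 }
 var TEST_TARGETS = [
- // Redirects to URLs with username/password.
- // Spec: https://fetch.spec.whatwg.org/#concept-http-fetch
+ // Redirects to URLs with username/password; these requests are blocked.
+ //
+ // Spec: https://github.com/whatwg/fetch/pull/465
 // Step 5, redirect status, Step 10.1 and 10.2:
 // "If |request|'s mode is "cors", |request|'s origin is not same origin with
 // |locationURL|'s origin, and |locationURL| includes credentials, return a
@@ -16,34 +17,22 @@ var TEST_TARGETS = [
 // Origin A -[fetch]-> Origin A -[redirect]-> Origin A
 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_USERNAME) +
 '&mode=same-origin&method=GET',
- [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic,
- responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_USERNAME])],
- [methodIsGET]],
+ [fetchRejected]],
 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_PASSWORD) +
 '&mode=same-origin&method=GET',
- [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic,
- responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_PASSWORD])],
- [methodIsGET]],
+ [fetchRejected]],
 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_USERNAME) +
 '&mode=cors&method=GET',
- [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic,
- responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_USERNAME])],
- [methodIsGET]],
+ [fetchRejected]],
 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_PASSWORD) +
 '&mode=cors&method=GET',
- [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic,
- responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_PASSWORD])],
- [methodIsGET]],
+ [fetchRejected]],
 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_USERNAME) +
 '&mode=no-cors&method=GET',
- [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic,
- responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_USERNAME])],
- [methodIsGET]],
+ [fetchRejected]],
 [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_PASSWORD) +
 '&mode=no-cors&method=GET',
- [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic,
- responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_PASSWORD])],
- [methodIsGET]],
+ [fetchRejected]],
 // Origin A -[fetch]-> Origin A -[redirect]-> Origin B
 [REDIRECT_URL +
@@ -57,17 +46,11 @@ var TEST_TARGETS = [
 [REDIRECT_URL +
 encodeURIComponent(OTHER_BASE_URL_WITH_USERNAME + '&ACAOrigin=*') +
 '&mode=no-cors&method=GET',
- [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque,
- responseNotRedirected,
- checkURLList.bind(self, [OTHER_BASE_URL_WITH_USERNAME + '&ACAOrigin=*'])],
- onlyOnServiceWorkerProxiedTest([methodIsGET])],
+ [fetchRejected]],
 [REDIRECT_URL +
 encodeURIComponent(OTHER_BASE_URL_WITH_PASSWORD + '&ACAOrigin=*') +
 '&mode=no-cors&method=GET',
- [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque,
- responseNotRedirected,
- checkURLList.bind(self, [OTHER_BASE_URL_WITH_PASSWORD + '&ACAOrigin=*'])],
- onlyOnServiceWorkerProxiedTest([methodIsGET])],
+ [fetchRejected]],
 // Origin A -[fetch]-> Origin B -[redirect]-> Origin A
 [OTHER_REDIRECT_URL +
@@ -81,17 +64,11 @@ var TEST_TARGETS = [
 [OTHER_REDIRECT_URL +
 encodeURIComponent(BASE_URL_WITH_USERNAME + 'ACAOrigin=*') +
 '&mode=no-cors&method=GET&ACAOrigin=*',
- [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque,
- responseNotRedirected,
- checkURLList.bind(self, [BASE_URL_WITH_USERNAME + 'ACAOrigin=*'])],
- onlyOnServiceWorkerProxiedTest([methodIsGET])],
+ [fetchRejected]],
 [OTHER_REDIRECT_URL +
 encodeURIComponent(BASE_URL_WITH_PASSWORD + 'ACAOrigin=*') +
 '&mode=no-cors&method=GET&ACAOrigin=*',
- [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque,
- responseNotRedirected,
- checkURLList.bind(self, [BASE_URL_WITH_PASSWORD + 'ACAOrigin=*'])],
- onlyOnServiceWorkerProxiedTest([methodIsGET])],
+ [fetchRejected]],
 // Origin A -[fetch]-> Origin B -[redirect]-> Origin B
 [OTHER_REDIRECT_URL +
@@ -105,17 +82,11 @@ var TEST_TARGETS = [
 [OTHER_REDIRECT_URL +
 encodeURIComponent(OTHER_BASE_URL_WITH_USERNAME + 'ACAOrigin=*') +
 '&mode=no-cors&method=GET&ACAOrigin=*',
- [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque,
- responseNotRedirected,
- checkURLList.bind(self, [OTHER_BASE_URL_WITH_USERNAME + 'ACAOrigin=*'])],
- onlyOnServiceWorkerProxiedTest([methodIsGET])],
+ [fetchRejected]],
 [OTHER_REDIRECT_URL +
 encodeURIComponent(OTHER_BASE_URL_WITH_PASSWORD + 'ACAOrigin=*') +
 '&mode=no-cors&method=GET&ACAOrigin=*',
- [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque,
- responseNotRedirected,
- checkURLList.bind(self, [OTHER_BASE_URL_WITH_PASSWORD + 'ACAOrigin=*'])],
- onlyOnServiceWorkerProxiedTest([methodIsGET])],
+ [fetchRejected]],
 ];
 if (self.importScripts) {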
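Review bot: The unchanged spec quote kept directly under the new comment in the first hunk ("If |request|'s mode is "cors", |request|'s origin is not same origin with |locationURL|'s origin, and |locationURL| includes credentials, return a …") describes only cross-origin cors redirects, yet the entries in the second hunk now expect `fetchRejected` for same-origin and no-cors redirects back to the same origin as well, so the comment no longer explains what the test asserts. Either replace the quoted step with the wording from the linked pull request or add a line such as `// Every mode below is expected to reject: a subresource request whose URL includes credentials is blocked regardless of mode.` Separately, `[fetchRejected]` on its own does not check why the fetch was rejected, so a redirect that fails for an unrelated reason (for example a misconfigured redirect endpoint) would still pass every entry; if the harness has a checker for the rejection's error type, adding it alongside `fetchRejected` would make these entries meaningful. The same applies to the replacements in the remaining hunks of this file.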
