| Index: third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/thorough/redirect-password.js
|
| diff --git a/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/thorough/redirect-password.js b/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/thorough/redirect-password.js
|
| index 6fbe5cc65077910fffa9c9e9a55ae88c8e1a7284..1bc0677f1fdaaa50301a5a3e15925df2c82d247a 100644
|
| --- a/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/thorough/redirect-password.js
|
| +++ b/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/thorough/redirect-password.js
|
| @@ -4,8 +4,9 @@ if (self.importScripts) {
|
| }
|
|
|
| var TEST_TARGETS = [
|
| - // Redirects to URLs with username/password.
|
| - // Spec: https://fetch.spec.whatwg.org/#concept-http-fetch
|
| + // Redirects to URLs with username/password; these requests are blocked.
|
| + //
|
| + // Spec: https://github.com/whatwg/fetch/pull/465
|
| // Step 5, redirect status, Step 10.1 and 10.2:
|
| // "If |request|'s mode is "cors", |request|'s origin is not same origin with
|
| // |locationURL|'s origin, and |locationURL| includes credentials, return a
|
| @@ -16,34 +17,22 @@ var TEST_TARGETS = [
|
| // Origin A -[fetch]-> Origin A -[redirect]-> Origin A
|
| [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_USERNAME) +
|
| '&mode=same-origin&method=GET',
|
| - [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic,
|
| - responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_USERNAME])],
|
| - [methodIsGET]],
|
| + [fetchRejected]],
|
| [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_PASSWORD) +
|
| '&mode=same-origin&method=GET',
|
| - [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic,
|
| - responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_PASSWORD])],
|
| - [methodIsGET]],
|
| + [fetchRejected]],
|
| [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_USERNAME) +
|
| '&mode=cors&method=GET',
|
| - [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic,
|
| - responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_USERNAME])],
|
| - [methodIsGET]],
|
| + [fetchRejected]],
|
| [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_PASSWORD) +
|
| '&mode=cors&method=GET',
|
| - [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic,
|
| - responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_PASSWORD])],
|
| - [methodIsGET]],
|
| + [fetchRejected]],
|
| [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_USERNAME) +
|
| '&mode=no-cors&method=GET',
|
| - [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic,
|
| - responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_USERNAME])],
|
| - [methodIsGET]],
|
| + [fetchRejected]],
|
| [REDIRECT_URL + encodeURIComponent(BASE_URL_WITH_PASSWORD) +
|
| '&mode=no-cors&method=GET',
|
| - [fetchResolved, hasContentLength, hasServerHeader, hasBody, typeBasic,
|
| - responseRedirected, checkURLList.bind(self, [BASE_URL_WITH_PASSWORD])],
|
| - [methodIsGET]],
|
| + [fetchRejected]],
|
|
|
| // Origin A -[fetch]-> Origin A -[redirect]-> Origin B
|
| [REDIRECT_URL +
|
| @@ -57,17 +46,11 @@ var TEST_TARGETS = [
|
| [REDIRECT_URL +
|
| encodeURIComponent(OTHER_BASE_URL_WITH_USERNAME + '&ACAOrigin=*') +
|
| '&mode=no-cors&method=GET',
|
| - [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque,
|
| - responseNotRedirected,
|
| - checkURLList.bind(self, [OTHER_BASE_URL_WITH_USERNAME + '&ACAOrigin=*'])],
|
| - onlyOnServiceWorkerProxiedTest([methodIsGET])],
|
| + [fetchRejected]],
|
| [REDIRECT_URL +
|
| encodeURIComponent(OTHER_BASE_URL_WITH_PASSWORD + '&ACAOrigin=*') +
|
| '&mode=no-cors&method=GET',
|
| - [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque,
|
| - responseNotRedirected,
|
| - checkURLList.bind(self, [OTHER_BASE_URL_WITH_PASSWORD + '&ACAOrigin=*'])],
|
| - onlyOnServiceWorkerProxiedTest([methodIsGET])],
|
| + [fetchRejected]],
|
|
|
| // Origin A -[fetch]-> Origin B -[redirect]-> Origin A
|
| [OTHER_REDIRECT_URL +
|
| @@ -81,17 +64,11 @@ var TEST_TARGETS = [
|
| [OTHER_REDIRECT_URL +
|
| encodeURIComponent(BASE_URL_WITH_USERNAME + 'ACAOrigin=*') +
|
| '&mode=no-cors&method=GET&ACAOrigin=*',
|
| - [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque,
|
| - responseNotRedirected,
|
| - checkURLList.bind(self, [BASE_URL_WITH_USERNAME + 'ACAOrigin=*'])],
|
| - onlyOnServiceWorkerProxiedTest([methodIsGET])],
|
| + [fetchRejected]],
|
| [OTHER_REDIRECT_URL +
|
| encodeURIComponent(BASE_URL_WITH_PASSWORD + 'ACAOrigin=*') +
|
| '&mode=no-cors&method=GET&ACAOrigin=*',
|
| - [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque,
|
| - responseNotRedirected,
|
| - checkURLList.bind(self, [BASE_URL_WITH_PASSWORD + 'ACAOrigin=*'])],
|
| - onlyOnServiceWorkerProxiedTest([methodIsGET])],
|
| + [fetchRejected]],
|
|
|
| // Origin A -[fetch]-> Origin B -[redirect]-> Origin B
|
| [OTHER_REDIRECT_URL +
|
| @@ -105,17 +82,11 @@ var TEST_TARGETS = [
|
| [OTHER_REDIRECT_URL +
|
| encodeURIComponent(OTHER_BASE_URL_WITH_USERNAME + 'ACAOrigin=*') +
|
| '&mode=no-cors&method=GET&ACAOrigin=*',
|
| - [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque,
|
| - responseNotRedirected,
|
| - checkURLList.bind(self, [OTHER_BASE_URL_WITH_USERNAME + 'ACAOrigin=*'])],
|
| - onlyOnServiceWorkerProxiedTest([methodIsGET])],
|
| + [fetchRejected]],
|
| [OTHER_REDIRECT_URL +
|
| encodeURIComponent(OTHER_BASE_URL_WITH_PASSWORD + 'ACAOrigin=*') +
|
| '&mode=no-cors&method=GET&ACAOrigin=*',
|
| - [fetchResolved, noContentLength, noServerHeader, noBody, typeOpaque,
|
| - responseNotRedirected,
|
| - checkURLList.bind(self, [OTHER_BASE_URL_WITH_PASSWORD + 'ACAOrigin=*'])],
|
| - onlyOnServiceWorkerProxiedTest([methodIsGET])],
|
| + [fetchRejected]],
|
| ];
|
|
|
| if (self.importScripts) {
|
|
|
Chromium Code Reviews
Issue 2651943002:
Block subresource requests whose URLs include credentials. (Closed)
