Upstream service worker `fetch` test to WPT

third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/fetch-response-taint.https.html

 <!DOCTYPE html>
 <title>Service Worker: Tainting of responses fetched via SW.</title>
-<script src="../resources/testharness.js"></script>
-<script src="../resources/testharnessreport.js"></script>
-<script src="../resources/get-host-info.js?pipe=sub"></script>
-<script src="resources/test-helpers.js"></script>
+<!-- This test makes a large number of requests sequentially. -->
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/test-helpers.sub.js"></script>
 <body>
 <script>
 var host_info = get_host_info();
-var BASE_ORIGIN = host_info.HTTP_ORIGIN;
-var OTHER_ORIGIN = host_info.HTTP_REMOTE_ORIGIN;
+var BASE_ORIGIN = host_info.HTTPS_ORIGIN;
+var OTHER_ORIGIN = host_info.HTTPS_REMOTE_ORIGIN;
 var BASE_URL = BASE_ORIGIN + base_path() +
-               'resources/fetch-access-control.php?';
+               'resources/fetch-access-control.py?';
 var OTHER_BASE_URL = OTHER_ORIGIN + base_path() +
-                     'resources/fetch-access-control.php?';
+                     'resources/fetch-access-control.py?';
 
 function frame_fetch(frame, url, mode, credentials) {
-  return frame.contentWindow.fetch(
-      new Request(url, {mode: mode, credentials: credentials}));
+  var foreignPromise = frame.contentWindow.fetch(
+      new Request(url, {mode: mode, credentials: credentials}))
+
+  // Event loops should be shared between contexts of similar origin, not all
+  // browsers adhere to this expectation at the time of this writing. Incorrect
+  // behavior in this regard can interfere with test execution when the
+  // provided iframe is removed from the document.
+  //
+  // WPT maintains a test dedicated the expected treatment of event loops, so
+  // the following workaround is acceptable in this context.
+  return Promise.resolve(foreignPromise);
 }
 
-function ng_test(frame, url, mode, credentials) {
-  return frame_fetch(frame, url, mode, credentials).then(
-      function() {
-        throw new Error('fetching url:\"' + url + '\" mode:\"' + mode +
-                        '\" credentials:\"' + credentials + '\" should fail.');
-      },
-      function() {});
+var login_and_register;
+promise_test(function(t) {
+    var SCOPE = 'resources/fetch-response-taint-iframe.html';
+    var SCRIPT = 'resources/fetch-rewrite-worker.js';
+    login_and_register = login_https(t, host_info.HTTPS_ORIGIN, host_info.HTTPS_REMOTE_ORIGIN)
+      .then(function() {
+          return service_worker_unregister_and_register(t, SCRIPT, SCOPE);
+        })
+      .then(function(registration) {
+          return wait_for_state(t, registration.installing, 'activated');
+        })
+      .then(function() { return with_iframe(SCOPE); })
+      .then(function(f) {
+          promise_test(function(t) {

[Marijn Kruisselbrink, 2017/05/04 00:08:05]

Could you add a comment explaining:
1) why this is a separate promise test (i.e. because otherwise there is no way
to do asynchronous cleanup jobs)
2) why this nested promise_test ends up being called at the right time (i.e.
something about how all the other promise_test calls in this file are
synchronous, so this will always be queued up after all other tests have already
been queued)

[mike3, 2017/05/05 16:21:38]

Acknowledged.

+              f.remove();
+              return service_worker_unregister_and_done(t, SCOPE);

[Marijn Kruisselbrink, 2017/05/04 00:08:05]

calling unregister_and_done in a promise test always seems like a bit of an
anti-pattern to me, since the promise resolving itself will already mark the
test as done... So either just call service_worker_unregister(t, SCOPE), or even
simpler since you could just save the registration from line 41, just call
registration.unregister() directly?

[mike3, 2017/05/05 16:21:38]

Acknowledged.

+            }, 'restore global state');
+
+          return f;
+        });
+    return login_and_register;
+  }, 'initialize global state');
+
+function ng_test(url, mode, credentials) {
+  promise_test(function() {
+      return login_and_register.then(function(frame) {
+            return frame_fetch(frame, url, mode, credentials);

[Marijn Kruisselbrink, 2017/05/04 00:08:05]

return promise_rejects(t, null, frame_fetch(...)) is cleaner than the explicit
then and rejection handlers (probably even replace null with whatever error this
is supposed to fail with).

[mike3, 2017/05/05 16:21:37]

I wasn't aware of that helper. Thanks for the tip.

These tests produce a TypeError, but `promise_rejects` has been written to
operate on DOMExceptions, so I think we'll have to settle (literally... Promise
humor, sorry) for `null`.

[Marijn Kruisselbrink, 2017/05/05 17:32:42]

I think using 'null' might make annevk sad
(https://github.com/w3c/web-platform-tests/issues/5317). You can check for
TypeError by either passing {name: 'TypeError'} or new TypeError() as expected
exception (both formats seem to be used about equally often in existing WPT
assert_throws usage...)

+          })
+        .then(function() {
+            throw new Error('Expected request to fail, but it succeeded.');
+          }, function() {});
+    }, 'url:\"' + url + '\" mode:\"' + mode +
+       '\" credentials:\"' + credentials + '\" should fail.');
 }
 
-function ok_test(frame, url, mode, credentials, expected_type,
-                 expected_username) {
-  return frame_fetch(frame, url, mode, credentials)
-    .then(function(res) {
-        assert_equals(res.type, expected_type);
-        return res.text();
-      })
-    .then(function(text) {
-        if (expected_type == 'opaque') {
-          assert_equals(text, '');
-        } else {
-          return new Promise(function(resolve) {
-                var report = resolve;
-                // text must contain report() call.
-                eval(text);
-              })
-            .then(function(result) {
-                assert_equals(result.username, expected_username);
-              });
-        }
-      })
-    .catch(function(reason) {
-        throw new Error('fetching url:\"' + url + '\" mode:\"' + mode +
+function ok_test(url, mode, credentials, expected_type, expected_username) {
+  promise_test(function() {
+      return login_and_register.then(function(frame) {
+            return frame_fetch(frame, url, mode, credentials)
+          })
+        .then(function(res) {
+            assert_equals(res.type, expected_type, 'response type');
+            return res.text();
+          })
+        .then(function(text) {
+            if (expected_type == 'opaque') {
+              assert_equals(text, '');
+            } else {
+              return new Promise(function(resolve) {
+                    var report = resolve;
+                    // text must contain report() call.
+                    eval(text);
+                  })
+                .then(function(result) {
+                    assert_equals(result.username, expected_username);
+                  });
+            }
+          });
+    }, 'fetching url:\"' + url + '\" mode:\"' + mode +
                         '\" credentials:\"' + credentials + '\" should ' +
-                        'success. - ' + reason.message);
-      });
+                        'succeed.');
 }
 
 function build_rewrite_url(origin, url, mode, credentials) {
   return origin + '/?url=' + encodeURIComponent(url) + '&mode=' + mode +
       '&credentials=' + credentials + '&';
 }
 
 function for_each_origin_mode_credentials(callback) {
   [BASE_ORIGIN, OTHER_ORIGIN].forEach(function(origin) {
       ['same-origin', 'no-cors', 'cors'].forEach(function(mode) {
           ['omit', 'same-origin', 'include'].forEach(function(credentials) {
               callback(origin, mode, credentials);
             });
         });
     });
 }
 
-promise_test(function(t) {
-    var SCOPE = 'resources/fetch-response-taint-iframe.html';
-    var SCRIPT = 'resources/fetch-rewrite-worker.js';
-    var frame = undefined;
+ok_test(BASE_URL, 'same-origin', 'omit', 'basic', 'undefined');
+ok_test(BASE_URL, 'same-origin', 'same-origin', 'basic', 'username2s');
+ok_test(BASE_URL, 'same-origin', 'include', 'basic', 'username2s');
+ok_test(BASE_URL, 'no-cors', 'omit', 'basic', 'undefined');
+ok_test(BASE_URL, 'no-cors', 'same-origin', 'basic', 'username2s');
+ok_test(BASE_URL, 'no-cors', 'include', 'basic', 'username2s');
+ok_test(BASE_URL, 'cors', 'omit', 'basic', 'undefined');
+ok_test(BASE_URL, 'cors', 'same-origin', 'basic', 'username2s');
+ok_test(BASE_URL, 'cors', 'include', 'basic', 'username2s');
+ng_test(OTHER_BASE_URL, 'same-origin', 'omit');
+ng_test(OTHER_BASE_URL, 'same-origin', 'same-origin');
+ng_test(OTHER_BASE_URL, 'same-origin', 'include');
+ok_test(OTHER_BASE_URL, 'no-cors', 'omit', 'opaque');
+ok_test(OTHER_BASE_URL, 'no-cors', 'same-origin', 'opaque');
+ok_test(OTHER_BASE_URL, 'no-cors', 'include', 'opaque');
+ng_test(OTHER_BASE_URL, 'cors', 'omit');
+ng_test(OTHER_BASE_URL, 'cors', 'same-origin');
+ng_test(OTHER_BASE_URL, 'cors', 'include');
+ok_test(OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'omit', 'cors', 'undefined');
+ok_test(OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'same-origin', 'cors',
+        'undefined');
+ng_test(OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'include');
+ok_test(

[Marijn Kruisselbrink, 2017/05/04 00:08:05]

nit: why the line-break?

[mike3, 2017/05/05 16:21:38]

A vestige from the prior version. Fixed.

+        OTHER_BASE_URL + 'ACAOrigin=' + BASE_ORIGIN + '&ACACredentials=true',
+        'cors', 'include', 'cors', 'username1s')
 
-    return login(t, host_info.HTTP_ORIGIN, host_info.HTTP_REMOTE_ORIGIN)
-      .then(function() {
-          return service_worker_unregister_and_register(t, SCRIPT, SCOPE);
-        })
-      .then(function(registration) {
-          return wait_for_state(t, registration.installing, 'activated');
-        })
-      .then(function() { return with_iframe(SCOPE); })
-      .then(function(f) {
-          frame = f;
-          var promises = [
-            ok_test(f, BASE_URL, 'same-origin', 'omit', 'basic', 'undefined'),
-            ok_test(f, BASE_URL, 'same-origin', 'same-origin', 'basic',
-                    'username1'),
-            ok_test(f, BASE_URL, 'same-origin', 'include', 'basic',
-                    'username1'),
-            ok_test(f, BASE_URL, 'no-cors', 'omit', 'basic', 'undefined'),
-            ok_test(f, BASE_URL, 'no-cors', 'same-origin', 'basic',
-                    'username1'),
-            ok_test(f, BASE_URL, 'no-cors', 'include', 'basic', 'username1'),
-            ok_test(f, BASE_URL, 'cors', 'omit', 'basic', 'undefined'),
-            ok_test(f, BASE_URL, 'cors', 'same-origin', 'basic', 'username1'),
-            ok_test(f, BASE_URL, 'cors', 'include', 'basic', 'username1'),
-            ng_test(f, OTHER_BASE_URL, 'same-origin', 'omit'),
-            ng_test(f, OTHER_BASE_URL, 'same-origin', 'same-origin'),
-            ng_test(f, OTHER_BASE_URL, 'same-origin', 'include'),
-            ok_test(f, OTHER_BASE_URL, 'no-cors', 'omit', 'opaque'),
-            ok_test(f, OTHER_BASE_URL, 'no-cors', 'same-origin', 'opaque'),
-            ok_test(f, OTHER_BASE_URL, 'no-cors', 'include', 'opaque'),
-            ng_test(f, OTHER_BASE_URL, 'cors', 'omit'),
-            ng_test(f, OTHER_BASE_URL, 'cors', 'same-origin'),
-            ng_test(f, OTHER_BASE_URL, 'cors', 'include'),
-            ok_test(f, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'omit', 'cors',
-                    'undefined'),
-            ok_test(f, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'same-origin',
-                    'cors', 'undefined'),
-            ng_test(f, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'include'),
-            ok_test(f,
-                    OTHER_BASE_URL + 'ACAOrigin=' + BASE_ORIGIN +
-                    '&ACACredentials=true',
-                    'cors', 'include', 'cors', 'username2')
-          ];
+for_each_origin_mode_credentials(function(origin, mode, credentials) {
+  var url = build_rewrite_url(
+      origin, BASE_URL, 'same-origin', 'omit');
+  // Fetch to the other origin with same-origin mode should fail.
+  if (origin == OTHER_ORIGIN && mode == 'same-origin') {
+    ng_test(url, mode, credentials);
+  } else {
+    // The response type from the SW should be basic
+    ok_test(url, mode, credentials, 'basic', 'undefined');
+  }
+});
 
-          for_each_origin_mode_credentials(function(origin, mode, credentials) {
-            var url = build_rewrite_url(
-                origin, BASE_URL, 'same-origin', 'omit');
-            // Fetch to the other origin with same-origin mode should fail.
-            if (origin == OTHER_ORIGIN && mode == 'same-origin')
-              return promises.push(ng_test(f, url, mode, credentials));
-            // The response type from the SW should be basic
-            promises.push(
-                ok_test(f, url, mode, credentials, 'basic', 'undefined'));
-          });
+for_each_origin_mode_credentials(function(origin, mode, credentials) {
+  var url = build_rewrite_url(
+      origin, BASE_URL, 'same-origin', 'same-origin');
 
-          for_each_origin_mode_credentials(function(origin, mode, credentials) {
-            var url = build_rewrite_url(
-                origin, BASE_URL, 'same-origin', 'same-origin');
-            // Fetch to the other origin with same-origin mode should fail.
-            if (origin == OTHER_ORIGIN && mode == 'same-origin')
-              return promises.push(ng_test(f, url, mode, credentials));
-            // The response type from the SW should be basic.
-            promises.push(
-                ok_test(f, url, mode, credentials, 'basic', 'username1'));
-          });
+  // Fetch to the other origin with same-origin mode should fail.
+  if (origin == OTHER_ORIGIN && mode == 'same-origin') {
+    ng_test(url, mode, credentials);
+  // The response type from the SW should be basic.
+  } else {
+    ok_test(url, mode, credentials, 'basic', 'username2s');
+  }
+});
 
-          for_each_origin_mode_credentials(function(origin, mode, credentials) {
-            var url = build_rewrite_url(
-                origin, OTHER_BASE_URL, 'same-origin', 'omit');
-            // The response from the SW should be an error.
-            promises.push(ng_test(f, url, mode, credentials));
-          });
+for_each_origin_mode_credentials(function(origin, mode, credentials) {
+  var url = build_rewrite_url(
+      origin, OTHER_BASE_URL, 'same-origin', 'omit');
+  // The response from the SW should be an error.
+  ng_test(url, mode, credentials);
+});
 
-          for_each_origin_mode_credentials(function(origin, mode, credentials) {
-            var url = build_rewrite_url(
-                origin, OTHER_BASE_URL, 'no-cors', 'omit');
-            // SW can respond only to no-cors requests.
-            if (mode != 'no-cors')
-              return promises.push(ng_test(f, url, mode, credentials));
-            // The response type from the SW should be opaque.
-            promises.push(ok_test(f, url, mode, credentials, 'opaque'));
-          });
+for_each_origin_mode_credentials(function(origin, mode, credentials) {
+  var url = build_rewrite_url(
+      origin, OTHER_BASE_URL, 'no-cors', 'omit');
 
-          for_each_origin_mode_credentials(function(origin, mode, credentials) {
-            var url = build_rewrite_url(
-                origin, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'omit');
-            // Fetch to the other origin with same-origin mode should fail.
-            if (origin == OTHER_ORIGIN && mode == 'same-origin')
-              return promises.push(ng_test(f, url, mode, credentials));
-            // The response from the SW should be cors.
-            promises.push(
-                ok_test(f, url, mode, credentials, 'cors', 'undefined'));
-          });
+  // SW can respond only to no-cors requests.
+  if (mode != 'no-cors') {
+    ng_test(url, mode, credentials);
+  } else {
+    // The response type from the SW should be opaque.
+    ok_test(url, mode, credentials, 'opaque');
+  }
+});
 
-          for_each_origin_mode_credentials(function(origin, mode, credentials) {
-            var url = build_rewrite_url(
-                origin,
-                OTHER_BASE_URL + 'ACAOrigin=' + BASE_ORIGIN +
-                '&ACACredentials=true',
-                'cors', 'include');
-            // Fetch to the other origin with same-origin mode should fail.
-            if (origin == OTHER_ORIGIN && mode == 'same-origin')
-              return promises.push(ng_test(f, url, mode, credentials));
-            // The response from the SW should be cors.
-            promises.push(
-                ok_test(f, url, mode, credentials, 'cors', 'username2'));
-          });
-          return Promise.all(promises);
-        })
-      .then(function(f) {
-          frame.remove()
-        })
-      .catch(unreached_rejection(t));
-  }, 'Verify the tainting of responses fetched via SW');
+for_each_origin_mode_credentials(function(origin, mode, credentials) {
+  var url = build_rewrite_url(
+      origin, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'omit');
+
+  // Fetch to the other origin with same-origin mode should fail.
+  if (origin == OTHER_ORIGIN && mode == 'same-origin') {
+    ng_test(url, mode, credentials);
+  } else {
+    // The response from the SW should be cors.
+    ok_test(url, mode, credentials, 'cors', 'undefined');
+  }
+});
+
+for_each_origin_mode_credentials(function(origin, mode, credentials) {
+  var url = build_rewrite_url(
+      origin,
+      OTHER_BASE_URL + 'ACAOrigin=' + BASE_ORIGIN +
+      '&ACACredentials=true',
+      'cors', 'include');
+  // Fetch to the other origin with same-origin mode should fail.
+  if (origin == OTHER_ORIGIN && mode == 'same-origin') {
+    ng_test(url, mode, credentials);
+  } else {
+    // The response from the SW should be cors.
+    ok_test(url, mode, credentials, 'cors', 'username1s');
+  }
+});
 </script>
 </body>