OLD | NEW |
| (Empty) |
1 <!DOCTYPE html> | |
2 <title>Service Worker: Tainting of responses fetched via SW.</title> | |
3 <script src="../resources/testharness.js"></script> | |
4 <script src="../resources/testharnessreport.js"></script> | |
5 <script src="../resources/get-host-info.js?pipe=sub"></script> | |
6 <script src="resources/test-helpers.js"></script> | |
7 <body> | |
8 <script> | |
9 var host_info = get_host_info(); | |
10 var BASE_ORIGIN = host_info.HTTP_ORIGIN; | |
11 var OTHER_ORIGIN = host_info.HTTP_REMOTE_ORIGIN; | |
12 var BASE_URL = BASE_ORIGIN + base_path() + | |
13 'resources/fetch-access-control.php?'; | |
14 var OTHER_BASE_URL = OTHER_ORIGIN + base_path() + | |
15 'resources/fetch-access-control.php?'; | |
16 | |
17 function frame_fetch(frame, url, mode, credentials) { | |
18 return frame.contentWindow.fetch( | |
19 new Request(url, {mode: mode, credentials: credentials})); | |
20 } | |
21 | |
22 function ng_test(frame, url, mode, credentials) { | |
23 return frame_fetch(frame, url, mode, credentials).then( | |
24 function() { | |
25 throw new Error('fetching url:\"' + url + '\" mode:\"' + mode + | |
26 '\" credentials:\"' + credentials + '\" should fail.'); | |
27 }, | |
28 function() {}); | |
29 } | |
30 | |
31 function ok_test(frame, url, mode, credentials, expected_type, | |
32 expected_username) { | |
33 return frame_fetch(frame, url, mode, credentials) | |
34 .then(function(res) { | |
35 assert_equals(res.type, expected_type); | |
36 return res.text(); | |
37 }) | |
38 .then(function(text) { | |
39 if (expected_type == 'opaque') { | |
40 assert_equals(text, ''); | |
41 } else { | |
42 return new Promise(function(resolve) { | |
43 var report = resolve; | |
44 // text must contain report() call. | |
45 eval(text); | |
46 }) | |
47 .then(function(result) { | |
48 assert_equals(result.username, expected_username); | |
49 }); | |
50 } | |
51 }) | |
52 .catch(function(reason) { | |
53 throw new Error('fetching url:\"' + url + '\" mode:\"' + mode + | |
54 '\" credentials:\"' + credentials + '\" should ' + | |
55 'success. - ' + reason.message); | |
56 }); | |
57 } | |
58 | |
59 function build_rewrite_url(origin, url, mode, credentials) { | |
60 return origin + '/?url=' + encodeURIComponent(url) + '&mode=' + mode + | |
61 '&credentials=' + credentials + '&'; | |
62 } | |
63 | |
64 function for_each_origin_mode_credentials(callback) { | |
65 [BASE_ORIGIN, OTHER_ORIGIN].forEach(function(origin) { | |
66 ['same-origin', 'no-cors', 'cors'].forEach(function(mode) { | |
67 ['omit', 'same-origin', 'include'].forEach(function(credentials) { | |
68 callback(origin, mode, credentials); | |
69 }); | |
70 }); | |
71 }); | |
72 } | |
73 | |
74 promise_test(function(t) { | |
75 var SCOPE = 'resources/fetch-response-taint-iframe.html'; | |
76 var SCRIPT = 'resources/fetch-rewrite-worker.js'; | |
77 var frame = undefined; | |
78 | |
79 return login(t, host_info.HTTP_ORIGIN, host_info.HTTP_REMOTE_ORIGIN) | |
80 .then(function() { | |
81 return service_worker_unregister_and_register(t, SCRIPT, SCOPE); | |
82 }) | |
83 .then(function(registration) { | |
84 return wait_for_state(t, registration.installing, 'activated'); | |
85 }) | |
86 .then(function() { return with_iframe(SCOPE); }) | |
87 .then(function(f) { | |
88 frame = f; | |
89 var promises = [ | |
90 ok_test(f, BASE_URL, 'same-origin', 'omit', 'basic', 'undefined'), | |
91 ok_test(f, BASE_URL, 'same-origin', 'same-origin', 'basic', | |
92 'username1'), | |
93 ok_test(f, BASE_URL, 'same-origin', 'include', 'basic', | |
94 'username1'), | |
95 ok_test(f, BASE_URL, 'no-cors', 'omit', 'basic', 'undefined'), | |
96 ok_test(f, BASE_URL, 'no-cors', 'same-origin', 'basic', | |
97 'username1'), | |
98 ok_test(f, BASE_URL, 'no-cors', 'include', 'basic', 'username1'), | |
99 ok_test(f, BASE_URL, 'cors', 'omit', 'basic', 'undefined'), | |
100 ok_test(f, BASE_URL, 'cors', 'same-origin', 'basic', 'username1'), | |
101 ok_test(f, BASE_URL, 'cors', 'include', 'basic', 'username1'), | |
102 ng_test(f, OTHER_BASE_URL, 'same-origin', 'omit'), | |
103 ng_test(f, OTHER_BASE_URL, 'same-origin', 'same-origin'), | |
104 ng_test(f, OTHER_BASE_URL, 'same-origin', 'include'), | |
105 ok_test(f, OTHER_BASE_URL, 'no-cors', 'omit', 'opaque'), | |
106 ok_test(f, OTHER_BASE_URL, 'no-cors', 'same-origin', 'opaque'), | |
107 ok_test(f, OTHER_BASE_URL, 'no-cors', 'include', 'opaque'), | |
108 ng_test(f, OTHER_BASE_URL, 'cors', 'omit'), | |
109 ng_test(f, OTHER_BASE_URL, 'cors', 'same-origin'), | |
110 ng_test(f, OTHER_BASE_URL, 'cors', 'include'), | |
111 ok_test(f, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'omit', 'cors', | |
112 'undefined'), | |
113 ok_test(f, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'same-origin', | |
114 'cors', 'undefined'), | |
115 ng_test(f, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'include'), | |
116 ok_test(f, | |
117 OTHER_BASE_URL + 'ACAOrigin=' + BASE_ORIGIN + | |
118 '&ACACredentials=true', | |
119 'cors', 'include', 'cors', 'username2') | |
120 ]; | |
121 | |
122 for_each_origin_mode_credentials(function(origin, mode, credentials) { | |
123 var url = build_rewrite_url( | |
124 origin, BASE_URL, 'same-origin', 'omit'); | |
125 // Fetch to the other origin with same-origin mode should fail. | |
126 if (origin == OTHER_ORIGIN && mode == 'same-origin') | |
127 return promises.push(ng_test(f, url, mode, credentials)); | |
128 // The response type from the SW should be basic | |
129 promises.push( | |
130 ok_test(f, url, mode, credentials, 'basic', 'undefined')); | |
131 }); | |
132 | |
133 for_each_origin_mode_credentials(function(origin, mode, credentials) { | |
134 var url = build_rewrite_url( | |
135 origin, BASE_URL, 'same-origin', 'same-origin'); | |
136 // Fetch to the other origin with same-origin mode should fail. | |
137 if (origin == OTHER_ORIGIN && mode == 'same-origin') | |
138 return promises.push(ng_test(f, url, mode, credentials)); | |
139 // The response type from the SW should be basic. | |
140 promises.push( | |
141 ok_test(f, url, mode, credentials, 'basic', 'username1')); | |
142 }); | |
143 | |
144 for_each_origin_mode_credentials(function(origin, mode, credentials) { | |
145 var url = build_rewrite_url( | |
146 origin, OTHER_BASE_URL, 'same-origin', 'omit'); | |
147 // The response from the SW should be an error. | |
148 promises.push(ng_test(f, url, mode, credentials)); | |
149 }); | |
150 | |
151 for_each_origin_mode_credentials(function(origin, mode, credentials) { | |
152 var url = build_rewrite_url( | |
153 origin, OTHER_BASE_URL, 'no-cors', 'omit'); | |
154 // SW can respond only to no-cors requests. | |
155 if (mode != 'no-cors') | |
156 return promises.push(ng_test(f, url, mode, credentials)); | |
157 // The response type from the SW should be opaque. | |
158 promises.push(ok_test(f, url, mode, credentials, 'opaque')); | |
159 }); | |
160 | |
161 for_each_origin_mode_credentials(function(origin, mode, credentials) { | |
162 var url = build_rewrite_url( | |
163 origin, OTHER_BASE_URL + 'ACAOrigin=*', 'cors', 'omit'); | |
164 // Fetch to the other origin with same-origin mode should fail. | |
165 if (origin == OTHER_ORIGIN && mode == 'same-origin') | |
166 return promises.push(ng_test(f, url, mode, credentials)); | |
167 // The response from the SW should be cors. | |
168 promises.push( | |
169 ok_test(f, url, mode, credentials, 'cors', 'undefined')); | |
170 }); | |
171 | |
172 for_each_origin_mode_credentials(function(origin, mode, credentials) { | |
173 var url = build_rewrite_url( | |
174 origin, | |
175 OTHER_BASE_URL + 'ACAOrigin=' + BASE_ORIGIN + | |
176 '&ACACredentials=true', | |
177 'cors', 'include'); | |
178 // Fetch to the other origin with same-origin mode should fail. | |
179 if (origin == OTHER_ORIGIN && mode == 'same-origin') | |
180 return promises.push(ng_test(f, url, mode, credentials)); | |
181 // The response from the SW should be cors. | |
182 promises.push( | |
183 ok_test(f, url, mode, credentials, 'cors', 'username2')); | |
184 }); | |
185 return Promise.all(promises); | |
186 }) | |
187 .then(function(f) { | |
188 frame.remove() | |
189 }) | |
190 .catch(unreached_rejection(t)); | |
191 }, 'Verify the tainting of responses fetched via SW'); | |
192 </script> | |
193 </body> | |
OLD | NEW |