commit 4dd4f8fb6d658416d26b87cb0caf060ccfc772ed
parent 74932703b89118fae7a54bb1f9f9b87ee7998374
Author: Andrew Williams <awillia@chromium.org>
Date: Wed, 19 Nov 2025 04:55:15 +0000
Bug 2000643 [wpt PR 56062] - Add blob URL partitioning self-fetch test and refactor helper functions, a=testonly
Automatic update from web-platform-tests
Add blob URL partitioning self-fetch test and refactor helper functions
This change introduces a new test, `cross-partition-self-fetch.html`,
which verifies that a Blob URL created in a cross-partition context can
successfully fetch itself when opened in a same-partition context. This
is to support upcoming spec changes proposed here:
https://github.com/w3c/FileAPI/issues/210
This change also moves the `add_iframe_js` and `create_test_iframes`
functions into a new `resources/common.js` file to reduce code
duplication across Blob URL cross-partition tests.
Also deletes support/file_test2.txt which appears to be unused.
Bug: 426787402
Change-Id: I0080fa35b98ed9a1307a313181d2e6b30b56a37c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7016969
Reviewed-by: Koji Ishii <kojii@chromium.org>
Reviewed-by: Ari Chivukula <arichiv@chromium.org>
Commit-Queue: Andrew Williams <awillia@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1545891}
--
wpt-commits: d57037d6c71dbc47edbca522e5bbd81b8aeffd23
wpt-pr: 56062
Diffstat:
6 files changed, 114 insertions(+), 100 deletions(-)
diff --git a/testing/web-platform/tests/FileAPI/BlobURL/cross-partition-navigation.https.html b/testing/web-platform/tests/FileAPI/BlobURL/cross-partition-navigation.https.html
@@ -10,6 +10,7 @@
<script src="/html/cross-origin-embedder-policy/credentialless/resources/common.js"></script>
<!-- Pull in importScript / newPopup / newIframe -->
<script src="/html/anonymous-iframe/resources/common.js"></script>
+<script src="resources/common.js"></script>
<body>
<script>
@@ -30,40 +31,6 @@ const does_blob_url_open_return_handle = (blob_url, response_queue_name) => `
await test();
`;
-const add_iframe_js = (iframe_origin, response_queue_uuid) => `
- const importScript = ${importScript};
- await importScript("/html/cross-origin-embedder-policy/credentialless" +
- "/resources/common.js");
- await importScript("/html/anonymous-iframe/resources/common.js");
- await importScript("/common/utils.js");
-
- // dispatcher.js has already been loaded by the popup this is running in.
- await send("${response_queue_uuid}", newIframe("${iframe_origin}"));
-`;
-
-const same_site_origin = get_host_info().HTTPS_ORIGIN;
-const cross_site_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
-
-async function create_test_iframes(t, response_queue_uuid) {
- assert_equals("https://" + window.location.host, same_site_origin,
- "this test assumes that the page's window.location.host corresponds to " +
- "get_host_info().HTTPS_ORIGIN");
-
- // Create a same-origin iframe in a cross-site popup.
- const not_same_site_popup_uuid = newPopup(t, cross_site_origin);
- await send(not_same_site_popup_uuid,
- add_iframe_js(same_site_origin, response_queue_uuid));
- const cross_site_iframe_uuid = await receive(response_queue_uuid);
-
- // Create a same-origin iframe in a same-site popup.
- const same_origin_popup_uuid = newPopup(t, same_site_origin);
- await send(same_origin_popup_uuid,
- add_iframe_js(same_site_origin, response_queue_uuid));
- const same_site_iframe_uuid = await receive(response_queue_uuid);
-
- return [cross_site_iframe_uuid, same_site_iframe_uuid];
-}
-
const opener_check_frame_html = (noopener_response_queue) => `
<!doctype html>
<!-- dispatcher.js requires the baseURI to be set in order to compute
diff --git a/testing/web-platform/tests/FileAPI/BlobURL/cross-partition-self-fetch.https.tentative.html b/testing/web-platform/tests/FileAPI/BlobURL/cross-partition-self-fetch.https.tentative.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<!-- Pull in executor_path needed by newPopup / newIframe -->
+<script src="/html/cross-origin-embedder-policy/credentialless/resources/common.js"></script>
+<!-- Pull in importScript / newPopup / newIframe -->
+<script src="/html/anonymous-iframe/resources/common.js"></script>
+<script src="resources/common.js"></script>
+<body>
+<script>
+
+// Creates a Blob URL for an HTML document that fetches itself and sends the result to the
+// specified response queue UUID. This is somewhat contrived but aims to test a more common
+// scenario where a Blob URL with a video/audio mime type is navigated to and has an HTML document
+// created for to allow media controls to be present. In that scenario the Blob URL will be used
+// via a "src" attribute, resulting in a first-party resource load.
+const create_blob_url_and_send_js = (fetch_response_uuid, iframe_response_uuid) => `
+ const blob_url_iframe_html = \`
+ <!doctype html>
+ <base href="\${window.location.href}">
+ <script src="/html/cross-origin-embedder-policy/credentialless/resources/common.js"><\/script>
+ <script src="/html/anonymous-iframe/resources/common.js"><\/script>
+ <script src="/common/utils.js"><\/script>
+ <script src="/common/dispatcher/dispatcher.js"><\/script>
+ <script>
+ (async () => {
+ try {
+ const response = await fetch(window.location.href);
+ await response.text();
+ send("${fetch_response_uuid}", "success");
+ } catch (e) {
+ send("${fetch_response_uuid}", "failure");
+ }
+ })();
+ <\/script>
+ \`;
+ const blob = new Blob([blob_url_iframe_html], {type: 'text/html'});
+ const blob_url = URL.createObjectURL(blob);
+ send("${iframe_response_uuid}", blob_url);
+`;
+
+promise_test(t => {
+ return new Promise(async (resolve, reject) => {
+ try {
+ const iframe_response_uuid = token();
+ const fetch_response_uuid = token();
+ const response_queue_uuid = token();
+
+ const [cross_site_iframe_uuid, same_site_iframe_uuid] =
+ await create_test_iframes(t, response_queue_uuid);
+
+ await send(cross_site_iframe_uuid,
+ create_blob_url_and_send_js(fetch_response_uuid, iframe_response_uuid));
+
+ const blob_url = await receive(iframe_response_uuid);
+
+ window.open(blob_url);
+
+ const fetch_result = await receive(fetch_response_uuid);
+
+ assert_equals(fetch_result, "success", "Blob URL created in a cross-partition context should be able to fetch itself in a same-partition context.");
+
+ resolve();
+ } catch (e) {
+ reject(e);
+ }
+ });
+}, "Blob URL created in a cross-partition context can fetch itself in a same-partition context.");
+
+</script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/FileAPI/BlobURL/cross-partition-worker-creation.https.html b/testing/web-platform/tests/FileAPI/BlobURL/cross-partition-worker-creation.https.html
@@ -10,46 +10,13 @@
<script src="/html/cross-origin-embedder-policy/credentialless/resources/common.js"></script>
<!-- Pull in importScript / newPopup / newIframe -->
<script src="/html/anonymous-iframe/resources/common.js"></script>
+<script src="resources/common.js"></script>
<body>
<script>
const create_worker_unsuccessful = "Worker creation failed.";
const create_worker_successful = "Worker creation succeeded.";
-const add_iframe_js = (iframe_origin, response_queue_uuid) => `
- const importScript = ${importScript};
- await importScript("/html/cross-origin-embedder-policy/credentialless" +
- "/resources/common.js");
- await importScript("/html/anonymous-iframe/resources/common.js");
- await importScript("/common/utils.js");
-
- // dispatcher.js has already been loaded by the popup this is running in.
- await send("${response_queue_uuid}", newIframe("${iframe_origin}"));
-`;
-
-const same_site_origin = get_host_info().HTTPS_ORIGIN;
-const cross_site_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
-
-async function create_test_iframes(t, response_queue_uuid) {
- assert_equals("https://" + window.location.host, same_site_origin,
- "this test assumes that the page's window.location.host corresponds to " +
- "get_host_info().HTTPS_ORIGIN");
-
- // Create a same-origin iframe in a cross-site popup.
- const not_same_site_popup_uuid = newPopup(t, cross_site_origin);
- await send(not_same_site_popup_uuid,
- add_iframe_js(same_site_origin, response_queue_uuid));
- const cross_site_iframe_uuid = await receive(response_queue_uuid);
-
- // Create a same-origin iframe in a same-site popup.
- const same_origin_popup_uuid = newPopup(t, same_site_origin);
- await send(same_origin_popup_uuid,
- add_iframe_js(same_site_origin, response_queue_uuid));
- const same_site_iframe_uuid = await receive(response_queue_uuid);
-
- return [cross_site_iframe_uuid, same_site_iframe_uuid];
-}
-
const can_create_blob_url_shared_worker_js = (blob_url, response_queue_name) => `
const worker = new SharedWorker("${blob_url}");
worker.onerror = (e) => {
diff --git a/testing/web-platform/tests/FileAPI/BlobURL/cross-partition.https.html b/testing/web-platform/tests/FileAPI/BlobURL/cross-partition.https.html
@@ -10,6 +10,7 @@
<script src="/html/cross-origin-embedder-policy/credentialless/resources/common.js"></script>
<!-- Pull in importScript / newPopup / newIframe -->
<script src="/html/anonymous-iframe/resources/common.js"></script>
+<script src="resources/common.js"></script>
<body>
<script>
@@ -65,39 +66,7 @@ const can_blob_url_be_fetched_js = (blob_url, response_queue_name) => `
await test();
`;
-const add_iframe_js = (iframe_origin, response_queue_uuid) => `
- const importScript = ${importScript};
- await importScript("/html/cross-origin-embedder-policy/credentialless" +
- "/resources/common.js");
- await importScript("/html/anonymous-iframe/resources/common.js");
- await importScript("/common/utils.js");
-
- // dispatcher.js has already been loaded by the popup this is running in.
- await send("${response_queue_uuid}", newIframe("${iframe_origin}"));
-`;
-
const same_site_origin = get_host_info().HTTPS_ORIGIN;
-const cross_site_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
-
-async function create_test_iframes(t, response_queue_uuid) {
- assert_equals("https://" + window.location.host, same_site_origin,
- "this test assumes that the page's window.location.host corresponds to " +
- "get_host_info().HTTPS_ORIGIN");
-
- // Create a same-origin iframe in a cross-site popup.
- const not_same_site_popup_uuid = newPopup(t, cross_site_origin);
- await send(not_same_site_popup_uuid,
- add_iframe_js(same_site_origin, response_queue_uuid));
- const cross_site_iframe_uuid = await receive(response_queue_uuid);
-
- // Create a same-origin iframe in a same-site popup.
- const same_origin_popup_uuid = newPopup(t, same_site_origin);
- await send(same_origin_popup_uuid,
- add_iframe_js(same_site_origin, response_queue_uuid));
- const same_site_iframe_uuid = await receive(response_queue_uuid);
-
- return [cross_site_iframe_uuid, same_site_iframe_uuid];
-}
// Tests revoking blob URL for same and cross partition iframes.
promise_test(t => {
diff --git a/testing/web-platform/tests/FileAPI/BlobURL/resources/common.js b/testing/web-platform/tests/FileAPI/BlobURL/resources/common.js
@@ -0,0 +1,33 @@
+const add_iframe_js = (iframe_origin, response_queue_uuid) => `
+ const importScript = ${importScript};
+ await importScript("/html/cross-origin-embedder-policy/credentialless" +
+ "/resources/common.js");
+ await importScript("/html/anonymous-iframe/resources/common.js");
+ await importScript("/common/utils.js");
+
+ // dispatcher.js has already been loaded by the popup this is running in.
+ await send("${response_queue_uuid}", newIframe("${iframe_origin}"));
+`;
+
+async function create_test_iframes(t, response_queue_uuid) {
+ const same_site_origin = get_host_info().HTTPS_ORIGIN;
+ const cross_site_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+ assert_equals("https://" + window.location.host, same_site_origin,
+ "this test assumes that the page's window.location.host corresponds to " +
+ "get_host_info().HTTPS_ORIGIN");
+
+ // Create a same-origin iframe in a cross-site popup.
+ const not_same_site_popup_uuid = newPopup(t, cross_site_origin);
+ await send(not_same_site_popup_uuid,
+ add_iframe_js(same_site_origin, response_queue_uuid));
+ const cross_site_iframe_uuid = await receive(response_queue_uuid);
+
+ // Create a same-origin iframe in a same-site popup.
+ const same_origin_popup_uuid = newPopup(t, same_site_origin);
+ await send(same_origin_popup_uuid,
+ add_iframe_js(same_site_origin, response_queue_uuid));
+ const same_site_iframe_uuid = await receive(response_queue_uuid);
+
+ return [cross_site_iframe_uuid, same_site_iframe_uuid];
+}
+\ No newline at end of file
diff --git a/testing/web-platform/tests/FileAPI/BlobURL/support/file_test2.txt b/testing/web-platform/tests/FileAPI/BlobURL/support/file_test2.txt
