tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

commit cea43a24d73eb87b8594d28d911c43f4300218ce
parent 6eaaf13ba3d0e8be84e0f5e4ba2430523dc04019
Author: Mike West <mkwst@chromium.org>
Date:   Mon, 27 Oct 2025 10:07:10 +0000

Bug 1995891 [wpt PR 55607] - [Connection-Allowlist] Enforce allowlist on fetches in Blink., a=testonly

Automatic update from web-platform-tests
[Connection-Allowlist] Enforce allowlist on fetches in Blink.

This CL uses the `network::ConnectionAllowlist` on a document's Policy
Container to evaluate requests running through BaseFetchContext. This
covers `fetch()` and a good number of explicit resource requests inside
Blink. There's still quite a bit of ground to cover though: this CL
really just finishes the scaffolding that we'll build upon going
forward.

This is one in a series of CLs to prototype the mechanism:

1. https://crrev.com/c/6985001 - Data structure and parsing.
2. https://crrev.com/c/7071008 - Add allowlists to ParsedHeaders.
3. https://crrev.com/c/7072371 - Store allowlists on PolicyContainer.
4. https://crrev.com/c/7072352 - [You are here.]
5. https://crrev.com/c/7073851 - about:flags.

Bug: 447954811
Change-Id: Ie7174620e3906e48af6394a3c34a68d079171a07
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7072352
Reviewed-by: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Kent Tamura <tkent@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1534827}

--

wpt-commits: 2b9ba90bc0bf8132c7888a186ea999e5af5bfa1b
wpt-pr: 55607

Diffstat:
A testing/web-platform/tests/connection-allowlist/tentative/fetch.window.js | 13 +++++++++++++
A testing/web-platform/tests/connection-allowlist/tentative/fetch.window.js.headers | 1 +
2 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/testing/web-platform/tests/connection-allowlist/tentative/fetch.window.js b/testing/web-platform/tests/connection-allowlist/tentative/fetch.window.js @@ -0,0 +1,13 @@ +// META: script=/common/get-host-info.sub.js +// +// The following tests assume the policy `Connection-Allowlist: (response-origin)` has been set. + +promise_test(async t => { + const r = await fetch("/common/blank-with-cors.html", { mode: "cors", credential: "omit" }); + assert_equals(r.status, 200); +}, "Same-origin fetches succeed when `response-origin` is specified."); + +promise_test(async t => { + const fetcher = fetch(get_host_info().HTTPS_REMOTE_ORIGIN + "/common/blank-with-cors.html", { mode: "cors", credential: "omit" }); + return promise_rejects_js(t, TypeError, fetcher); +}, "Cross-origin fetches fail when `response-origin` is specified."); diff --git a/testing/web-platform/tests/connection-allowlist/tentative/fetch.window.js.headers b/testing/web-platform/tests/connection-allowlist/tentative/fetch.window.js.headers @@ -0,0 +1 @@ +Connection-Allowlist: (response-origin)
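Review bot: both `fetch()` calls in fetch.window.js pass `credential: "omit"`, but the Fetch request init key is `credentials` (plural); an unknown key is silently ignored, so these requests run with the default `credentials: "same-origin"` and the credential-less path the tests appear to target is never exercised. Suggest `{ mode: "cors", credentials: "omit" }` in both calls. Separately, the same-origin case passes whether or not the allowlist is enforced at all, so it only documents that `(response-origin)` does not over-block; it would be worth a short comment saying so, or a companion check that demonstrates enforcement is active (the cross-origin rejection is currently the only evidence of that).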
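Review bot: the `.headers` file pins the policy to `Connection-Allowlist: (response-origin)` while the comment at the top of fetch.window.js restates that value by hand ("The following tests assume the policy ... has been set"), so the two files can silently drift apart if either is edited. Since the test names also embed `response-origin`, consider having the JS comment point at the `.headers` sidecar by name rather than repeating the header value, and note that a second sidecar with a different allowlist would be needed before these tests can distinguish behaviour specific to the inner-list form from the default enforcement.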