element-embed.sub.html (7348B)
<!DOCTYPE html>
<!--
This test was procedurally generated. Please do not modify it directly.
Sources:
- fetch/metadata/tools/fetch-metadata.conf.yml
- fetch/metadata/tools/templates/element-embed.sub.html

What it checks: which Fetch Metadata request headers (sec-fetch-site,
sec-fetch-mode, sec-fetch-dest, sec-fetch-user, sec-fetch-storage-access)
accompany the request an "embed" element makes for its source, depending on
whether the destination is reached over plain HTTP or HTTPS.

Reviewer note for server-side consumers of these headers: the assertions
below expect the headers to be absent on requests to non-trustworthy (HTTP)
destinations, so a policy that filters on them has to decide explicitly what
to do when a header is missing. Absence is not evidence of a same-origin
request.
-->
<html lang="en">
<meta charset="utf-8">
<title>HTTP headers on request for HTML "embed" element source</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/fetch/metadata/resources/helper.sub.js"></script>
<body>
<script>
'use strict';

// Response description handed to makeRequestURL() with every request: a
// small SVG document and its MIME type. Presumably this is what the
// recording endpoint answers with, so that the embed element fires "load";
// confirm against helper.sub.js.
const params = {
  body: `
      <svg xmlns="http://www.w3.org/2000/svg" width="123" height="123">
        <rect fill="lime" width="123" height="123"/>
      </svg>
  `,
  mime: 'image/svg+xml'
};

/**
 * Trigger a request for `url` by inserting an "embed" element into the
 * document body.
 *
 * @param {object} t - testharness.js test object; the element is removed
 *     again through its cleanup hook.
 * @param {string} url - value for the element's "src" attribute.
 * @returns {Promise} settles when the element fires "load". Nothing rejects
 *     it, so a resource that never loads ends in a harness timeout rather
 *     than an assertion failure.
 */
function induceRequest(t, url) {
  const element = document.createElement('embed');
  element.setAttribute('src', url);
  document.body.appendChild(element);

  t.add_cleanup(() => element.remove());

  return new Promise((resolve) => {
    element.addEventListener('load', resolve);
  });
}

// Shape shared by every test below:
//   1. take a request key from the uuid template placeholder. This is a
//      .sub.html file, so the placeholder is filled in before the page is
//      served. Each test carries its own occurrence and uses it for both the
//      request and the lookup; presumably every occurrence expands to a
//      different value, so do not hoist it into a shared constant.
//   2. issue the request through induceRequest();
//   3. retrieve(key) returns the headers recorded for that key, as an
//      object mapping lower-case header names to arrays of values;
//   4. assert on the presence or absence of one header.
// The second argument of makeRequestURL() names the origin(s) the request is
// routed through. Going by the test titles, a list with several entries is a
// chain of hops ending at the last entry; confirm against helper.sub.js.

// sec-fetch-site: omitted for plain-HTTP destinations.

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpOrigin'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-site');
}, 'sec-fetch-site - Not sent to non-trustworthy same-origin destination');

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpSameSite'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-site');
}, 'sec-fetch-site - Not sent to non-trustworthy same-site destination');

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpCrossSite'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-site');
}, 'sec-fetch-site - Not sent to non-trustworthy cross-site destination');

// sec-fetch-mode: omitted for plain-HTTP destinations.

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpOrigin'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-mode');
}, 'sec-fetch-mode - Not sent to non-trustworthy same-origin destination');

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpSameSite'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-mode');
}, 'sec-fetch-mode - Not sent to non-trustworthy same-site destination');

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpCrossSite'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-mode');
}, 'sec-fetch-mode - Not sent to non-trustworthy cross-site destination');

// sec-fetch-dest: omitted for plain-HTTP destinations.

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpOrigin'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-dest');
}, 'sec-fetch-dest - Not sent to non-trustworthy same-origin destination');

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpSameSite'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-dest');
}, 'sec-fetch-dest - Not sent to non-trustworthy same-site destination');

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpCrossSite'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-dest');
}, 'sec-fetch-dest - Not sent to non-trustworthy cross-site destination');

// sec-fetch-user: omitted for plain-HTTP destinations.

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpOrigin'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-user');
}, 'sec-fetch-user - Not sent to non-trustworthy same-origin destination');

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpSameSite'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-user');
}, 'sec-fetch-user - Not sent to non-trustworthy same-site destination');

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpCrossSite'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-user');
}, 'sec-fetch-user - Not sent to non-trustworthy cross-site destination');

// sec-fetch-storage-access: omitted for plain-HTTP destinations.

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpOrigin'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-storage-access');
}, 'sec-fetch-storage-access - Not sent to non-trustworthy same-origin destination');

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpSameSite'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-storage-access');
}, 'sec-fetch-storage-access - Not sent to non-trustworthy same-site destination');

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpCrossSite'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-storage-access');
}, 'sec-fetch-storage-access - Not sent to non-trustworthy cross-site destination');

// sec-fetch-site across scheme changes. The header is expected to be absent
// when the chain ends on HTTP, and present with the single value
// "cross-site" when it ends on HTTPS after an HTTP hop.

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpsOrigin', 'httpOrigin'], params));
  const recorded = await retrieve(requestKey);
  assert_not_own_property(recorded, 'sec-fetch-site');
}, 'sec-fetch-site - HTTPS downgrade (header not sent)');

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpOrigin', 'httpsOrigin'], params));
  const recorded = await retrieve(requestKey);
  assert_own_property(recorded, 'sec-fetch-site');
  assert_array_equals(recorded['sec-fetch-site'], ['cross-site']);
}, 'sec-fetch-site - HTTPS upgrade');

promise_test(async (t) => {
  const requestKey = '{{uuid()}}';

  await induceRequest(t, makeRequestURL(requestKey, ['httpsOrigin', 'httpOrigin', 'httpsOrigin'], params));
  const recorded = await retrieve(requestKey);
  assert_own_property(recorded, 'sec-fetch-site');
  assert_array_equals(recorded['sec-fetch-site'], ['cross-site']);
}, 'sec-fetch-site - HTTPS downgrade-upgrade');
</script>
</body>
</html>