form-submission.sub.html (17799B)
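<!DOCTYPE html>
<!--
This test was procedurally generated. Please do not modify it directly.
Sources:
- fetch/metadata/tools/fetch-metadata.conf.yml
- fetch/metadata/tools/templates/form-submission.sub.html
-->
<html lang="en">
  <meta charset="utf-8">
  <meta name="timeout" content="long">
  <title>HTTP headers on request for HTML form navigation</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="/fetch/metadata/resources/helper.sub.js"></script>
  <body>
  <script>
  'use strict';

  // What this file pins down: for navigations caused by submitting an HTML
  // form, the Fetch Metadata request headers (sec-fetch-*) are absent when the
  // request goes to a destination the test names call "non-trustworthy", and
  // sec-fetch-site is exactly 'cross-site' for the "HTTPS upgrade" and
  // "HTTPS downgrade-upgrade" cases. A server-side policy keyed on these
  // headers therefore has to decide explicitly what to do when they are
  // missing, because the cases below expect the browser to omit them.
  //
  // Each test keeps its own literal '{{uuid()}}'. The ".sub.html" name suggests
  // the server substitutes every occurrence separately (TODO confirm), so the
  // tests must not be folded into a loop that would share one key.
  //
  // NOTE(review): induceRequest below differs from the generated output (the
  // message listener is removed, cleanup also runs on failure, a failed
  // open() is reported). The same change belongs in the template named in the
  // header comment, otherwise regeneration will drop it.

  /**
   * Submit a form that navigates a freshly opened auxiliary window to `url`
   * and wait until the document loaded there posts a message back.
   *
   * @param {string} method - form method, 'GET' or 'POST' in this file
   * @param {string} url - form action; its query parameters are copied into
   *     hidden inputs
   * @param {boolean} userActivated - when true the submit button is clicked
   *     through test_driver, otherwise through a scripted click()
   * @returns {Promise<undefined>} settles after the form has been removed and
   *     the auxiliary window closed
   */
  function induceRequest(method, url, userActivated) {
    // The name only has to be unique within this page; it is not a secret.
    const windowName = String(Math.random());
    const win = open('about:blank', windowName);

    // A blocked popup would otherwise surface only as a harness timeout.
    if (!win) {
      return Promise.reject(
          new Error('Unable to open the auxiliary window for the form submission'));
    }

    const form = document.createElement('form');
    const submit = document.createElement('input');
    submit.setAttribute('type', 'submit');
    form.appendChild(submit);
    form.setAttribute('method', method);
    form.setAttribute('action', url);
    form.setAttribute('target', windowName);
    document.body.appendChild(form);

    // Query parameters must be expressed as form values so that they are sent
    // with the submission of forms whose method is POST.
    for (const [name, value] of new URL(url, location.origin).searchParams) {
      const input = document.createElement('input');
      input.setAttribute('type', 'hidden');
      input.setAttribute('name', name);
      input.setAttribute('value', value);
      form.appendChild(input);
    }

    let onMessage;

    return new Promise((resolve) => {
        // Only a message whose source is the window opened above counts;
        // messages from windows opened by other tests are ignored.
        onMessage = (event) => {
          if (event.source === win) {
            resolve();
          }
        };
        addEventListener('message', onMessage);

        if (userActivated) {
          // test_driver is not pulled in by a script tag visible in this
          // file; every call below passes userActivated = false.
          test_driver.click(submit);
        } else {
          submit.click();
        }
      })
      .finally(() => {
        // Without this, every test would leave its listener registered on the
        // page for the rest of the run.
        removeEventListener('message', onMessage);
        form.remove();
        win.close();
      });
  }

  // Parameters for the response document loaded in the auxiliary window. The
  // '*' target origin is acceptable here because the payload is the constant
  // string 'done' and the receiver checks event.source. The `${''}` split keeps
  // the HTML parser from treating the literal as the end of this script
  // element.
  const responseParams = {
    mime: 'text/html',
    body: `<script>opener.postMessage('done', '*')</${''}script>`
  };

  // NOTE(review): the second argument of makeRequestURL looks like the chain
  // of origins the request passes through, ending at the final destination -
  // confirm against /fetch/metadata/resources/helper.sub.js.

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-site');
        });
  }, 'sec-fetch-site - Not sent to non-trustworthy same-origin destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-site');
        });
  }, 'sec-fetch-site - Not sent to non-trustworthy same-origin destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-site');
        });
  }, 'sec-fetch-site - Not sent to non-trustworthy same-site destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-site');
        });
  }, 'sec-fetch-site - Not sent to non-trustworthy same-site destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-site');
        });
  }, 'sec-fetch-site - Not sent to non-trustworthy cross-site destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-site');
        });
  }, 'sec-fetch-site - Not sent to non-trustworthy cross-site destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-mode');
        });
  }, 'sec-fetch-mode - Not sent to non-trustworthy same-origin destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-mode');
        });
  }, 'sec-fetch-mode - Not sent to non-trustworthy same-origin destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-mode');
        });
  }, 'sec-fetch-mode - Not sent to non-trustworthy same-site destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-mode');
        });
  }, 'sec-fetch-mode - Not sent to non-trustworthy same-site destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-mode');
        });
  }, 'sec-fetch-mode - Not sent to non-trustworthy cross-site destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-mode');
        });
  }, 'sec-fetch-mode - Not sent to non-trustworthy cross-site destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-dest');
        });
  }, 'sec-fetch-dest - Not sent to non-trustworthy same-origin destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-dest');
        });
  }, 'sec-fetch-dest - Not sent to non-trustworthy same-origin destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-dest');
        });
  }, 'sec-fetch-dest - Not sent to non-trustworthy same-site destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-dest');
        });
  }, 'sec-fetch-dest - Not sent to non-trustworthy same-site destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-dest');
        });
  }, 'sec-fetch-dest - Not sent to non-trustworthy cross-site destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-dest');
        });
  }, 'sec-fetch-dest - Not sent to non-trustworthy cross-site destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-user');
        });
  }, 'sec-fetch-user - Not sent to non-trustworthy same-origin destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-user');
        });
  }, 'sec-fetch-user - Not sent to non-trustworthy same-origin destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-user');
        });
  }, 'sec-fetch-user - Not sent to non-trustworthy same-site destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-user');
        });
  }, 'sec-fetch-user - Not sent to non-trustworthy same-site destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-user');
        });
  }, 'sec-fetch-user - Not sent to non-trustworthy cross-site destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-user');
        });
  }, 'sec-fetch-user - Not sent to non-trustworthy cross-site destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-storage-access');
        });
  }, 'sec-fetch-storage-access - Not sent to non-trustworthy same-origin destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-storage-access');
        });
  }, 'sec-fetch-storage-access - Not sent to non-trustworthy same-origin destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-storage-access');
        });
  }, 'sec-fetch-storage-access - Not sent to non-trustworthy same-site destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-storage-access');
        });
  }, 'sec-fetch-storage-access - Not sent to non-trustworthy same-site destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-storage-access');
        });
  }, 'sec-fetch-storage-access - Not sent to non-trustworthy cross-site destination - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-storage-access');
        });
  }, 'sec-fetch-storage-access - Not sent to non-trustworthy cross-site destination - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpsOrigin', 'httpOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-site');
        });
  }, 'sec-fetch-site - HTTPS downgrade (header not sent) - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpsOrigin', 'httpOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_not_own_property(headers, 'sec-fetch-site');
        });
  }, 'sec-fetch-site - HTTPS downgrade (header not sent) - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpOrigin', 'httpsOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_own_property(headers, 'sec-fetch-site');
          assert_array_equals(headers['sec-fetch-site'], ['cross-site']);
        });
  }, 'sec-fetch-site - HTTPS upgrade - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpOrigin', 'httpsOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_own_property(headers, 'sec-fetch-site');
          assert_array_equals(headers['sec-fetch-site'], ['cross-site']);
        });
  }, 'sec-fetch-site - HTTPS upgrade - POST');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpsOrigin', 'httpOrigin', 'httpsOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('GET', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_own_property(headers, 'sec-fetch-site');
          assert_array_equals(headers['sec-fetch-site'], ['cross-site']);
        });
  }, 'sec-fetch-site - HTTPS downgrade-upgrade - GET');

  promise_test(() => {
    const key = '{{uuid()}}';
    const url = makeRequestURL(key, ['httpsOrigin', 'httpOrigin', 'httpsOrigin'], responseParams);
    const userActivated = false;
    return induceRequest('POST', url, userActivated)
      .then(() => retrieve(key))
      .then((headers) => {
          assert_own_property(headers, 'sec-fetch-site');
          assert_array_equals(headers['sec-fetch-site'], ['cross-site']);
        });
  }, 'sec-fetch-site - HTTPS downgrade-upgrade - POST');
  </script>
  </body>
</html>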