window-history.sub.html (16005B)
1 <!DOCTYPE html> 2 <!-- 3 This test was procedurally generated. Please do not modify it directly. 4 Sources: 5 - fetch/metadata/tools/fetch-metadata.conf.yml 6 - fetch/metadata/tools/templates/window-history.sub.html 7 --> 8 <html lang="en"> 9 <meta charset="utf-8"> 10 <meta name="timeout" content="long"> 11 <title>HTTP headers on request for navigation via the HTML History API</title> 12 <script src="/resources/testharness.js"></script> 13 <script src="/resources/testharnessreport.js"></script> 14 <script src="/fetch/metadata/resources/helper.sub.js"></script> 15 <body> 16 <script> 17 'use strict'; 18 19 const whenDone = (win) => { 20 return new Promise((resolve) => { 21 addEventListener('message', function handle(event) { 22 if (event.source === win) { 23 resolve(); 24 removeEventListener('message', handle); 25 } 26 }); 27 }) 28 }; 29 30 /** 31 * Prime the UA's session history such that the location of the request is 32 * immediately behind the current entry. Because the location may not be 33 * same-origin with the current browsing context, this must be done via a 34 * true navigation and not, e.g. the `history.pushState` API. The initial 35 * navigation will alter the WPT server's internal state; in order to avoid 36 * false positives, clear that state prior to initiating the second 37 * navigation via `history.back`. 38 */ 39 function induceBackRequest(url, test, clear) { 40 const win = window.open(url); 41 42 test.add_cleanup(() => win.close()); 43 44 return whenDone(win) 45 .then(clear) 46 .then(() => win.history.back()) 47 .then(() => whenDone(win)); 48 } 49 50 /** 51 * Prime the UA's session history such that the location of the request is 52 * immediately ahead of the current entry. Because the location may not be 53 * same-origin with the current browsing context, this must be done via a 54 * true navigation and not, e.g. the `history.pushState` API. The initial 55 * navigation will alter the WPT server's internal state; in order to avoid 56 * false positives, clear that state prior to initiating the second 57 * navigation via `history.forward`. 58 */ 59 function induceForwardRequest(url, test, clear) { 60 const win = window.open(messageOpenerUrl); 61 62 test.add_cleanup(() => win.close()); 63 64 return whenDone(win) 65 .then(() => win.location = url) 66 .then(() => whenDone(win)) 67 .then(clear) 68 .then(() => win.history.go(-2)) 69 .then(() => whenDone(win)) 70 .then(() => win.history.forward()) 71 .then(() => whenDone(win)); 72 } 73 74 const messageOpenerUrl = new URL( 75 '/fetch/metadata/resources/message-opener.html', location 76 ); 77 // For these tests to function, replacement must *not* be enabled during 78 // navigation. Assignment must therefore take place after the document has 79 // completely loaded [1]. This event is not directly observable, but it is 80 // scheduled as a task immediately following the global object's `load` 81 // event [2]. By queuing a task during the dispatch of the `load` event, 82 // navigation can be consistently triggered without replacement. 83 // 84 // [1] https://html.spec.whatwg.org/multipage/history.html#location-object-setter-navigate 85 // [2] https://html.spec.whatwg.org/multipage/parsing.html#the-end 86 const responseParams = { 87 mime: 'text/html', 88 body: `<script> 89 window.addEventListener('load', () => { 90 set`+`Timeout(() => location.assign('${messageOpenerUrl}')); 91 }); 92 <`+`/script>` 93 }; 94 95 promise_test((t) => { 96 const key = '{{uuid()}}'; 97 const url = makeRequestURL(key, ['httpOrigin'], responseParams); 98 99 return induceBackRequest(url, t, () => retrieve(key)) 100 .then(() => retrieve(key)) 101 .then((headers) => { 102 assert_not_own_property(headers, 'sec-fetch-site'); 103 }); 104 }, 'sec-fetch-site - Not sent to non-trustworthy same-origin destination - history.back'); 105 106 promise_test((t) => { 107 const key = '{{uuid()}}'; 108 const url = makeRequestURL(key, ['httpOrigin'], responseParams); 109 110 return induceForwardRequest(url, t, () => retrieve(key)) 111 .then(() => retrieve(key)) 112 .then((headers) => { 113 assert_not_own_property(headers, 'sec-fetch-site'); 114 }); 115 }, 'sec-fetch-site - Not sent to non-trustworthy same-origin destination - history.forward'); 116 117 promise_test((t) => { 118 const key = '{{uuid()}}'; 119 const url = makeRequestURL(key, ['httpSameSite'], responseParams); 120 121 return induceBackRequest(url, t, () => retrieve(key)) 122 .then(() => retrieve(key)) 123 .then((headers) => { 124 assert_not_own_property(headers, 'sec-fetch-site'); 125 }); 126 }, 'sec-fetch-site - Not sent to non-trustworthy same-site destination - history.back'); 127 128 promise_test((t) => { 129 const key = '{{uuid()}}'; 130 const url = makeRequestURL(key, ['httpSameSite'], responseParams); 131 132 return induceForwardRequest(url, t, () => retrieve(key)) 133 .then(() => retrieve(key)) 134 .then((headers) => { 135 assert_not_own_property(headers, 'sec-fetch-site'); 136 }); 137 }, 'sec-fetch-site - Not sent to non-trustworthy same-site destination - history.forward'); 138 139 promise_test((t) => { 140 const key = '{{uuid()}}'; 141 const url = makeRequestURL(key, ['httpCrossSite'], responseParams); 142 143 return induceBackRequest(url, t, () => retrieve(key)) 144 .then(() => retrieve(key)) 145 .then((headers) => { 146 assert_not_own_property(headers, 'sec-fetch-site'); 147 }); 148 }, 'sec-fetch-site - Not sent to non-trustworthy cross-site destination - history.back'); 149 150 promise_test((t) => { 151 const key = '{{uuid()}}'; 152 const url = makeRequestURL(key, ['httpCrossSite'], responseParams); 153 154 return induceForwardRequest(url, t, () => retrieve(key)) 155 .then(() => retrieve(key)) 156 .then((headers) => { 157 assert_not_own_property(headers, 'sec-fetch-site'); 158 }); 159 }, 'sec-fetch-site - Not sent to non-trustworthy cross-site destination - history.forward'); 160 161 promise_test((t) => { 162 const key = '{{uuid()}}'; 163 const url = makeRequestURL(key, ['httpOrigin'], responseParams); 164 165 return induceBackRequest(url, t, () => retrieve(key)) 166 .then(() => retrieve(key)) 167 .then((headers) => { 168 assert_not_own_property(headers, 'sec-fetch-mode'); 169 }); 170 }, 'sec-fetch-mode - Not sent to non-trustworthy same-origin destination - history.back'); 171 172 promise_test((t) => { 173 const key = '{{uuid()}}'; 174 const url = makeRequestURL(key, ['httpOrigin'], responseParams); 175 176 return induceForwardRequest(url, t, () => retrieve(key)) 177 .then(() => retrieve(key)) 178 .then((headers) => { 179 assert_not_own_property(headers, 'sec-fetch-mode'); 180 }); 181 }, 'sec-fetch-mode - Not sent to non-trustworthy same-origin destination - history.forward'); 182 183 promise_test((t) => { 184 const key = '{{uuid()}}'; 185 const url = makeRequestURL(key, ['httpSameSite'], responseParams); 186 187 return induceBackRequest(url, t, () => retrieve(key)) 188 .then(() => retrieve(key)) 189 .then((headers) => { 190 assert_not_own_property(headers, 'sec-fetch-mode'); 191 }); 192 }, 'sec-fetch-mode - Not sent to non-trustworthy same-site destination - history.back'); 193 194 promise_test((t) => { 195 const key = '{{uuid()}}'; 196 const url = makeRequestURL(key, ['httpSameSite'], responseParams); 197 198 return induceForwardRequest(url, t, () => retrieve(key)) 199 .then(() => retrieve(key)) 200 .then((headers) => { 201 assert_not_own_property(headers, 'sec-fetch-mode'); 202 }); 203 }, 'sec-fetch-mode - Not sent to non-trustworthy same-site destination - history.forward'); 204 205 promise_test((t) => { 206 const key = '{{uuid()}}'; 207 const url = makeRequestURL(key, ['httpCrossSite'], responseParams); 208 209 return induceBackRequest(url, t, () => retrieve(key)) 210 .then(() => retrieve(key)) 211 .then((headers) => { 212 assert_not_own_property(headers, 'sec-fetch-mode'); 213 }); 214 }, 'sec-fetch-mode - Not sent to non-trustworthy cross-site destination - history.back'); 215 216 promise_test((t) => { 217 const key = '{{uuid()}}'; 218 const url = makeRequestURL(key, ['httpCrossSite'], responseParams); 219 220 return induceForwardRequest(url, t, () => retrieve(key)) 221 .then(() => retrieve(key)) 222 .then((headers) => { 223 assert_not_own_property(headers, 'sec-fetch-mode'); 224 }); 225 }, 'sec-fetch-mode - Not sent to non-trustworthy cross-site destination - history.forward'); 226 227 promise_test((t) => { 228 const key = '{{uuid()}}'; 229 const url = makeRequestURL(key, ['httpOrigin'], responseParams); 230 231 return induceBackRequest(url, t, () => retrieve(key)) 232 .then(() => retrieve(key)) 233 .then((headers) => { 234 assert_not_own_property(headers, 'sec-fetch-dest'); 235 }); 236 }, 'sec-fetch-dest - Not sent to non-trustworthy same-origin destination - history.back'); 237 238 promise_test((t) => { 239 const key = '{{uuid()}}'; 240 const url = makeRequestURL(key, ['httpOrigin'], responseParams); 241 242 return induceForwardRequest(url, t, () => retrieve(key)) 243 .then(() => retrieve(key)) 244 .then((headers) => { 245 assert_not_own_property(headers, 'sec-fetch-dest'); 246 }); 247 }, 'sec-fetch-dest - Not sent to non-trustworthy same-origin destination - history.forward'); 248 249 promise_test((t) => { 250 const key = '{{uuid()}}'; 251 const url = makeRequestURL(key, ['httpSameSite'], responseParams); 252 253 return induceBackRequest(url, t, () => retrieve(key)) 254 .then(() => retrieve(key)) 255 .then((headers) => { 256 assert_not_own_property(headers, 'sec-fetch-dest'); 257 }); 258 }, 'sec-fetch-dest - Not sent to non-trustworthy same-site destination - history.back'); 259 260 promise_test((t) => { 261 const key = '{{uuid()}}'; 262 const url = makeRequestURL(key, ['httpSameSite'], responseParams); 263 264 return induceForwardRequest(url, t, () => retrieve(key)) 265 .then(() => retrieve(key)) 266 .then((headers) => { 267 assert_not_own_property(headers, 'sec-fetch-dest'); 268 }); 269 }, 'sec-fetch-dest - Not sent to non-trustworthy same-site destination - history.forward'); 270 271 promise_test((t) => { 272 const key = '{{uuid()}}'; 273 const url = makeRequestURL(key, ['httpCrossSite'], responseParams); 274 275 return induceBackRequest(url, t, () => retrieve(key)) 276 .then(() => retrieve(key)) 277 .then((headers) => { 278 assert_not_own_property(headers, 'sec-fetch-dest'); 279 }); 280 }, 'sec-fetch-dest - Not sent to non-trustworthy cross-site destination - history.back'); 281 282 promise_test((t) => { 283 const key = '{{uuid()}}'; 284 const url = makeRequestURL(key, ['httpCrossSite'], responseParams); 285 286 return induceForwardRequest(url, t, () => retrieve(key)) 287 .then(() => retrieve(key)) 288 .then((headers) => { 289 assert_not_own_property(headers, 'sec-fetch-dest'); 290 }); 291 }, 'sec-fetch-dest - Not sent to non-trustworthy cross-site destination - history.forward'); 292 293 promise_test((t) => { 294 const key = '{{uuid()}}'; 295 const url = makeRequestURL(key, ['httpOrigin'], responseParams); 296 297 return induceBackRequest(url, t, () => retrieve(key)) 298 .then(() => retrieve(key)) 299 .then((headers) => { 300 assert_not_own_property(headers, 'sec-fetch-user'); 301 }); 302 }, 'sec-fetch-user - Not sent to non-trustworthy same-origin destination - history.back'); 303 304 promise_test((t) => { 305 const key = '{{uuid()}}'; 306 const url = makeRequestURL(key, ['httpOrigin'], responseParams); 307 308 return induceForwardRequest(url, t, () => retrieve(key)) 309 .then(() => retrieve(key)) 310 .then((headers) => { 311 assert_not_own_property(headers, 'sec-fetch-user'); 312 }); 313 }, 'sec-fetch-user - Not sent to non-trustworthy same-origin destination - history.forward'); 314 315 promise_test((t) => { 316 const key = '{{uuid()}}'; 317 const url = makeRequestURL(key, ['httpSameSite'], responseParams); 318 319 return induceBackRequest(url, t, () => retrieve(key)) 320 .then(() => retrieve(key)) 321 .then((headers) => { 322 assert_not_own_property(headers, 'sec-fetch-user'); 323 }); 324 }, 'sec-fetch-user - Not sent to non-trustworthy same-site destination - history.back'); 325 326 promise_test((t) => { 327 const key = '{{uuid()}}'; 328 const url = makeRequestURL(key, ['httpSameSite'], responseParams); 329 330 return induceForwardRequest(url, t, () => retrieve(key)) 331 .then(() => retrieve(key)) 332 .then((headers) => { 333 assert_not_own_property(headers, 'sec-fetch-user'); 334 }); 335 }, 'sec-fetch-user - Not sent to non-trustworthy same-site destination - history.forward'); 336 337 promise_test((t) => { 338 const key = '{{uuid()}}'; 339 const url = makeRequestURL(key, ['httpCrossSite'], responseParams); 340 341 return induceBackRequest(url, t, () => retrieve(key)) 342 .then(() => retrieve(key)) 343 .then((headers) => { 344 assert_not_own_property(headers, 'sec-fetch-user'); 345 }); 346 }, 'sec-fetch-user - Not sent to non-trustworthy cross-site destination - history.back'); 347 348 promise_test((t) => { 349 const key = '{{uuid()}}'; 350 const url = makeRequestURL(key, ['httpCrossSite'], responseParams); 351 352 return induceForwardRequest(url, t, () => retrieve(key)) 353 .then(() => retrieve(key)) 354 .then((headers) => { 355 assert_not_own_property(headers, 'sec-fetch-user'); 356 }); 357 }, 'sec-fetch-user - Not sent to non-trustworthy cross-site destination - history.forward'); 358 359 promise_test((t) => { 360 const key = '{{uuid()}}'; 361 const url = makeRequestURL(key, ['httpOrigin'], responseParams); 362 363 return induceBackRequest(url, t, () => retrieve(key)) 364 .then(() => retrieve(key)) 365 .then((headers) => { 366 assert_not_own_property(headers, 'sec-fetch-storage-access'); 367 }); 368 }, 'sec-fetch-storage-access - Not sent to non-trustworthy same-origin destination - history.back'); 369 370 promise_test((t) => { 371 const key = '{{uuid()}}'; 372 const url = makeRequestURL(key, ['httpOrigin'], responseParams); 373 374 return induceForwardRequest(url, t, () => retrieve(key)) 375 .then(() => retrieve(key)) 376 .then((headers) => { 377 assert_not_own_property(headers, 'sec-fetch-storage-access'); 378 }); 379 }, 'sec-fetch-storage-access - Not sent to non-trustworthy same-origin destination - history.forward'); 380 381 promise_test((t) => { 382 const key = '{{uuid()}}'; 383 const url = makeRequestURL(key, ['httpSameSite'], responseParams); 384 385 return induceBackRequest(url, t, () => retrieve(key)) 386 .then(() => retrieve(key)) 387 .then((headers) => { 388 assert_not_own_property(headers, 'sec-fetch-storage-access'); 389 }); 390 }, 'sec-fetch-storage-access - Not sent to non-trustworthy same-site destination - history.back'); 391 392 promise_test((t) => { 393 const key = '{{uuid()}}'; 394 const url = makeRequestURL(key, ['httpSameSite'], responseParams); 395 396 return induceForwardRequest(url, t, () => retrieve(key)) 397 .then(() => retrieve(key)) 398 .then((headers) => { 399 assert_not_own_property(headers, 'sec-fetch-storage-access'); 400 }); 401 }, 'sec-fetch-storage-access - Not sent to non-trustworthy same-site destination - history.forward'); 402 403 promise_test((t) => { 404 const key = '{{uuid()}}'; 405 const url = makeRequestURL(key, ['httpCrossSite'], responseParams); 406 407 return induceBackRequest(url, t, () => retrieve(key)) 408 .then(() => retrieve(key)) 409 .then((headers) => { 410 assert_not_own_property(headers, 'sec-fetch-storage-access'); 411 }); 412 }, 'sec-fetch-storage-access - Not sent to non-trustworthy cross-site destination - history.back'); 413 414 promise_test((t) => { 415 const key = '{{uuid()}}'; 416 const url = makeRequestURL(key, ['httpCrossSite'], responseParams); 417 418 return induceForwardRequest(url, t, () => retrieve(key)) 419 .then(() => retrieve(key)) 420 .then((headers) => { 421 assert_not_own_property(headers, 'sec-fetch-storage-access'); 422 }); 423 }, 'sec-fetch-storage-access - Not sent to non-trustworthy cross-site destination - history.forward'); 424 </script> 425 </body> 426 </html>