fetch-metadata.conf.yml (34270B)
1 --- 2 templates: templates 3 output_directory: ../generated 4 cases: 5 - all_subtests: 6 expected: NULL 7 filename_flags: [] 8 common_axis: 9 - headerName: sec-fetch-site 10 origins: [httpOrigin] 11 description: Not sent to non-trustworthy same-origin destination 12 - headerName: sec-fetch-site 13 origins: [httpSameSite] 14 description: Not sent to non-trustworthy same-site destination 15 - headerName: sec-fetch-site 16 origins: [httpCrossSite] 17 description: Not sent to non-trustworthy cross-site destination 18 - headerName: sec-fetch-mode 19 origins: [httpOrigin] 20 description: Not sent to non-trustworthy same-origin destination 21 - headerName: sec-fetch-mode 22 origins: [httpSameSite] 23 description: Not sent to non-trustworthy same-site destination 24 - headerName: sec-fetch-mode 25 origins: [httpCrossSite] 26 description: Not sent to non-trustworthy cross-site destination 27 - headerName: sec-fetch-dest 28 origins: [httpOrigin] 29 description: Not sent to non-trustworthy same-origin destination 30 - headerName: sec-fetch-dest 31 origins: [httpSameSite] 32 description: Not sent to non-trustworthy same-site destination 33 - headerName: sec-fetch-dest 34 origins: [httpCrossSite] 35 description: Not sent to non-trustworthy cross-site destination 36 - headerName: sec-fetch-user 37 origins: [httpOrigin] 38 description: Not sent to non-trustworthy same-origin destination 39 - headerName: sec-fetch-user 40 origins: [httpSameSite] 41 description: Not sent to non-trustworthy same-site destination 42 - headerName: sec-fetch-user 43 origins: [httpCrossSite] 44 description: Not sent to non-trustworthy cross-site destination 45 - headerName: sec-fetch-storage-access 46 origins: [httpOrigin] 47 description: Not sent to non-trustworthy same-origin destination 48 - headerName: sec-fetch-storage-access 49 origins: [httpSameSite] 50 description: Not sent to non-trustworthy same-site destination 51 - headerName: sec-fetch-storage-access 52 origins: [httpCrossSite] 53 description: Not sent to non-trustworthy cross-site destination 54 template_axes: 55 # The `AudioWorklet` interface is only available in secure contexts 56 # https://webaudio.github.io/web-audio-api/#AudioWorklet 57 audioworklet.https.sub.html: [] 58 # Service workers are only available in secure context 59 fetch-via-serviceworker.https.sub.html: [] 60 # Service workers are only available in secure context 61 serviceworker.https.sub.html: [] 62 63 css-images.sub.html: 64 - filename_flags: [tentative] 65 css-font-face.sub.html: 66 - filename_flags: [tentative] 67 element-a.sub.html: [{}] 68 element-area.sub.html: [{}] 69 element-audio.sub.html: [{}] 70 element-embed.sub.html: [{}] 71 element-frame.sub.html: [{}] 72 element-iframe.sub.html: [{}] 73 element-img.sub.html: 74 - sourceAttr: src 75 - sourceAttr: srcset 76 element-img-environment-change.sub.html: [{}] 77 element-input-image.sub.html: [{}] 78 element-link-icon.sub.html: [{}] 79 element-link-prefetch.optional.sub.html: [{}] 80 element-meta-refresh.optional.sub.html: [{}] 81 element-picture.sub.html: [{}] 82 element-script.sub.html: 83 - {} 84 - elementAttrs: { type: module } 85 element-video.sub.html: [{}] 86 element-video-poster.sub.html: [{}] 87 fetch.sub.html: [{}] 88 form-submission.sub.html: 89 - method: GET 90 - method: POST 91 header-link.sub.html: 92 - rel: icon 93 - rel: stylesheet 94 header-refresh.optional.sub.html: [{}] 95 window-location.sub.html: [{}] 96 script-module-import-dynamic.sub.html: [{}] 97 script-module-import-static.sub.html: [{}] 98 script-json-module-import-static.sub.html: [{}] 99 svg-image.sub.html: [{}] 100 window-history.sub.html: [{}] 101 worker-dedicated-importscripts.sub.html: [{}] 102 # `new Worker()` only makes same-origin requests, therefore we split it 103 # out into the next block. 104 worker-dedicated-constructor.sub.html: [] 105 106 - all_subtests: 107 expected: NULL 108 filename_flags: [] 109 common_axis: 110 - headerName: sec-fetch-site 111 origins: [httpOrigin] 112 description: Not sent to non-trustworthy same-origin destination 113 - headerName: sec-fetch-mode 114 origins: [httpOrigin] 115 description: Not sent to non-trustworthy same-origin destination 116 - headerName: sec-fetch-dest 117 origins: [httpOrigin] 118 description: Not sent to non-trustworthy same-origin destination 119 - headerName: sec-fetch-user 120 origins: [httpOrigin] 121 description: Not sent to non-trustworthy same-origin destination 122 - headerName: sec-fetch-storage-access 123 origins: [httpOrigin] 124 description: Not sent to non-trustworthy same-origin destination 125 template_axes: 126 # All the templates in this block are unused with the exception of 127 # `worker-dedicated-constructor` 128 audioworklet.https.sub.html: [] 129 fetch-via-serviceworker.https.sub.html: [] 130 serviceworker.https.sub.html: [] 131 css-images.sub.html: [] 132 css-font-face.sub.html: [] 133 element-a.sub.html: [] 134 element-area.sub.html: [] 135 element-audio.sub.html: [] 136 element-embed.sub.html: [] 137 element-frame.sub.html: [] 138 element-iframe.sub.html: [] 139 element-img.sub.html: [] 140 element-img-environment-change.sub.html: [] 141 element-input-image.sub.html: [] 142 element-link-icon.sub.html: [] 143 element-link-prefetch.optional.sub.html: [] 144 element-meta-refresh.optional.sub.html: [] 145 element-picture.sub.html: [] 146 element-script.sub.html: [] 147 element-video.sub.html: [] 148 element-video-poster.sub.html: [] 149 fetch.sub.html: [] 150 form-submission.sub.html: [] 151 header-link.sub.html: [] 152 header-refresh.optional.sub.html: [] 153 window-location.sub.html: [] 154 script-module-import-dynamic.sub.html: [] 155 script-module-import-static.sub.html: [] 156 script-json-module-import-static.sub.html: [] 157 svg-image.sub.html: [] 158 window-history.sub.html: [] 159 worker-dedicated-importscripts.sub.html: [] 160 # `new Worker()` only makes same-origin requests, so we populate its 161 # generated tests here. 162 worker-dedicated-constructor.sub.html: [{}] 163 164 # Sec-Fetch-Site - direct requests 165 - all_subtests: 166 headerName: sec-fetch-site 167 filename_flags: [https] 168 common_axis: 169 - description: Same origin 170 origins: [httpsOrigin] 171 expected: same-origin 172 - description: Cross-site 173 origins: [httpsCrossSite] 174 expected: cross-site 175 - description: Same site 176 origins: [httpsSameSite] 177 expected: same-site 178 template_axes: 179 # Unused 180 # - the request mode of all "classic" worker scripts is set to 181 # "same-origin" 182 # https://html.spec.whatwg.org/#fetch-a-classic-worker-script 183 # - the request mode of all "top-level "module" worker scripts is set to 184 # "same-origin": 185 # https://html.spec.whatwg.org/#fetch-a-single-module-script 186 worker-dedicated-constructor.sub.html: [] 187 188 audioworklet.https.sub.html: [{}] 189 css-images.sub.html: 190 - filename_flags: [tentative] 191 css-font-face.sub.html: 192 - filename_flags: [tentative] 193 element-a.sub.html: [{}] 194 element-area.sub.html: [{}] 195 element-audio.sub.html: [{}] 196 element-embed.sub.html: [{}] 197 element-frame.sub.html: [{}] 198 element-iframe.sub.html: [{}] 199 element-img.sub.html: 200 - sourceAttr: src 201 - sourceAttr: srcset 202 element-img-environment-change.sub.html: [{}] 203 element-input-image.sub.html: [{}] 204 element-link-icon.sub.html: [{}] 205 element-link-prefetch.optional.sub.html: [{}] 206 element-meta-refresh.optional.sub.html: [{}] 207 element-picture.sub.html: [{}] 208 element-script.sub.html: 209 - {} 210 - elementAttrs: { type: module } 211 element-video.sub.html: [{}] 212 element-video-poster.sub.html: [{}] 213 fetch.sub.html: [{ init: { mode: no-cors } }] 214 fetch-via-serviceworker.https.sub.html: [{ init: { mode: no-cors } }] 215 form-submission.sub.html: 216 - method: GET 217 - method: POST 218 header-link.sub.html: 219 - rel: icon 220 - rel: stylesheet 221 header-refresh.optional.sub.html: [{}] 222 window-location.sub.html: [{}] 223 script-module-import-dynamic.sub.html: [{}] 224 script-module-import-static.sub.html: [{}] 225 script-json-module-import-static.sub.html: [{}] 226 serviceworker.https.sub.html: [{}] 227 svg-image.sub.html: [{}] 228 window-history.sub.html: [{}] 229 worker-dedicated-importscripts.sub.html: [{}] 230 231 # Sec-Fetch-Site - redirection from HTTP 232 - all_subtests: 233 headerName: sec-fetch-site 234 filename_flags: [] 235 common_axis: 236 - description: HTTPS downgrade (header not sent) 237 origins: [httpsOrigin, httpOrigin] 238 expected: NULL 239 - description: HTTPS upgrade 240 origins: [httpOrigin, httpsOrigin] 241 expected: cross-site 242 - description: HTTPS downgrade-upgrade 243 origins: [httpsOrigin, httpOrigin, httpsOrigin] 244 expected: cross-site 245 template_axes: 246 # Unused 247 # The `AudioWorklet` interface is only available in secure contexts 248 # https://webaudio.github.io/web-audio-api/#AudioWorklet 249 audioworklet.https.sub.html: [] 250 # Service workers are only available in secure context 251 fetch-via-serviceworker.https.sub.html: [] 252 # Service workers' redirect mode is "error" 253 serviceworker.https.sub.html: [] 254 # Interstitial locations in an HTTP redirect chain are not added to the 255 # session history, so these requests cannot be initiated using the 256 # History API. 257 window-history.sub.html: [] 258 # Unused 259 # - the request mode of all "classic" worker scripts is set to 260 # "same-origin" 261 # https://html.spec.whatwg.org/#fetch-a-classic-worker-script 262 # - the request mode of all "top-level "module" worker scripts is set to 263 # "same-origin": 264 # https://html.spec.whatwg.org/#fetch-a-single-module-script 265 worker-dedicated-constructor.sub.html: [] 266 267 css-images.sub.html: 268 - filename_flags: [tentative] 269 css-font-face.sub.html: 270 - filename_flags: [tentative] 271 element-a.sub.html: [{}] 272 element-area.sub.html: [{}] 273 element-audio.sub.html: [{}] 274 element-embed.sub.html: [{}] 275 element-frame.sub.html: [{}] 276 element-iframe.sub.html: [{}] 277 element-img.sub.html: 278 - sourceAttr: src 279 - sourceAttr: srcset 280 element-img-environment-change.sub.html: [{}] 281 element-input-image.sub.html: [{}] 282 element-link-icon.sub.html: [{}] 283 element-link-prefetch.optional.sub.html: [{}] 284 element-meta-refresh.optional.sub.html: [{}] 285 element-picture.sub.html: [{}] 286 element-script.sub.html: 287 - {} 288 - elementAttrs: { type: module } 289 element-video.sub.html: [{}] 290 element-video-poster.sub.html: [{}] 291 fetch.sub.html: [{}] 292 form-submission.sub.html: 293 - method: GET 294 - method: POST 295 header-link.sub.html: 296 - rel: icon 297 - rel: stylesheet 298 header-refresh.optional.sub.html: [{}] 299 window-location.sub.html: [{}] 300 script-module-import-dynamic.sub.html: [{}] 301 script-module-import-static.sub.html: [{}] 302 script-json-module-import-static.sub.html: [{}] 303 svg-image.sub.html: [{}] 304 worker-dedicated-importscripts.sub.html: [{}] 305 306 # Sec-Fetch-Site - redirection from HTTPS 307 - all_subtests: 308 headerName: sec-fetch-site 309 filename_flags: [https] 310 common_axis: 311 - description: Same-Origin -> Cross-Site -> Same-Origin redirect 312 origins: [httpsOrigin, httpsCrossSite, httpsOrigin] 313 expected: cross-site 314 - description: Same-Origin -> Same-Site -> Same-Origin redirect 315 origins: [httpsOrigin, httpsSameSite, httpsOrigin] 316 expected: same-site 317 - description: Cross-Site -> Same Origin 318 origins: [httpsCrossSite, httpsOrigin] 319 expected: cross-site 320 - description: Cross-Site -> Same-Site 321 origins: [httpsCrossSite, httpsSameSite] 322 expected: cross-site 323 - description: Cross-Site -> Cross-Site 324 origins: [httpsCrossSite, httpsCrossSite] 325 expected: cross-site 326 - description: Same-Origin -> Same Origin 327 origins: [httpsOrigin, httpsOrigin] 328 expected: same-origin 329 - description: Same-Origin -> Same-Site 330 origins: [httpsOrigin, httpsSameSite] 331 expected: same-site 332 - description: Same-Origin -> Cross-Site 333 origins: [httpsOrigin, httpsCrossSite] 334 expected: cross-site 335 - description: Same-Site -> Same Origin 336 origins: [httpsSameSite, httpsOrigin] 337 expected: same-site 338 - description: Same-Site -> Same-Site 339 origins: [httpsSameSite, httpsSameSite] 340 expected: same-site 341 - description: Same-Site -> Cross-Site 342 origins: [httpsSameSite, httpsCrossSite] 343 expected: cross-site 344 template_axes: 345 # Service Workers' redirect mode is "error" 346 serviceworker.https.sub.html: [] 347 # Interstitial locations in an HTTP redirect chain are not added to the 348 # session history, so these requests cannot be initiated using the 349 # History API. 350 window-history.sub.html: [] 351 # Unused 352 # - the request mode of all "classic" worker scripts is set to 353 # "same-origin" 354 # https://html.spec.whatwg.org/#fetch-a-classic-worker-script 355 # - the request mode of all "top-level "module" worker scripts is set to 356 # "same-origin": 357 # https://html.spec.whatwg.org/#fetch-a-single-module-script 358 worker-dedicated-constructor.sub.html: [] 359 360 audioworklet.https.sub.html: [{}] 361 css-images.sub.html: 362 - filename_flags: [tentative] 363 css-font-face.sub.html: 364 - filename_flags: [tentative] 365 element-a.sub.html: [{}] 366 element-area.sub.html: [{}] 367 element-audio.sub.html: [{}] 368 element-embed.sub.html: [{}] 369 element-frame.sub.html: [{}] 370 element-iframe.sub.html: [{}] 371 element-img.sub.html: 372 - sourceAttr: src 373 - sourceAttr: srcset 374 element-img-environment-change.sub.html: [{}] 375 element-input-image.sub.html: [{}] 376 element-link-icon.sub.html: [{}] 377 element-link-prefetch.optional.sub.html: [{}] 378 element-meta-refresh.optional.sub.html: [{}] 379 element-picture.sub.html: [{}] 380 element-script.sub.html: 381 - {} 382 - elementAttrs: { type: module } 383 element-video.sub.html: [{}] 384 element-video-poster.sub.html: [{}] 385 fetch.sub.html: [{ init: { mode: no-cors } }] 386 fetch-via-serviceworker.https.sub.html: [{ init: { mode: no-cors } }] 387 form-submission.sub.html: 388 - method: GET 389 - method: POST 390 header-link.sub.html: 391 - rel: icon 392 - rel: stylesheet 393 header-refresh.optional.sub.html: [{}] 394 window-location.sub.html: [{}] 395 script-module-import-dynamic.sub.html: [{}] 396 script-module-import-static.sub.html: [{}] 397 script-json-module-import-static.sub.html: [{}] 398 svg-image.sub.html: [{}] 399 worker-dedicated-importscripts.sub.html: [{}] 400 401 # Sec-Fetch-Site - redirection with mixed content 402 # These tests verify the effect that redirection has on the request's "site". 403 # The initial request must be made to a resource that is "same-site" with its 404 # origin. This avoids false positives because if the request were made to a 405 # cross-site resource, the value of "cross-site" would be assigned regardless 406 # of the subseqent redirection. 407 # 408 # Because these conditions necessarily warrant mixed content, only templates 409 # which can be configured to allow mixed content [1] can be used. 410 # 411 # [1] https://w3c.github.io/webappsec-mixed-content/#should-block-fetch 412 413 - common_axis: 414 - description: HTTPS downgrade-upgrade 415 headerName: sec-fetch-site 416 origins: [httpsOrigin, httpOrigin, httpsOrigin] 417 expected: cross-site 418 filename_flags: [https] 419 template_axes: 420 # Mixed Content considers only a small subset of requests as 421 # "optionally-blockable." These are the only requests that can be tested 422 # for the "downgrade-upgrade" scenario, so all other templates must be 423 # explicitly ignored. 424 audioworklet.https.sub.html: [] 425 css-font-face.sub.html: [] 426 element-embed.sub.html: [] 427 element-frame.sub.html: [] 428 element-iframe.sub.html: [] 429 element-img-environment-change.sub.html: [] 430 element-link-icon.sub.html: [] 431 element-link-prefetch.optional.sub.html: [] 432 element-picture.sub.html: [] 433 element-script.sub.html: [] 434 fetch.sub.html: [] 435 fetch-via-serviceworker.https.sub.html: [] 436 header-link.sub.html: [] 437 script-module-import-static.sub.html: [] 438 script-module-import-dynamic.sub.html: [] 439 script-json-module-import-static.sub.html: [] 440 # Service Workers' redirect mode is "error" 441 serviceworker.https.sub.html: [] 442 # Interstitial locations in an HTTP redirect chain are not added to the 443 # session history, so these requests cannot be initiated using the 444 # History API. 445 window-history.sub.html: [] 446 worker-dedicated-constructor.sub.html: [] 447 worker-dedicated-importscripts.sub.html: [] 448 # Avoid duplicate subtest for 'sec-fetch-site - HTTPS downgrade-upgrade' 449 css-images.sub.html: 450 - filename_flags: [tentative] 451 element-a.sub.html: [{}] 452 element-area.sub.html: [{}] 453 element-audio.sub.html: [{}] 454 element-img.sub.html: 455 # srcset omitted because it is not "optionally-blockable" 456 # https://w3c.github.io/webappsec-mixed-content/#category-optionally-blockable 457 - sourceAttr: src 458 element-input-image.sub.html: [{}] 459 element-meta-refresh.optional.sub.html: [{}] 460 element-video.sub.html: [{}] 461 element-video-poster.sub.html: [{}] 462 form-submission.sub.html: 463 - method: GET 464 - method: POST 465 header-refresh.optional.sub.html: [{}] 466 svg-image.sub.html: [{}] 467 window-location.sub.html: [{}] 468 469 # Sec-Fetch-Mode 470 # These tests are served over HTTPS so the induced requests will be both 471 # same-origin with the document [1] and a potentially-trustworthy URL [2]. 472 # 473 # [1] https://html.spec.whatwg.org/multipage/origin.html#same-origin 474 # [2] https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-url 475 - common_axis: 476 - headerName: sec-fetch-mode 477 filename_flags: [https] 478 origins: [] 479 template_axes: 480 audioworklet.https.sub.html: 481 # https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-single-module-script 482 - expected: cors 483 css-images.sub.html: 484 - expected: no-cors 485 filename_flags: [tentative] 486 css-font-face.sub.html: 487 - expected: cors 488 filename_flags: [tentative] 489 element-a.sub.html: 490 - expected: navigate 491 # https://html.spec.whatwg.org/multipage/links.html#downloading-hyperlinks 492 - elementAttrs: {download: ''} 493 expected: no-cors 494 element-area.sub.html: 495 - expected: navigate 496 # https://html.spec.whatwg.org/multipage/links.html#downloading-hyperlinks 497 - elementAttrs: {download: ''} 498 expected: no-cors 499 element-audio.sub.html: 500 - expected: no-cors 501 - expected: cors 502 elementAttrs: { crossorigin: '' } 503 - expected: cors 504 elementAttrs: { crossorigin: anonymous } 505 - expected: cors 506 elementAttrs: { crossorigin: use-credentials } 507 element-embed.sub.html: 508 - expected: no-cors 509 element-frame.sub.html: 510 - expected: navigate 511 element-iframe.sub.html: 512 - expected: navigate 513 element-img.sub.html: 514 - sourceAttr: src 515 expected: no-cors 516 - sourceAttr: src 517 expected: cors 518 elementAttrs: { crossorigin: '' } 519 - sourceAttr: src 520 expected: cors 521 elementAttrs: { crossorigin: anonymous } 522 - sourceAttr: src 523 expected: cors 524 elementAttrs: { crossorigin: use-credentials } 525 - sourceAttr: srcset 526 expected: no-cors 527 - sourceAttr: srcset 528 expected: cors 529 elementAttrs: { crossorigin: '' } 530 - sourceAttr: srcset 531 expected: cors 532 elementAttrs: { crossorigin: anonymous } 533 - sourceAttr: srcset 534 expected: cors 535 elementAttrs: { crossorigin: use-credentials } 536 element-img-environment-change.sub.html: 537 - expected: no-cors 538 - expected: cors 539 elementAttrs: { crossorigin: '' } 540 - expected: cors 541 elementAttrs: { crossorigin: anonymous } 542 - expected: cors 543 elementAttrs: { crossorigin: use-credentials } 544 element-input-image.sub.html: 545 - expected: no-cors 546 element-link-icon.sub.html: 547 - expected: no-cors 548 - expected: cors 549 elementAttrs: { crossorigin: '' } 550 - expected: cors 551 elementAttrs: { crossorigin: anonymous } 552 - expected: cors 553 elementAttrs: { crossorigin: use-credentials } 554 element-link-prefetch.optional.sub.html: 555 - expected: no-cors 556 - expected: cors 557 elementAttrs: { crossorigin: '' } 558 - expected: cors 559 elementAttrs: { crossorigin: anonymous } 560 - expected: cors 561 elementAttrs: { crossorigin: use-credentials } 562 element-meta-refresh.optional.sub.html: 563 - expected: navigate 564 element-picture.sub.html: 565 - expected: no-cors 566 - expected: cors 567 elementAttrs: { crossorigin: '' } 568 - expected: cors 569 elementAttrs: { crossorigin: anonymous } 570 - expected: cors 571 elementAttrs: { crossorigin: use-credentials } 572 element-script.sub.html: 573 - expected: no-cors 574 - expected: cors 575 elementAttrs: { type: module } 576 - expected: cors 577 elementAttrs: { crossorigin: '' } 578 - expected: cors 579 elementAttrs: { crossorigin: anonymous } 580 - expected: cors 581 elementAttrs: { crossorigin: use-credentials } 582 element-video.sub.html: 583 - expected: no-cors 584 - expected: cors 585 elementAttrs: { crossorigin: '' } 586 - expected: cors 587 elementAttrs: { crossorigin: anonymous } 588 - expected: cors 589 elementAttrs: { crossorigin: use-credentials } 590 element-video-poster.sub.html: 591 - expected: no-cors 592 fetch.sub.html: 593 - expected: cors 594 - expected: cors 595 init: { mode: cors } 596 - expected: no-cors 597 init: { mode: no-cors } 598 - expected: same-origin 599 init: { mode: same-origin } 600 fetch-via-serviceworker.https.sub.html: 601 - expected: cors 602 - expected: cors 603 init: { mode: cors } 604 - expected: no-cors 605 init: { mode: no-cors } 606 - expected: same-origin 607 init: { mode: same-origin } 608 form-submission.sub.html: 609 - method: GET 610 expected: navigate 611 - method: POST 612 expected: navigate 613 header-link.sub.html: 614 - rel: icon 615 expected: no-cors 616 - rel: stylesheet 617 expected: no-cors 618 header-refresh.optional.sub.html: 619 - expected: navigate 620 window-history.sub.html: 621 - expected: navigate 622 window-location.sub.html: 623 - expected: navigate 624 script-module-import-dynamic.sub.html: 625 - expected: cors 626 script-module-import-static.sub.html: 627 - expected: cors 628 script-json-module-import-static.sub.html: 629 - expected: cors 630 # https://svgwg.org/svg2-draft/linking.html#processingURL-fetch 631 svg-image.sub.html: 632 - expected: no-cors 633 - expected: cors 634 elementAttrs: { crossorigin: '' } 635 - expected: cors 636 elementAttrs: { crossorigin: anonymous } 637 - expected: cors 638 elementAttrs: { crossorigin: use-credentials } 639 serviceworker.https.sub.html: 640 - expected: same-origin 641 options: { type: 'classic' } 642 # https://github.com/whatwg/html/pull/5875 643 - expected: same-origin 644 worker-dedicated-constructor.sub.html: 645 - expected: same-origin 646 - options: { type: module } 647 expected: same-origin 648 worker-dedicated-importscripts.sub.html: 649 - expected: no-cors 650 651 # Sec-Fetch-Dest 652 - common_axis: 653 - headerName: sec-fetch-dest 654 filename_flags: [https] 655 origins: [] 656 template_axes: 657 audioworklet.https.sub.html: 658 # https://github.com/WebAudio/web-audio-api/issues/2203 659 - expected: audioworklet 660 css-images.sub.html: 661 - expected: image 662 filename_flags: [tentative] 663 css-font-face.sub.html: 664 - expected: font 665 filename_flags: [tentative] 666 element-a.sub.html: 667 - expected: document 668 # https://html.spec.whatwg.org/multipage/links.html#downloading-hyperlinks 669 - elementAttrs: {download: ''} 670 expected: empty 671 element-area.sub.html: 672 - expected: document 673 # https://html.spec.whatwg.org/multipage/links.html#downloading-hyperlinks 674 - elementAttrs: {download: ''} 675 expected: empty 676 element-audio.sub.html: 677 - expected: audio 678 element-embed.sub.html: 679 - expected: embed 680 element-frame.sub.html: 681 # https://github.com/whatwg/html/pull/4976 682 - expected: frame 683 element-iframe.sub.html: 684 # https://github.com/whatwg/html/pull/4976 685 - expected: iframe 686 element-img.sub.html: 687 - sourceAttr: src 688 expected: image 689 - sourceAttr: srcset 690 expected: image 691 element-img-environment-change.sub.html: 692 - expected: image 693 element-input-image.sub.html: 694 - expected: image 695 element-link-icon.sub.html: 696 - expected: empty 697 element-link-prefetch.optional.sub.html: 698 - expected: empty 699 - elementAttrs: { as: audio } 700 expected: audio 701 - elementAttrs: { as: document } 702 expected: document 703 - elementAttrs: { as: embed } 704 expected: embed 705 - elementAttrs: { as: fetch } 706 expected: fetch 707 - elementAttrs: { as: font } 708 expected: font 709 - elementAttrs: { as: image } 710 expected: image 711 - elementAttrs: { as: object } 712 expected: object 713 - elementAttrs: { as: script } 714 expected: script 715 - elementAttrs: { as: style } 716 expected: style 717 - elementAttrs: { as: track } 718 expected: track 719 - elementAttrs: { as: video } 720 expected: video 721 - elementAttrs: { as: worker } 722 expected: worker 723 element-meta-refresh.optional.sub.html: 724 - expected: document 725 element-picture.sub.html: 726 - expected: image 727 element-script.sub.html: 728 - expected: script 729 element-video.sub.html: 730 - expected: video 731 element-video-poster.sub.html: 732 - expected: image 733 fetch.sub.html: 734 - expected: empty 735 fetch-via-serviceworker.https.sub.html: 736 - expected: empty 737 form-submission.sub.html: 738 - method: GET 739 expected: document 740 - method: POST 741 expected: document 742 header-link.sub.html: 743 - rel: icon 744 expected: empty 745 - rel: stylesheet 746 filename_flags: [tentative] 747 expected: style 748 header-refresh.optional.sub.html: 749 - expected: document 750 window-history.sub.html: 751 - expected: document 752 window-location.sub.html: 753 - expected: document 754 script-module-import-dynamic.sub.html: 755 - expected: script 756 script-module-import-static.sub.html: 757 - expected: script 758 script-json-module-import-static.sub.html: 759 - expected: json 760 serviceworker.https.sub.html: 761 - expected: serviceworker 762 # Implemented as "image" in Chromium and Firefox, but specified as 763 # "empty" 764 # https://github.com/w3c/svgwg/issues/782 765 svg-image.sub.html: 766 - expected: empty 767 worker-dedicated-constructor.sub.html: 768 - expected: worker 769 - options: { type: module } 770 expected: worker 771 worker-dedicated-importscripts.sub.html: 772 - expected: script 773 774 # Sec-Fetch-User 775 - common_axis: 776 - headerName: sec-fetch-user 777 filename_flags: [https] 778 origins: [] 779 template_axes: 780 audioworklet.https.sub.html: 781 - expected: NULL 782 css-images.sub.html: 783 - expected: NULL 784 filename_flags: [tentative] 785 css-font-face.sub.html: 786 - expected: NULL 787 filename_flags: [tentative] 788 element-a.sub.html: 789 - expected: NULL 790 - userActivated: TRUE 791 expected: ?1 792 element-area.sub.html: 793 - expected: NULL 794 - userActivated: TRUE 795 expected: ?1 796 element-audio.sub.html: 797 - expected: NULL 798 element-embed.sub.html: 799 - expected: NULL 800 element-frame.sub.html: 801 - expected: NULL 802 - userActivated: TRUE 803 expected: ?1 804 element-iframe.sub.html: 805 - expected: NULL 806 - userActivated: TRUE 807 expected: ?1 808 element-img.sub.html: 809 - sourceAttr: src 810 expected: NULL 811 - sourceAttr: srcset 812 expected: NULL 813 element-img-environment-change.sub.html: 814 - expected: NULL 815 element-input-image.sub.html: 816 - expected: NULL 817 element-link-icon.sub.html: 818 - expected: NULL 819 element-link-prefetch.optional.sub.html: 820 - expected: NULL 821 element-meta-refresh.optional.sub.html: 822 - expected: NULL 823 element-picture.sub.html: 824 - expected: NULL 825 element-script.sub.html: 826 - expected: NULL 827 element-video.sub.html: 828 - expected: NULL 829 element-video-poster.sub.html: 830 - expected: NULL 831 fetch.sub.html: 832 - expected: NULL 833 fetch-via-serviceworker.https.sub.html: 834 - expected: NULL 835 form-submission.sub.html: 836 - method: GET 837 expected: NULL 838 - method: GET 839 userActivated: TRUE 840 expected: ?1 841 - method: POST 842 expected: NULL 843 - method: POST 844 userActivated: TRUE 845 expected: ?1 846 header-link.sub.html: 847 - rel: icon 848 expected: NULL 849 - rel: stylesheet 850 expected: NULL 851 header-refresh.optional.sub.html: 852 - expected: NULL 853 window-history.sub.html: 854 - expected: NULL 855 window-location.sub.html: 856 - expected: NULL 857 - userActivated: TRUE 858 expected: ?1 859 script-module-import-dynamic.sub.html: 860 - expected: NULL 861 script-module-import-static.sub.html: 862 - expected: NULL 863 script-json-module-import-static.sub.html: 864 - expected: NULL 865 serviceworker.https.sub.html: 866 - expected: NULL 867 svg-image.sub.html: 868 - expected: NULL 869 worker-dedicated-constructor.sub.html: 870 - expected: NULL 871 - options: { type: module } 872 expected: NULL 873 worker-dedicated-importscripts.sub.html: 874 - expected: NULL 875 # Sec-Fetch-Storage-Access 876 - all_subtests: 877 headerName: sec-fetch-storage-access 878 filename_flags: [https] 879 common_axis: 880 - description: Cross-site 881 origins: [httpsCrossSite] 882 expected: none 883 - description: Same site 884 origins: [httpsSameSite] 885 expected: NULL 886 template_axes: 887 # Service Workers' redirect mode is "error" 888 serviceworker.https.sub.html: [{}] 889 # Interstitial locations in an HTTP redirect chain are not added to the 890 # session history, so these requests cannot be initiated using the 891 # History API. 892 css-images.sub.html: 893 - filename_flags: [tentative] 894 element-audio.sub.html: [{}] 895 element-embed.sub.html: [{}] 896 element-frame.sub.html: [{}] 897 element-iframe.sub.html: [{}] 898 element-img.sub.html: 899 - sourceAttr: src 900 - sourceAttr: srcset 901 element-img-environment-change.sub.html: [{}] 902 element-input-image.sub.html: [{}] 903 element-link-icon.sub.html: [{}] 904 element-link-prefetch.optional.sub.html: [{}] 905 element-picture.sub.html: [{}] 906 element-script.sub.html: [{}] 907 element-video.sub.html: [{}] 908 element-video-poster.sub.html: [{}] 909 fetch.sub.html: [{ init: { mode: no-cors , credentials: include } }] 910 fetch-via-serviceworker.https.sub.html: [{ init: { mode: no-cors , credentials: include } }] 911 header-link.sub.html: 912 - rel: icon 913 - rel: stylesheet 914 svg-image.sub.html: [{}] 915 worker-dedicated-constructor.sub.html: [] 916 worker-dedicated-importscripts.sub.html: [{}] 917 # The following are cases where the Sec-Fetch-Storage-Access header should 918 # not be attached at all. 919 - all_subtests: 920 headerName: sec-fetch-storage-access 921 filename_flags: [https] 922 common_axis: 923 - description: Cross-site 924 origins: [httpsCrossSite] 925 expected: NULL 926 - description: Same site 927 origins: [httpsSameSite] 928 expected: NULL 929 template_axes: 930 audioworklet.https.sub.html: [{}] 931 css-font-face.sub.html: 932 - filename_flags: [tentative] 933 element-meta-refresh.optional.sub.html: [{}] 934 element-a.sub.html: [{}] 935 element-area.sub.html: [{}] 936 form-submission.sub.html: 937 - method: GET 938 - method: POST 939 header-refresh.optional.sub.html: [{}] 940 script-module-import-dynamic.sub.html: [{}] 941 script-module-import-static.sub.html: [{}] 942 window-history.sub.html: [{}] 943 window-location.sub.html: [{}]