tor-browser

modulepreload-inline-referrerpolicy.html (3927B)

---

<!DOCTYPE html>
<html>
<head>
<title>Modulepreload Inline Referrer Policy Tests</title>
<meta name="author" title="Google" href="https://www.google.com/">
<link rel="help" href="https://html.spec.whatwg.org/multipage/links.html#link-type-modulepreload">
<link rel="help" href="https://w3c.github.io/webappsec-referrer-policy/">
<meta name="assert" content="link rel=modulepreload respects the referrerpolicy attribute on inline elements">
<!--
 This test verifies that inline modulepreload elements (statically declared in HTML)
 correctly handle referrer policies. It tests:

 1. Default behavior (no referrerpolicy attribute) - should use origin or full URL depending on implementation
 2. origin referrerpolicy - should use only origin
 3. no-referrer referrerpolicy - should not send referrer
 4. Document-level referrer policy (via meta tag) - should be respected

 Unlike the other modulepreload referrer tests that create elements dynamically,
 this test uses inline link elements in the HTML.
-->
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>
// Initialize the window.referrers object that will be used by echo-referrer.py
window.referrers = {};

// Create unique IDs for each test
const noReferrerPolicyId = Date.now();
const originPolicyId = Date.now() + 1;
const noReferrerId = Date.now() + 2;
const originId = Date.now() + 3;
</script>

<!-- Test with no referrerpolicy attribute (should use document default) -->
<link rel="modulepreload" href="/preload/resources/echo-referrer.py?uid=NOPOLICY_ID">

<!-- Test with origin referrerpolicy attribute -->
<link rel="modulepreload" href="/preload/resources/echo-referrer.py?uid=ORIGIN_ID" referrerpolicy="origin">

<!-- Test with no-referrer referrerpolicy attribute -->
<link rel="modulepreload" href="/preload/resources/echo-referrer.py?uid=NOREFERRER_ID" referrerpolicy="no-referrer">

<!-- For document policy test, add meta tag for origin referrer policy -->
<meta name="referrer" content="origin">
<link rel="modulepreload" href="/preload/resources/echo-referrer.py?uid=DOC_POLICY_ID">

<script>
// Replace placeholder IDs with actual IDs in the HTML
document.documentElement.innerHTML = document.documentElement.innerHTML
 .replace('NOPOLICY_ID', noReferrerPolicyId)
 .replace('ORIGIN_ID', originPolicyId)
 .replace('NOREFERRER_ID', noReferrerId)
 .replace('DOC_POLICY_ID', originId);
</script>
</head>
<body>
<script>
// Ensure modules are loaded by importing them
promise_test(async t => {
 await Promise.all([
   import(`/preload/resources/echo-referrer.py?uid=${noReferrerPolicyId}`),
   import(`/preload/resources/echo-referrer.py?uid=${originPolicyId}`),
   import(`/preload/resources/echo-referrer.py?uid=${noReferrerId}`),
   import(`/preload/resources/echo-referrer.py?uid=${originId}`)
 ]);

 // Test that module with no specified referrerpolicy
 // Note: Some implementations may send only origin for inline modulepreload requests
 const expectedDefault = location.origin + "/";
 assert_equals(window.referrers[noReferrerPolicyId], expectedDefault,
   "Modulepreload with no referrerpolicy should use expected referrer");

 // Test that module with origin referrerpolicy sends only origin
 assert_equals(window.referrers[originPolicyId], location.origin + "/",
   "Modulepreload with origin referrerpolicy should send origin only");

 // Test that module with no-referrer policy sends no referrer
 assert_equals(window.referrers[noReferrerId], "",
   "Modulepreload with no-referrer referrerpolicy should not send referrer");

 // Test that module with no policy but document policy uses document policy
 assert_equals(window.referrers[originId], location.origin + "/",
   "Modulepreload with no referrerpolicy should use document's policy");

}, "Inline modulepreload elements should respect the referrerpolicy attribute");
</script>
</body>
</html>