preload-referrer-policy-subresource-header.tentative.html (3799B)
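<!DOCTYPE html>
<meta charset=utf-8>
<meta name=variant content="?isCrossOriginPreload=true&isCrossOriginResource=true">
<meta name=variant content="?isCrossOriginPreload=true&isCrossOriginResource=false">
<meta name=variant content="?isCrossOriginPreload=false&isCrossOriginResource=true">
<meta name=variant content="?isCrossOriginPreload=false&isCrossOriginResource=false">
<title>The referrerpolicy attribute on Link header should be ignored for subresources</title>
<meta name="timeout" content="long">
<script src="resources/dummy.js?link-header-preload2"></script>
<script src="/common/get-host-info.sub.js"></script>
<script src="/common/utils.js"></script>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/preload/resources/preload_helper.js"></script>
<body>
<p>The referrerpolicy attribute on Link header should be ignored for subresources
to prevent cross-origin referrer leakage</p>
<script>
// Not referenced in this file; kept because a loaded helper script may read it.
window.referrers = {};
const {REMOTE_ORIGIN} = get_host_info();

// How often, and how long apart, the stash is polled for the preload's referrer.
const MAX_POLL_ATTEMPTS = 10;
const POLL_INTERVAL_MS = 100;

/**
 * Loads an <img> whose response carries a Link preload header (built by
 * link-header-referrer-policy.py) that points at the stash endpoint and
 * declares `preloadPolicy` as its referrerpolicy. After the image has loaded,
 * polls the stash for the referrer that the preload request actually carried.
 *
 * @param {object} t - testharness test object (used for cleanup and step_timeout).
 * @param {string} preloadPolicy - referrerpolicy put on the Link header ('' for none).
 * @param {string} resourcePolicy - referrerPolicy set on the <img> element itself.
 * @param {boolean} isCrossOriginResource - serve the <img> from REMOTE_ORIGIN.
 * @param {string} hrefUrl - stash endpoint the Link header preloads.
 * @param {URLSearchParams} hrefParams - stash key/operation; not mutated.
 * @returns {Promise<{actualReferrer: string, unsafe: string}>} the referrer the
 *   stash recorded ('' if nothing arrived within the polling budget) and the
 *   image URL that was requested.
 */
async function loader(t, {preloadPolicy, resourcePolicy, isCrossOriginResource, hrefUrl, hrefParams}) {
  const img = document.createElement('img');
  const params = new URLSearchParams();
  params.set('href', `${hrefUrl}?${hrefParams.toString()}`);
  if (preloadPolicy === '') {
    params.set('preload-policy', '');
  } else {
    params.set('preload-policy', `referrerpolicy=${preloadPolicy}`);
  }
  params.set('resource-name', 'green.png');
  const resourceOrigin = isCrossOriginResource ? REMOTE_ORIGIN : location.origin;
  img.src = `${resourceOrigin}/preload/resources/link-header-referrer-policy.py?${params.toString()}`;
  img.referrerPolicy = resourcePolicy;
  const preloaded = new Promise(resolve => img.addEventListener('load', resolve));
  t.add_cleanup(() => img.remove());
  document.body.appendChild(img);
  await preloaded;

  // Work on a copy so the caller's params keep their 'put' operation.
  const takeParams = new URLSearchParams(hrefParams);
  takeParams.set('operation', 'take');
  const takeHref = `${hrefUrl}?${takeParams.toString()}`;

  let actualReferrer = '';
  for (let attempt = 0; attempt < MAX_POLL_ATTEMPTS; ++attempt) {
    const res = await fetch(takeHref);
    actualReferrer = await res.text();
    if (actualReferrer !== '') {
      break;
    }
    // Preload request has not yet been received. Retry after timeout.
    await new Promise(resolve => t.step_timeout(resolve, POLL_INTERVAL_MS));
  }
  return {actualReferrer, unsafe: img.src};
}

/**
 * Registers one promise_test for a (Link-header policy, element policy,
 * preload origin, resource origin) combination. Every combination expects the
 * stash to report 'NO-REFERER': the referrerpolicy on the Link header must not
 * influence the preload's referrer, whatever the element's own policy is.
 *
 * @param {string} preloadPolicy - referrerpolicy on the Link header.
 * @param {string} resourcePolicy - referrerPolicy on the <img>.
 * @param {boolean} isCrossOriginPreload - preload target on REMOTE_ORIGIN.
 * @param {boolean} isCrossOriginResource - <img> served from REMOTE_ORIGIN.
 */
function test_referrer_policy(preloadPolicy, resourcePolicy, isCrossOriginPreload, isCrossOriginResource) {
  promise_test(async t => {
    const id = token();
    const preloadOrigin = isCrossOriginPreload ? REMOTE_ORIGIN : location.origin;
    const hrefUrl = `${preloadOrigin}/preload/resources/stash-referrer.py`;
    const hrefParams = new URLSearchParams();
    hrefParams.set('key', id);
    hrefParams.set('operation', 'put');
    const {actualReferrer} = await loader(t, {preloadPolicy, resourcePolicy, isCrossOriginResource, hrefUrl, hrefParams});
    // Distinguish "preload never reached the stash" from "wrong referrer sent".
    assert_not_equals(actualReferrer, '', 'stash never received the preload request');
    assert_equals(actualReferrer, 'NO-REFERER');
  }, `referrer policy (${preloadPolicy} -> ${resourcePolicy}, ${isCrossOriginPreload ? 'cross-origin' : 'same-origin'}, ${isCrossOriginResource ? 'cross-origin' : 'same-origin'})`);
}

// '' means no referrerpolicy is set at all.
const policies = [
  "",
  "no-referrer",
  "same-origin",
  "origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
];

// The origin of preload target and of the <img> come from the variant query string.
const params = new URLSearchParams(location.search);
const isCrossOriginPreload = params.get('isCrossOriginPreload') === 'true';
const isCrossOriginResource = params.get('isCrossOriginResource') === 'true';
for (const preloadPolicy of policies) {
  for (const resourcePolicy of policies) {
    test_referrer_policy(
      preloadPolicy,
      resourcePolicy,
      isCrossOriginPreload,
      isCrossOriginResource);
  }
}

</script>
</body>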