spec.src.json (34568B)
1 { 2 "test_description_template": "Referrer Policy: Expects %(expectation)s for %(subresource)s to %(origin)s origin and %(redirection)s redirection from %(source_scheme)s context.", 3 "test_page_title_template": "Referrer-Policy: %(title)s", 4 "specification": [ 5 { 6 // unset-referrer-policy 7 "title": "Referrer Policy is not explicitly defined", 8 "description": "Check that referrer URL follows the strict-origin-when-cross-origin policy when no explicit Referrer Policy is set.", 9 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policies", 10 "test_expansion": [ 11 { 12 // same-insecure 13 "expansion": "default", 14 "source_scheme": "http", 15 "source_context_list": "*", 16 "delivery_type": "*", 17 "delivery_value": null, 18 "redirection": "*", 19 "origin": "same-http", 20 "subresource": "*", 21 "expectation": "stripped-referrer" 22 }, 23 { 24 // same-insecure 25 "expansion": "override", 26 "source_scheme": "http", 27 "source_context_list": "*", 28 "delivery_type": "*", 29 "delivery_value": null, 30 "redirection": "swap-origin", 31 "origin": "same-http", 32 "subresource": "*", 33 "expectation": "origin" 34 }, 35 { 36 // cross-insecure 37 "expansion": "default", 38 "source_scheme": "http", 39 "source_context_list": "*", 40 "delivery_type": "*", 41 "delivery_value": null, 42 "redirection": "*", 43 "origin": "cross-http", 44 "subresource": "*", 45 "expectation": "origin" 46 }, 47 { 48 // upgrade-protocol 49 "expansion": "default", 50 "source_scheme": "http", 51 "source_context_list": "*", 52 "delivery_type": "*", 53 "delivery_value": null, 54 "redirection": "*", 55 "origin": [ 56 "same-https", 57 "cross-https" 58 ], 59 "subresource": "*", 60 "expectation": "origin" 61 }, 62 { 63 // downgrade-protocol 64 "expansion": "default", 65 "source_scheme": "https", 66 "source_context_list": "*", 67 "delivery_type": "*", 68 "delivery_value": null, 69 "redirection": "*", 70 "origin": [ 71 "same-http", 72 "cross-http" 73 ], 74 "subresource": "*", 75 "expectation": "omitted" 76 }, 77 { 78 // same-secure 79 "expansion": "default", 80 "source_scheme": "https", 81 "source_context_list": "*", 82 "delivery_type": "*", 83 "delivery_value": null, 84 "redirection": "*", 85 "origin": "same-https", 86 "subresource": "*", 87 "expectation": "stripped-referrer" 88 }, 89 { 90 // same-secure 91 "expansion": "override", 92 "source_scheme": "https", 93 "source_context_list": "*", 94 "delivery_type": "*", 95 "delivery_value": null, 96 "redirection": "swap-origin", 97 "origin": "same-https", 98 "subresource": "*", 99 "expectation": "origin" 100 }, 101 { 102 // cross-secure 103 "expansion": "default", 104 "source_scheme": "https", 105 "source_context_list": "*", 106 "delivery_type": "*", 107 "delivery_value": null, 108 "redirection": "*", 109 "origin": "cross-https", 110 "subresource": "*", 111 "expectation": "origin" 112 } 113 ] 114 }, 115 { 116 // meta tag default 117 "title": "<meta rel=referrer> is set to the legacy keyword 'default'", 118 "description": "Check that the 'default' legacy keyword results in behavior equivalent to the default policy (currently strict-origin-when-cross-origin)", 119 "specification_url": "https://html.spec.whatwg.org/multipage/semantics.html#the-meta-element", 120 "test_expansion": [ 121 { 122 // same-insecure 123 "expansion": "default", 124 "source_scheme": "http", 125 "source_context_list": "*", 126 "delivery_type": "meta", 127 "delivery_value": "default", 128 "redirection": "*", 129 "origin": "same-http", 130 "subresource": "*", 131 "expectation": "stripped-referrer" 132 }, 133 { 134 // same-insecure 135 "expansion": "override", 136 "source_scheme": "http", 137 "source_context_list": "*", 138 "delivery_type": "meta", 139 "delivery_value": "default", 140 "redirection": "swap-origin", 141 "origin": "same-http", 142 "subresource": "*", 143 "expectation": "origin" 144 }, 145 { 146 // cross-insecure 147 "expansion": "default", 148 "source_scheme": "http", 149 "source_context_list": "*", 150 "delivery_type": "meta", 151 "delivery_value": "default", 152 "redirection": "*", 153 "origin": "cross-http", 154 "subresource": "*", 155 "expectation": "origin" 156 }, 157 { 158 // upgrade-protocol 159 "expansion": "default", 160 "source_scheme": "http", 161 "source_context_list": "*", 162 "delivery_type": "meta", 163 "delivery_value": "default", 164 "redirection": "*", 165 "origin": [ 166 "same-https", 167 "cross-https" 168 ], 169 "subresource": "*", 170 "expectation": "origin" 171 }, 172 { 173 // downgrade-protocol 174 "expansion": "default", 175 "source_scheme": "https", 176 "source_context_list": "*", 177 "delivery_type": "meta", 178 "delivery_value": "default", 179 "redirection": "*", 180 "origin": [ 181 "same-http", 182 "cross-http" 183 ], 184 "subresource": "*", 185 "expectation": "omitted" 186 }, 187 { 188 // same-secure 189 "expansion": "default", 190 "source_scheme": "https", 191 "source_context_list": "*", 192 "delivery_type": "meta", 193 "delivery_value": "default", 194 "redirection": "*", 195 "origin": "same-https", 196 "subresource": "*", 197 "expectation": "stripped-referrer" 198 }, 199 { 200 // same-secure 201 "expansion": "override", 202 "source_scheme": "https", 203 "source_context_list": "*", 204 "delivery_type": "meta", 205 "delivery_value": "default", 206 "redirection": "swap-origin", 207 "origin": "same-https", 208 "subresource": "*", 209 "expectation": "origin" 210 }, 211 { 212 // cross-secure 213 "expansion": "default", 214 "source_scheme": "https", 215 "source_context_list": "*", 216 "delivery_type": "meta", 217 "delivery_value": "default", 218 "redirection": "*", 219 "origin": "cross-https", 220 "subresource": "*", 221 "expectation": "origin" 222 } 223 ] 224 }, 225 { 226 // no-referrer 227 "title": "Referrer Policy is set to 'no-referrer'", 228 "description": "Check that sub-resource never gets the referrer URL.", 229 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-no-referrer", 230 "test_expansion": [ 231 { 232 // generic 233 "expansion": "default", 234 "source_scheme": "*", 235 "source_context_list": "*", 236 "delivery_type": "*", 237 "delivery_value": "no-referrer", 238 "redirection": "*", 239 "origin": "*", 240 "subresource": "*", 241 "expectation": "omitted" 242 } 243 ] 244 }, 245 { 246 // meta tag never 247 "title": "<meta rel=referrer> is set to the legacy value 'never'", 248 "description": "Check that the legacy <meta> value 'never' is equivalent to the 'no-referrer' policy", 249 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-no-referrer", 250 "test_expansion": [ 251 { 252 // generic 253 "expansion": "default", 254 "source_scheme": "*", 255 "source_context_list": "*", 256 "delivery_type": "meta", 257 "delivery_value": "never", 258 "redirection": "*", 259 "origin": "*", 260 "subresource": "*", 261 "expectation": "omitted" 262 } 263 ] 264 }, 265 { 266 // no-referrer-when-downgrade 267 "title": "Referrer Policy is set to 'no-referrer-when-downgrade'", 268 "description": "Check that non a priori insecure subresource gets the full Referrer URL. A priori insecure subresource gets no referrer information.", 269 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-no-referrer-when-downgrade", 270 "test_expansion": [ 271 { 272 // insecure-protocol 273 "expansion": "default", 274 "source_scheme": "http", 275 "source_context_list": "*", 276 "delivery_type": "*", 277 "delivery_value": "no-referrer-when-downgrade", 278 "redirection": "*", 279 "origin": [ 280 "same-http", 281 "cross-http" 282 ], 283 "subresource": "*", 284 "expectation": "stripped-referrer" 285 }, 286 { 287 // upgrade-protocol 288 "expansion": "default", 289 "source_scheme": "http", 290 "source_context_list": "*", 291 "delivery_type": "*", 292 "delivery_value": "no-referrer-when-downgrade", 293 "redirection": "*", 294 "origin": [ 295 "same-https", 296 "cross-https" 297 ], 298 "subresource": "*", 299 "expectation": "stripped-referrer" 300 }, 301 { 302 // downgrade-protocol 303 "expansion": "default", 304 "source_scheme": "https", 305 "source_context_list": "*", 306 "delivery_type": "*", 307 "delivery_value": "no-referrer-when-downgrade", 308 "redirection": "*", 309 "origin": [ 310 "same-http", 311 "cross-http" 312 ], 313 "subresource": "*", 314 "expectation": "omitted" 315 }, 316 { 317 // secure-protocol 318 "expansion": "default", 319 "source_scheme": "https", 320 "source_context_list": "*", 321 "delivery_type": "*", 322 "delivery_value": "no-referrer-when-downgrade", 323 "redirection": "*", 324 "origin": [ 325 "same-https", 326 "cross-https" 327 ], 328 "subresource": "*", 329 "expectation": "stripped-referrer" 330 } 331 ] 332 }, 333 { 334 // origin 335 "title": "Referrer Policy is set to 'origin'", 336 "description": "Check that all subresources in all casses get only the origin portion of the referrer URL.", 337 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-origin", 338 "test_expansion": [ 339 { 340 // generic 341 "expansion": "default", 342 "source_scheme": "*", 343 "source_context_list": "*", 344 "delivery_type": "*", 345 "delivery_value": "origin", 346 "redirection": "*", 347 "origin": "*", 348 "subresource": "*", 349 "expectation": "origin" 350 } 351 ] 352 }, 353 { 354 // same-origin 355 "title": "Referrer Policy is set to 'same-origin'", 356 "description": "Check that cross-origin subresources get no referrer information and same-origin get the stripped referrer URL.", 357 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin", 358 "test_expansion": [ 359 { 360 // same-origin-insecure 361 "expansion": "default", 362 "source_scheme": "http", 363 "source_context_list": "*", 364 "delivery_type": "*", 365 "delivery_value": "same-origin", 366 "redirection": "*", 367 "origin": "same-http", 368 "subresource": "*", 369 "expectation": "stripped-referrer" 370 }, 371 { 372 // same-origin-secure-default 373 "expansion": "default", 374 "source_scheme": "https", 375 "source_context_list": "*", 376 "delivery_type": "*", 377 "delivery_value": "same-origin", 378 "redirection": "*", 379 "origin": "same-https", 380 "subresource": "*", 381 "expectation": "stripped-referrer" 382 }, 383 { 384 // same-origin-insecure 385 "expansion": "override", 386 "source_scheme": "*", 387 "source_context_list": "*", 388 "delivery_type": "*", 389 "delivery_value": "same-origin", 390 "redirection": "swap-origin", 391 "origin": [ 392 "same-http", 393 "same-https" 394 ], 395 "subresource": "*", 396 "expectation": "omitted" 397 }, 398 { 399 // cross-origin 400 "expansion": "default", 401 "source_scheme": "*", 402 "source_context_list": "*", 403 "delivery_type": "*", 404 "delivery_value": "same-origin", 405 "redirection": "*", 406 "origin": [ 407 "cross-http", 408 "cross-https" 409 ], 410 "subresource": "*", 411 "expectation": "omitted" 412 } 413 ] 414 }, 415 { 416 // origin-when-cross-origin 417 "title": "Referrer Policy is set to 'origin-when-cross-origin'", 418 "description": "Check that cross-origin subresources get the origin portion of the referrer URL and same-origin get the stripped referrer URL.", 419 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-origin-when-cross-origin", 420 "test_expansion": [ 421 { 422 // same-origin-insecure 423 "expansion": "default", 424 "source_scheme": "http", 425 "source_context_list": "*", 426 "delivery_type": "*", 427 "delivery_value": "origin-when-cross-origin", 428 "redirection": "*", 429 "origin": "same-http", 430 "subresource": "*", 431 "expectation": "stripped-referrer" 432 }, 433 { 434 // same-origin-secure-default 435 "expansion": "default", 436 "source_scheme": "https", 437 "source_context_list": "*", 438 "delivery_type": "*", 439 "delivery_value": "origin-when-cross-origin", 440 "redirection": "*", 441 "origin": "same-https", 442 "subresource": "*", 443 "expectation": "stripped-referrer" 444 }, 445 { 446 // same-origin-upgrade 447 "expansion": "default", 448 "source_scheme": "http", 449 "source_context_list": "*", 450 "delivery_type": "*", 451 "delivery_value": "origin-when-cross-origin", 452 "redirection": "*", 453 "origin": "same-https", 454 "subresource": "*", 455 "expectation": "origin" 456 }, 457 { 458 // same-origin-downgrade 459 "expansion": "default", 460 "source_scheme": "https", 461 "source_context_list": "*", 462 "delivery_type": "*", 463 "delivery_value": "origin-when-cross-origin", 464 "redirection": "*", 465 "origin": "same-http", 466 "subresource": "*", 467 "expectation": "origin" 468 }, 469 { 470 // same-origin-insecure 471 "expansion": "override", 472 "source_scheme": "*", 473 "source_context_list": "*", 474 "delivery_type": "*", 475 "delivery_value": "origin-when-cross-origin", 476 "redirection": "swap-origin", 477 "origin": [ 478 "same-http", 479 "same-https" 480 ], 481 "subresource": "*", 482 "expectation": "origin" 483 }, 484 { 485 // cross-origin 486 "expansion": "default", 487 "source_scheme": "*", 488 "source_context_list": "*", 489 "delivery_type": "*", 490 "delivery_value": "origin-when-cross-origin", 491 "redirection": "*", 492 "origin": [ 493 "cross-http", 494 "cross-https" 495 ], 496 "subresource": "*", 497 "expectation": "origin" 498 } 499 ] 500 }, 501 { 502 // meta tag origin-when-crossorigin 503 "title": "<meta rel=referrer> is set to the legacy value 'origin-when-crossorigin'", 504 "description": "Check that the legacy <meta> value 'origin-when-crossorigin' is equivalent to the 'origin-when-cross-origin' policy", 505 "specification_url": "https://html.spec.whatwg.org/multipage/semantics.html#the-meta-element", 506 "test_expansion": [ 507 { 508 // same-origin-insecure 509 "expansion": "default", 510 "source_scheme": "http", 511 "source_context_list": "*", 512 "delivery_type": "meta", 513 "delivery_value": "origin-when-crossorigin", 514 "redirection": "*", 515 "origin": "same-http", 516 "subresource": "*", 517 "expectation": "stripped-referrer" 518 }, 519 { 520 // same-origin-secure-default 521 "expansion": "default", 522 "source_scheme": "https", 523 "source_context_list": "*", 524 "delivery_type": "meta", 525 "delivery_value": "origin-when-crossorigin", 526 "redirection": "*", 527 "origin": "same-https", 528 "subresource": "*", 529 "expectation": "stripped-referrer" 530 }, 531 { 532 // same-origin-upgrade 533 "expansion": "default", 534 "source_scheme": "http", 535 "source_context_list": "*", 536 "delivery_type": "meta", 537 "delivery_value": "origin-when-crossorigin", 538 "redirection": "*", 539 "origin": "same-https", 540 "subresource": "*", 541 "expectation": "origin" 542 }, 543 { 544 // same-origin-downgrade 545 "expansion": "default", 546 "source_scheme": "https", 547 "source_context_list": "*", 548 "delivery_type": "meta", 549 "delivery_value": "origin-when-crossorigin", 550 "redirection": "*", 551 "origin": "same-http", 552 "subresource": "*", 553 "expectation": "origin" 554 }, 555 { 556 // same-origin-insecure 557 "expansion": "override", 558 "source_scheme": "*", 559 "source_context_list": "*", 560 "delivery_type": "meta", 561 "delivery_value": "origin-when-crossorigin", 562 "redirection": "swap-origin", 563 "origin": [ 564 "same-http", 565 "same-https" 566 ], 567 "subresource": "*", 568 "expectation": "origin" 569 }, 570 { 571 // cross-origin 572 "expansion": "default", 573 "source_scheme": "*", 574 "source_context_list": "*", 575 "delivery_type": "meta", 576 "delivery_value": "origin-when-crossorigin", 577 "redirection": "*", 578 "origin": [ 579 "cross-http", 580 "cross-https" 581 ], 582 "subresource": "*", 583 "expectation": "origin" 584 } 585 ] 586 }, 587 { 588 // strict-origin 589 "title": "Referrer Policy is set to 'strict-origin'", 590 "description": "Check that non a priori insecure subresource gets only the origin portion of the referrer URL. A priori insecure subresource gets no referrer information.", 591 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin", 592 "test_expansion": [ 593 { 594 // insecure-protocol 595 "expansion": "default", 596 "source_scheme": "http", 597 "source_context_list": "*", 598 "delivery_type": "*", 599 "delivery_value": "strict-origin", 600 "redirection": "*", 601 "origin": [ 602 "same-http", 603 "cross-http" 604 ], 605 "subresource": "*", 606 "expectation": "origin" 607 }, 608 { 609 // upgrade-protocol 610 "expansion": "default", 611 "source_scheme": "http", 612 "source_context_list": "*", 613 "delivery_type": "*", 614 "delivery_value": "strict-origin", 615 "redirection": "*", 616 "origin": [ 617 "same-https", 618 "cross-https" 619 ], 620 "subresource": "*", 621 "expectation": "origin" 622 }, 623 { 624 // downgrade-protocol 625 "expansion": "default", 626 "source_scheme": "https", 627 "source_context_list": "*", 628 "delivery_type": "*", 629 "delivery_value": "strict-origin", 630 "redirection": "*", 631 "origin": [ 632 "same-http", 633 "cross-http" 634 ], 635 "subresource": "*", 636 "expectation": "omitted" 637 }, 638 { 639 // secure-protocol 640 "expansion": "default", 641 "source_scheme": "https", 642 "source_context_list": "*", 643 "delivery_type": "*", 644 "delivery_value": "strict-origin", 645 "redirection": "*", 646 "origin": [ 647 "same-https", 648 "cross-https" 649 ], 650 "subresource": "*", 651 "expectation": "origin" 652 } 653 ] 654 }, 655 { 656 // strict-origin-when-cross-origin 657 "title": "Referrer Policy is set to 'strict-origin-when-cross-origin'", 658 "description": "Check that a priori insecure subresource gets no referrer information. Otherwise, cross-origin subresources get the origin portion of the referrer URL and same-origin get the stripped referrer URL.", 659 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin-when-cross-origin", 660 "test_expansion": [ 661 { 662 // same-insecure 663 "expansion": "default", 664 "source_scheme": "http", 665 "source_context_list": "*", 666 "delivery_type": "*", 667 "delivery_value": "strict-origin-when-cross-origin", 668 "redirection": "*", 669 "origin": "same-http", 670 "subresource": "*", 671 "expectation": "stripped-referrer" 672 }, 673 { 674 // same-insecure 675 "expansion": "override", 676 "source_scheme": "http", 677 "source_context_list": "*", 678 "delivery_type": "*", 679 "delivery_value": "strict-origin-when-cross-origin", 680 "redirection": "swap-origin", 681 "origin": "same-http", 682 "subresource": "*", 683 "expectation": "origin" 684 }, 685 { 686 // cross-insecure 687 "expansion": "default", 688 "source_scheme": "http", 689 "source_context_list": "*", 690 "delivery_type": "*", 691 "delivery_value": "strict-origin-when-cross-origin", 692 "redirection": "*", 693 "origin": "cross-http", 694 "subresource": "*", 695 "expectation": "origin" 696 }, 697 { 698 // upgrade-protocol 699 "expansion": "default", 700 "source_scheme": "http", 701 "source_context_list": "*", 702 "delivery_type": "*", 703 "delivery_value": "strict-origin-when-cross-origin", 704 "redirection": "*", 705 "origin": [ 706 "same-https", 707 "cross-https" 708 ], 709 "subresource": "*", 710 "expectation": "origin" 711 }, 712 { 713 // downgrade-protocol 714 "expansion": "default", 715 "source_scheme": "https", 716 "source_context_list": "*", 717 "delivery_type": "*", 718 "delivery_value": "strict-origin-when-cross-origin", 719 "redirection": "*", 720 "origin": [ 721 "same-http", 722 "cross-http" 723 ], 724 "subresource": "*", 725 "expectation": "omitted" 726 }, 727 { 728 // same-secure 729 "expansion": "default", 730 "source_scheme": "https", 731 "source_context_list": "*", 732 "delivery_type": "*", 733 "delivery_value": "strict-origin-when-cross-origin", 734 "redirection": "*", 735 "origin": "same-https", 736 "subresource": "*", 737 "expectation": "stripped-referrer" 738 }, 739 { 740 // same-secure 741 "expansion": "override", 742 "source_scheme": "https", 743 "source_context_list": "*", 744 "delivery_type": "*", 745 "delivery_value": "strict-origin-when-cross-origin", 746 "redirection": "swap-origin", 747 "origin": "same-https", 748 "subresource": "*", 749 "expectation": "origin" 750 }, 751 { 752 // cross-secure 753 "expansion": "default", 754 "source_scheme": "https", 755 "source_context_list": "*", 756 "delivery_type": "*", 757 "delivery_value": "strict-origin-when-cross-origin", 758 "redirection": "*", 759 "origin": "cross-https", 760 "subresource": "*", 761 "expectation": "origin" 762 } 763 ] 764 }, 765 { 766 // unsafe-url 767 "title": "Referrer Policy is set to 'unsafe-url'", 768 "description": "Check that all sub-resources get the stripped referrer URL.", 769 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-unsafe-url", 770 "test_expansion": [ 771 { 772 // generic 773 "expansion": "default", 774 "source_scheme": "*", 775 "source_context_list": "*", 776 "delivery_type": "*", 777 "delivery_value": "unsafe-url", 778 "redirection": "*", 779 "origin": "*", 780 "subresource": "*", 781 "expectation": "stripped-referrer" 782 } 783 ] 784 }, 785 { 786 // meta tag always 787 "title": "<meta rel=referrer> is set to the legacy value 'always'", 788 "description": "Check that the legacy <meta> value 'always' is equivalent to the 'unsafe-url' policy", 789 "specification_url": "https://html.spec.whatwg.org/multipage/semantics.html#the-meta-element", 790 "test_expansion": [ 791 { 792 // generic 793 "expansion": "default", 794 "source_scheme": "*", 795 "source_context_list": "*", 796 "delivery_type": "meta", 797 "delivery_value": "always", 798 "redirection": "*", 799 "origin": "*", 800 "subresource": "*", 801 "expectation": "stripped-referrer" 802 } 803 ] 804 } 805 ], 806 "delivery_key": "referrerPolicy", 807 "excluded_tests": [ 808 { 809 // upgraded-protocol-workers 810 "expansion": "*", 811 "source_scheme": "http", 812 "source_context_list": "*", 813 "delivery_type": "*", 814 "delivery_value": "*", 815 "redirection": "*", 816 "origin": [ 817 "same-https", 818 "cross-https" 819 ], 820 "subresource": [ 821 "worker-classic", 822 "worker-module", 823 "sharedworker-classic", 824 "sharedworker-module" 825 ], 826 "expectation": "*" 827 }, 828 { 829 // mixed-content-insecure-subresources 830 "expansion": "*", 831 "source_scheme": "https", 832 "source_context_list": "*", 833 "delivery_type": "*", 834 "delivery_value": "*", 835 "redirection": "*", 836 "origin": [ 837 "same-http", 838 "same-http-downgrade", 839 "cross-http", 840 "cross-http-downgrade", 841 "same-ws", 842 "same-ws-downgrade", 843 "cross-ws", 844 "cross-ws-downgrade" 845 ], 846 "subresource": "*", 847 "expectation": "*" 848 }, 849 { 850 // overhead-for-redirection 851 "expansion": "*", 852 "source_scheme": "*", 853 "source_context_list": "*", 854 "delivery_type": "*", 855 "delivery_value": "*", 856 "redirection": [ 857 "keep-origin", 858 "swap-origin" 859 ], 860 "origin": "*", 861 "subresource": [ 862 "a-tag", 863 "area-tag", 864 "svg-a-tag" 865 ], 866 "expectation": "*" 867 }, 868 { 869 // source-https-unsupported-by-web-platform-tests-runners 870 "expansion": "*", 871 "source_scheme": "https", 872 "source_context_list": "*", 873 "delivery_type": "*", 874 "delivery_value": "*", 875 "redirection": "*", 876 "origin": "*", 877 "subresource": "*", 878 "expectation": "*" 879 }, 880 { 881 // <link rel=noreferrer>'s delivery_value should be no-referrer 882 "expansion": "*", 883 "source_scheme": "*", 884 "source_context_list": "*", 885 "delivery_type": "rel-noref", 886 "delivery_value": [ 887 null, 888 "no-referrer-when-downgrade", 889 "same-origin", 890 "origin", 891 "origin-when-cross-origin", 892 "strict-origin", 893 "strict-origin-when-cross-origin", 894 "unsafe-url" 895 ], 896 "redirection": "*", 897 "origin": "*", 898 "subresource": "*", 899 "expectation": "*" 900 }, 901 { 902 // redirections that referrer-policy tests don't care 903 "expansion": "*", 904 "source_scheme": "*", 905 "source_context_list": "*", 906 "delivery_type": "*", 907 "delivery_value": "*", 908 "redirection": [ 909 "keep-scheme", 910 "swap-scheme", 911 "downgrade" 912 ], 913 "origin": "*", 914 "subresource": "*", 915 "expectation": "*" 916 }, 917 { 918 // origins that referrer-policy tests don't care 919 "expansion": "*", 920 "source_scheme": "*", 921 "source_context_list": "*", 922 "delivery_type": "*", 923 "delivery_value": "*", 924 "redirection": "*", 925 "origin": [ 926 "same-http-downgrade", 927 "cross-http-downgrade", 928 "same-ws-downgrade", 929 "cross-ws-downgrade" 930 ], 931 "subresource": "*", 932 "expectation": "*" 933 }, 934 { 935 // subresource values not yet tested 936 "expansion": "*", 937 "source_scheme": "*", 938 "source_context_list": "*", 939 "delivery_type": "*", 940 "delivery_value": "*", 941 "redirection": "*", 942 "subresource": [ 943 "area-tag", 944 "audio-tag", 945 "beacon", 946 "link-css-tag", 947 "link-prefetch-tag", 948 "object-tag", 949 "picture-tag", 950 "sharedworker-import", 951 "sharedworker-import-data", 952 "video-tag", 953 "websocket", 954 "worker-import", 955 "worker-import-data", 956 "worklet-animation", 957 "worklet-animation-import-data", 958 "worklet-audio", 959 "worklet-audio-import-data", 960 "worklet-layout", 961 "worklet-layout-import-data", 962 "worklet-paint", 963 "worklet-paint-import-data" 964 ], 965 "origin": "*", 966 "expectation": "*" 967 }, 968 { 969 // source_context_list values not yet tested 970 "expansion": "*", 971 "source_scheme": "*", 972 "source_context_list": [ 973 "iframe-blank-inherit", 974 "sharedworker-classic", 975 "sharedworker-classic-data", 976 "sharedworker-module", 977 "sharedworker-module-data", 978 "worker-classic-data", 979 "worker-module-data" 980 ], 981 "delivery_type": "*", 982 "delivery_value": "*", 983 "redirection": "*", 984 "subresource": "*", 985 "origin": "*", 986 "expectation": "*" 987 }, 988 // Skip some nested source_context_lists for faster tests. 989 { 990 "expansion": "*", 991 "source_scheme": "*", 992 "source_context_list": [ 993 "iframe", 994 "srcdoc", 995 "srcdoc-inherit" 996 ], 997 "delivery_type": "*", 998 "delivery_value": "*", 999 "redirection": "*", 1000 "subresource": "script-tag-dynamic-import", 1001 "origin": "*", 1002 "expectation": "*" 1003 }, 1004 ], 1005 "source_context_schema": { 1006 "supported_delivery_type": { 1007 "top": [ 1008 "meta", 1009 "http-rp" 1010 ], 1011 "iframe": [ 1012 "meta", 1013 "http-rp" 1014 ], 1015 "iframe-blank": [ 1016 "meta" 1017 ], 1018 "srcdoc": [ 1019 "meta" 1020 ], 1021 "worker-classic": [ 1022 "http-rp" 1023 ], 1024 "worker-module": [ 1025 "http-rp" 1026 ], 1027 "worker-classic-data": [], 1028 "worker-module-data": [], 1029 "sharedworker-classic": [ 1030 "http-rp" 1031 ], 1032 "sharedworker-module": [ 1033 "http-rp" 1034 ], 1035 "sharedworker-classic-data": [], 1036 "sharedworker-module-data": [] 1037 } 1038 }, 1039 "subresource_schema": { 1040 "supported_delivery_type": { 1041 // List of elements that support "attr" delivery type can be followed 1042 // from the cross reference of: 1043 // https://html.spec.whatwg.org/C/#referrer-policy-attribute 1044 "a-tag": [ 1045 "attr", 1046 "rel-noref" 1047 ], 1048 "area-tag": [ 1049 "attr" 1050 ], 1051 "audio-tag": [], 1052 "beacon": [], 1053 // Fetch API supports `init["referrerPolicy"]` in `Request`: 1054 // https://fetch.spec.whatwg.org/#dom-request. 1055 // TODO(https://github.com/web-platform-tests/wpt/issues/21815): 1056 // Add support for this. Currently `common.sub.js` doesn't support this. 1057 "fetch": [], 1058 "iframe-tag": [ 1059 "attr" 1060 ], 1061 "img-tag": [ 1062 "attr" 1063 ], 1064 // TODO(https://github.com/web-platform-tests/wpt/issues/21815): 1065 // Support "attr" in the following `<link>`-related subresources. 1066 // The current referrrer-policy test helper doesn't support 1067 // checking referrer results via <link> elements. 1068 "link-css-tag": [], 1069 "link-prefetch-tag": [], 1070 "object-tag": [], 1071 // `<img>` supports referrerpolicy attribute, 1072 // so `<img>` inside `<picture>` also supports the attribute. 1073 // TODO(https://github.com/web-platform-tests/wpt/issues/21815): 1074 // Support this. 1075 "picture-tag": [], 1076 "script-tag": [ 1077 "attr" 1078 ], 1079 "script-tag-dynamic-import": [ 1080 // The policy set to the <script referrerpolicy> attribute is used for 1081 // dynamic imports initiated from the script, passed as referencing 1082 // script's fetch options. 1083 // https://html.spec.whatwg.org/multipage/webappapis.html#hostimportmoduledynamically(referencingscriptormodule,-modulerequest,-promisecapability) 1084 "attr" 1085 ], 1086 "sharedworker-classic": [], 1087 "sharedworker-import": [], 1088 "sharedworker-import-data": [], 1089 "sharedworker-module": [], 1090 "svg-a-tag": [ 1091 "attr" 1092 ], 1093 "video-tag": [], 1094 "websocket": [], 1095 "worker-classic": [], 1096 "worker-import": [], 1097 "worker-import-data": [], 1098 "worker-module": [], 1099 "worklet-animation": [], 1100 "worklet-animation-import-data": [], 1101 "worklet-audio": [], 1102 "worklet-audio-import-data": [], 1103 "worklet-layout": [], 1104 "worklet-layout-import-data": [], 1105 "worklet-paint": [], 1106 "worklet-paint-import-data": [], 1107 "xhr": [] 1108 } 1109 }, 1110 "test_expansion_schema": { 1111 "delivery_type": [ 1112 "attr", 1113 "rel-noref", 1114 "http-rp", 1115 "meta" 1116 ], 1117 "delivery_value": [ 1118 null, 1119 "no-referrer", 1120 "no-referrer-when-downgrade", 1121 "same-origin", 1122 "origin", 1123 "origin-when-cross-origin", 1124 "strict-origin", 1125 "strict-origin-when-cross-origin", 1126 "unsafe-url", 1127 "default", 1128 "always", 1129 "never", 1130 "origin-when-crossorigin" 1131 ], 1132 "expectation": [ 1133 "omitted", 1134 "origin", 1135 "stripped-referrer" 1136 ] 1137 } 1138 }