webvtt-cross-origin.https.html (7155B)
1 <!DOCTYPE html> 2 <meta charset="utf-8"> 3 <title>cross-origin webvtt returned by service worker is detected</title> 4 <script src="/resources/testharness.js"></script> 5 <script src="/resources/testharnessreport.js"></script> 6 <script src="/common/get-host-info.sub.js"></script> 7 <script src="resources/test-helpers.sub.js?pipe=sub"></script> 8 <body> 9 <script> 10 // This file tests responses for WebVTT text track from a service worker. It 11 // creates an iframe with a <track> element, controlled by a service worker. 12 // Each test tries to load a text track, the service worker intercepts the 13 // requests and responds with opaque or non-opaque responses. As the 14 // crossorigin attribute is not set, request's mode is always "same-origin", 15 // and as specified in https://fetch.spec.whatwg.org/#http-fetch, 16 // a response from a service worker whose type is neither "basic" nor 17 // "default" is rejected. 18 19 const host_info = get_host_info(); 20 const kScript = 'resources/fetch-rewrite-worker.js'; 21 // Add '?ignore' so the service worker falls back for the navigation. 22 const kScope = 'resources/vtt-frame.html?ignore'; 23 let frame; 24 25 function load_track(url) { 26 const track = frame.contentDocument.querySelector('track'); 27 const result = new Promise((resolve, reject) => { 28 track.onload = (e => { 29 resolve('load event'); 30 }); 31 track.onerror = (e => { 32 resolve('error event'); 33 }); 34 }); 35 36 track.src = url; 37 // Setting mode to hidden seems needed, or else the text track requests don't 38 // occur. 39 track.track.mode = 'hidden'; 40 return result; 41 } 42 43 promise_test(t => { 44 return service_worker_unregister_and_register(t, kScript, kScope) 45 .then(registration => { 46 promise_test(() => { 47 frame.remove(); 48 return registration.unregister(); 49 }, 'restore global state'); 50 51 return wait_for_state(t, registration.installing, 'activated'); 52 }) 53 .then(() => { 54 return with_iframe(kScope); 55 }) 56 .then(f => { 57 frame = f; 58 }) 59 }, 'initialize global state'); 60 61 promise_test(t => { 62 let url = '/media/foo.vtt'; 63 // Add '?url' and tell the service worker to fetch a same-origin URL. 64 url += '?url=' + host_info.HTTPS_ORIGIN + '/media/foo.vtt'; 65 return load_track(url) 66 .then(result => { 67 assert_equals(result, 'load event'); 68 }); 69 }, 'same-origin text track should load'); 70 71 promise_test(t => { 72 let url = '/media/foo.vtt'; 73 // Add '?url' and tell the service worker to fetch a cross-origin URL. 74 url += '?url=' + get_host_info().HTTPS_REMOTE_ORIGIN + '/media/foo.vtt'; 75 return load_track(url) 76 .then(result => { 77 assert_equals(result, 'error event'); 78 }); 79 }, 'cross-origin text track with no-cors request should not load'); 80 81 promise_test(t => { 82 let url = '/media/foo.vtt'; 83 // Add '?url' and tell the service worker to fetch a cross-origin URL that 84 // doesn't support CORS. 85 url += '?url=' + get_host_info().HTTPS_REMOTE_ORIGIN + 86 '/media/foo-no-cors.vtt'; 87 // Add '&mode' to tell the service worker to do a CORS request. 88 url += '&mode=cors'; 89 return load_track(url) 90 .then(result => { 91 assert_equals(result, 'error event'); 92 }); 93 }, 'cross-origin text track with rejected cors request should not load'); 94 95 promise_test(t => { 96 let url = '/media/foo.vtt'; 97 // Add '?url' and tell the service worker to fetch a cross-origin URL. 98 url += '?url=' + get_host_info().HTTPS_REMOTE_ORIGIN + '/media/foo.vtt'; 99 // Add '&mode' to tell the service worker to do a CORS request. 100 url += '&mode=cors'; 101 // Add '&credentials=same-origin' to allow Access-Control-Allow-Origin=* so 102 // that CORS will succeed if the service approves it. 103 url += '&credentials=same-origin'; 104 return load_track(url) 105 .then(result => { 106 assert_equals(result, 'error event'); 107 }); 108 }, 'cross-origin text track with approved cors request should not load'); 109 110 // Redirect tests. 111 112 promise_test(t => { 113 let url = '/media/foo.vtt'; 114 // Add '?url' and tell the service worker to fetch a same-origin URL that redirects... 115 redirector_url = host_info.HTTPS_ORIGIN + base_path() + 'resources/redirect.py?Redirect='; 116 // ... to a same-origin URL. 117 redirect_target = host_info.HTTPS_ORIGIN + '/media/foo.vtt'; 118 url += '?url=' + encodeURIComponent(redirector_url + encodeURIComponent(redirect_target)); 119 return load_track(url) 120 .then(result => { 121 assert_equals(result, 'load event'); 122 }); 123 }, 'same-origin text track that redirects same-origin should load'); 124 125 promise_test(t => { 126 let url = '/media/foo.vtt'; 127 // Add '?url' and tell the service worker to fetch a same-origin URL that redirects... 128 redirector_url = host_info.HTTPS_ORIGIN + base_path() + 'resources/redirect.py?Redirect='; 129 // ... to a cross-origin URL. 130 redirect_target = host_info.HTTPS_REMOTE_ORIGIN + '/media/foo.vtt'; 131 url += '?url=' + encodeURIComponent(redirector_url + encodeURIComponent(redirect_target)); 132 return load_track(url) 133 .then(result => { 134 assert_equals(result, 'error event'); 135 }); 136 }, 'same-origin text track that redirects cross-origin should not load'); 137 138 139 promise_test(t => { 140 let url = '/media/foo.vtt'; 141 // Add '?url' and tell the service worker to fetch a same-origin URL that redirects... 142 redirector_url = host_info.HTTPS_ORIGIN + base_path() + 'resources/redirect.py?Redirect='; 143 // ... to a cross-origin URL. 144 redirect_target = host_info.HTTPS_REMOTE_ORIGIN + '/media/foo-no-cors.vtt'; 145 url += '?url=' + encodeURIComponent(redirector_url + encodeURIComponent(redirect_target)); 146 // Add '&mode' to tell the service worker to do a CORS request. 147 url += '&mode=cors'; 148 // Add '&credentials=same-origin' to allow Access-Control-Allow-Origin=* so 149 // that CORS will succeed if the server approves it. 150 url += '&credentials=same-origin'; 151 return load_track(url) 152 .then(result => { 153 assert_equals(result, 'error event'); 154 }); 155 }, 'same-origin text track that redirects to a cross-origin text track with rejected cors should not load'); 156 157 promise_test(t => { 158 let url = '/media/foo.vtt'; 159 // Add '?url' and tell the service worker to fetch a same-origin URL that redirects... 160 redirector_url = host_info.HTTPS_ORIGIN + base_path() + 'resources/redirect.py?Redirect='; 161 // ... to a cross-origin URL. 162 redirect_target = host_info.HTTPS_REMOTE_ORIGIN + '/media/foo.vtt'; 163 url += '?url=' + encodeURIComponent(redirector_url + encodeURIComponent(redirect_target)); 164 // Add '&mode' to tell the service worker to do a CORS request. 165 url += '&mode=cors'; 166 // Add '&credentials=same-origin' to allow Access-Control-Allow-Origin=* so 167 // that CORS will succeed if the server approves it. 168 url += '&credentials=same-origin'; 169 return load_track(url) 170 .then(result => { 171 assert_equals(result, 'error event'); 172 }); 173 }, 'same-origin text track that redirects to a cross-origin text track with approved cors should not load'); 174 </script> 175 </body>