
coep.https.tentative.html (3292B)


      1 <!DOCTYPE html>
      2 <title>COEP for WebBundle subresource loading</title>
      3 <link
      4  rel="help"
      5  href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
      6 />
      7 <link
      8  rel="help"
      9  href="https://html.spec.whatwg.org/multipage/origin.html#coep"
     10 />
     11 <script src="/resources/testharness.js"></script>
     12 <script src="/resources/testharnessreport.js"></script>
     13 <script src="../resources/test-helpers.js"></script>
     14 
     15 <body>
     16  <!--
     17       This wpt should run on an origin different from https://www1.web-platform.test:8444/,
     18       from where cross-origin WebBundles are served.
     19 
     20       This test uses a cross-origin WebBundle,
     21       https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp.wbn,
     22       which is served with an Access-Control-Allow-Origin response header.
     23 
     24       `corp.wbn` includes three subresources:
     25       a. `no-corp.js`, which doesn't include a Cross-Origin-Resource-Policy response header.
     26       b. `corp-same-origin.js`, which includes a Cross-Origin-Resource-Policy: same-origin response header.
     27       c. `corp-cross-origin.js`, which includes a Cross-Origin-Resource-Policy: cross-origin response header.
     28  -->
     29  <script type="webbundle">
     30    {
     31      "source": "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp.wbn",
     32      "resources": [
     33        "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/no-corp.js",
     34        "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-same-origin.js",
     35        "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-cross-origin.js"
     36      ]
     37    }
     38  </script>
     39  <script>
   // Harness precondition for every test in this file: the browser must report
   // support for <script type="webbundle">.
   setup(function () {
     const webBundleSupported = HTMLScriptElement.supports("webbundle");
     assert_true(webBundleSupported);
   });
     43 
   /**
    * Runs `func` and returns the single COEP report it is expected to trigger.
    *
    * The ReportingObserver is registered before `func` is invoked and is given
    * no options, so every report in its first callback batch is collected. The
    * assertions then require that batch to hold exactly one report, of type
    * "coep", whose url is this document.
    * NOTE(review): an unrelated report delivered in the same batch would fail
    * the length check; confirm that strictness is intended.
    *
    * @param {function(): Promise} func Action expected to cause the report.
    * @returns {Promise<Object>} The report as produced by its toJSON().
    */
   async function expectCOEPReport(func) {
     const firstBatch = new Promise((resolve) => {
       const reportObserver = new ReportingObserver((entries) => {
         // One batch is all this helper needs; stop listening before resolving.
         reportObserver.disconnect();
         const serialized = entries.map((entry) => entry.toJSON());
         resolve(serialized);
       });
       reportObserver.observe();
     });

     await func();

     const received = await firstBatch;
     assert_equals(received.length, 1);

     const report = received[0];
     assert_equals(report.type, "coep");
     assert_equals(report.url, location.href);
     return report;
   }
     61 
   // Base URL of the cross-origin subresources listed in the
   // <script type="webbundle"> element above.
   const prefix = "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/";
     64 
   // Bundled response with no Cross-Origin-Resource-Policy header: the script
   // load must fail, and the one COEP report must name the blocked URL with
   // type "corp", disposition "enforce" and destination "script".
   // NOTE(review): disposition "enforce" implies this document is served with
   // an enforcing Cross-Origin-Embedder-Policy. That header is not set in this
   // file; presumably it comes from a companion headers file — confirm.
   promise_test(async () => {
     const blockedScript = prefix + "no-corp.js";
     const { body } = await expectCOEPReport(async () => {
       await addScriptAndWaitForError(blockedScript);
     });
     assert_equals(body.blockedURL, blockedScript);
     assert_equals(body.type, "corp");
     assert_equals(body.disposition, "enforce");
     assert_equals(body.destination, "script");
   }, "Cross-origin subresource without Cross-Origin-Resource-Policy: header should be blocked and generate a report.");
     74 
   // Bundled response carrying Cross-Origin-Resource-Policy: same-origin,
   // requested from a different origin. Only the outcome of
   // addScriptAndWaitForError (defined in ../resources/test-helpers.js, not
   // shown here) is awaited; this test does not look for a report.
   promise_test(async () => {
     const sameOriginOnlyScript = prefix + "corp-same-origin.js";
     await addScriptAndWaitForError(sameOriginOnlyScript);
   }, "Cross-origin subresource with Cross-Origin-Resource-Policy: same-origin should be blocked.");
     78 
   // Bundled response that opts in with Cross-Origin-Resource-Policy:
   // cross-origin. This is the positive control: the script is expected to run,
   // as awaited through addScriptAndWaitForExecution (defined in
   // ../resources/test-helpers.js, not shown here).
   promise_test(async () => {
     const crossOriginAllowedScript = prefix + "corp-cross-origin.js";
     await addScriptAndWaitForExecution(crossOriginAllowedScript);
   }, "Cross-origin subresource with Cross-Origin-Resource-Policy: cross-origin should be loaded.");
     82 
     83  </script>
     84 </body>