credentials.https.tentative.sub.html (5834B)
1 <!DOCTYPE html> 2 <title>Credentials in WebBundle subresource loading</title> 3 <link 4 rel="help" 5 href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md#requests-mode-and-credentials-mode" 6 /> 7 <script src="/resources/testharness.js"></script> 8 <script src="/resources/testharnessreport.js"></script> 9 <script src="../resources/test-helpers.js"></script> 10 <body> 11 <script> 12 // In this wpt, we test a request's credential mode, which controls 13 // whether UA sends a credential or not to fetch a bundle. 14 15 // If UA sends a credential, check-cookie-and-return-{cross-oriigin}-bundle.py 16 // returns a valid format webbundle. Then, a subresource fetch should be successful. 17 // Otherwise, a subresource fetch should be rejected. 18 19 setup(() => { 20 assert_true(HTMLScriptElement.supports("webbundle")); 21 }); 22 23 document.cookie = "milk=1; path=/"; 24 25 // Make sure to set a cookie for a cross-origin domain from where a cross 26 // origin bundle is served. 27 const setCookiePromise = fetch( 28 "https://{{domains[www1]}}:{{ports[https][0]}}/cookies/resources/set-cookie.py?name=milk&path=/web-bundle/resources/", 29 { 30 mode: "no-cors", 31 credentials: "include", 32 } 33 ); 34 35 const same_origin_bundle = "../resources/check-cookie-and-return-bundle.py"; 36 const cross_origin_bundle = 37 "https://{{domains[www1]}}:{{ports[https][0]}}/web-bundle/resources/check-cookie-and-return-bundle.py?bundle=cross-origin"; 38 39 const same_origin_bundle_subresource = "../resources/wbn/root.js"; 40 const cross_origin_bundle_subresource = 41 "https://{{domains[www1]}}:{{ports[https][0]}}/web-bundle/resources/wbn/simple-cross-origin.txt"; 42 43 async function assertSubresourceCanBeFetched() { 44 const response = await fetch(same_origin_bundle_subresource); 45 const text = await response.text(); 46 assert_equals(text, "export * from './submodule.js';\n"); 47 } 48 49 async function assertCrossOriginSubresourceCanBeFetched() { 50 const response = await fetch(cross_origin_bundle_subresource); 51 const text = await response.text(); 52 assert_equals(text, "hello from simple-cross-origin.txt"); 53 } 54 55 function createScriptWebBundle(credentials) { 56 const options = {}; 57 if (credentials) { 58 options.credentials = credentials; 59 } 60 return createWebBundleElement( 61 same_origin_bundle, 62 [same_origin_bundle_subresource], 63 options 64 ); 65 } 66 67 function createScriptWebBundleCrossOrigin(credentials) { 68 const options = {}; 69 if (credentials) { 70 options.credentials = credentials; 71 } 72 return createWebBundleElement( 73 cross_origin_bundle, 74 [cross_origin_bundle_subresource], 75 options 76 ); 77 } 78 79 promise_test(async (t) => { 80 const script = createScriptWebBundle(); 81 document.body.append(script); 82 t.add_cleanup(() => script.remove()); 83 84 await assertSubresourceCanBeFetched(); 85 }, "The default should send a credential to a same origin bundle"); 86 87 promise_test(async (t) => { 88 const script = createScriptWebBundle("invalid"); 89 document.body.append(script); 90 t.add_cleanup(() => script.remove()); 91 92 await assertSubresourceCanBeFetched(); 93 }, "An invalid value should send a credential to a same origin bundle"); 94 95 promise_test(async (t) => { 96 const script = createScriptWebBundle("omit"); 97 document.body.append(script); 98 t.add_cleanup(() => script.remove()); 99 100 return promise_rejects_js( 101 t, 102 TypeError, 103 fetch(same_origin_bundle_subresource) 104 ); 105 }, "'omit' should not send a credential to a same origin bundle"); 106 107 promise_test(async (t) => { 108 const script = createScriptWebBundle("same-origin"); 109 document.body.append(script); 110 t.add_cleanup(() => script.remove()); 111 112 await assertSubresourceCanBeFetched(); 113 }, "'same-origin' should send a credential to a same origin bundle"); 114 115 promise_test(async (t) => { 116 const script = createScriptWebBundle("include"); 117 document.body.append(script); 118 t.add_cleanup(() => script.remove()); 119 120 await assertSubresourceCanBeFetched(); 121 }, "'include' should send a credential to a same origin bundle"); 122 123 promise_test(async (t) => { 124 await setCookiePromise; 125 126 const script = createScriptWebBundleCrossOrigin("omit"); 127 document.body.append(script); 128 t.add_cleanup(() => script.remove()); 129 130 return promise_rejects_js( 131 t, 132 TypeError, 133 fetch(cross_origin_bundle_subresource) 134 ); 135 }, "'omit' should not send a credential to a cross origin bundle"); 136 137 promise_test(async (t) => { 138 await setCookiePromise; 139 140 const script = createScriptWebBundleCrossOrigin("same-origin"); 141 document.body.append(script); 142 t.add_cleanup(() => script.remove()); 143 144 return promise_rejects_js( 145 t, 146 TypeError, 147 fetch(cross_origin_bundle_subresource) 148 ); 149 }, "'same-origin' should not send a credential to a cross origin bundle"); 150 151 promise_test(async (t) => { 152 await setCookiePromise; 153 154 const script = createScriptWebBundleCrossOrigin("include"); 155 document.body.append(script); 156 t.add_cleanup(() => script.remove()); 157 158 await assertCrossOriginSubresourceCanBeFetched(); 159 }, "'include' should send a credential to a cross origin bundle"); 160 161 promise_test(async (t) => { 162 const script = createScriptWebBundleCrossOrigin("invalid"); 163 document.body.append(script); 164 t.add_cleanup(() => script.remove()); 165 166 return promise_rejects_js( 167 t, 168 TypeError, 169 fetch(cross_origin_bundle_subresource) 170 ); 171 }, "An invalid value should not send a credential to a cross origin bundle"); 172 </script> 173 </body>