Make the Referrer-Policy tests allow further truncated referrers (#29434)
This allows UAs to take advantage of the spec's allowance to be more
aggressive than otherwise:
> The user agent MAY alter referrerURL or referrerOrigin at this point
> to enforce arbitrary policy considerations in the interests of
> minimizing data leakage.
diff --git a/referrer-policy/generic/test-case.sub.js b/referrer-policy/generic/test-case.sub.js
index 6656084..717cd1a 100644
--- a/referrer-policy/generic/test-case.sub.js
+++ b/referrer-policy/generic/test-case.sub.js
@@ -41,14 +41,20 @@
}
const referrerUrlResolver = {
+ // The spec allows UAs to "enforce arbitrary policy considerations in the
+ // interests of minimizing data leakage"; to start to vaguely approximate
+ // this, we allow stronger policies to be used instead of what's specificed.
"omitted": function(sourceUrl) {
- return undefined;
+ return [undefined];
},
"origin": function(sourceUrl) {
- return stripUrlForUseAsReferrer(sourceUrl, true);
+ return [stripUrlForUseAsReferrer(sourceUrl, true),
+ undefined];
},
"stripped-referrer": function(sourceUrl) {
- return stripUrlForUseAsReferrer(sourceUrl, false);
+ return [stripUrlForUseAsReferrer(sourceUrl, false),
+ stripUrlForUseAsReferrer(sourceUrl, true),
+ undefined];
}
};
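Review bot: The new comment at the top of `referrerUrlResolver` does not state the invariant the three arrays depend on: each one lists the specified referrer first and then only values that reveal less, so a referrer carrying more than the policy permits still fails. I would spell that out and fix the typo ("specificed" should be "specified"), for example `// Each list holds the specified value followed only by less-revealing ones; never add a more-revealing value here.` It is also worth one sentence noting that an absent referrer (`undefined`) now satisfies every expectation, so these tests no longer detect a UA that drops the referrer where the policy would allow one.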
@@ -70,18 +76,16 @@
// external <iframe>.
referrerSource = location.toString();
}
- const expectedReferrerUrl =
+ const possibleReferrerUrls =
referrerUrlResolver[expectation](referrerSource);
// Check the reported URL.
- assert_equals(result.referrer,
- expectedReferrerUrl,
- "Reported Referrer URL is '" +
- expectation + "'.");
- assert_equals(result.headers.referer,
- expectedReferrerUrl,
- "Reported Referrer URL from HTTP header is '" +
- expectedReferrerUrl + "'");
+ assert_in_array(result.referrer,
+ possibleReferrerUrls,
+ "document.referrer");
+ assert_in_array(result.headers.referer,
+ possibleReferrerUrls,
+ "HTTP Referer header");
}
function runLengthTest(scenario, urlLength, expectation, testDescription) {
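Review bot: The descriptions passed to `assert_in_array` no longer mention `expectation`, so a failure report does not say which policy outcome was being checked, whereas the removed `assert_equals` messages did. Something like `"document.referrer for expectation '" + expectation + "'"` and `"HTTP Referer header for expectation '" + expectation + "'"` would keep that context. Separately, the two values are now each checked against the list on their own, so `result.referrer` and `result.headers.referer` can differ from one another and still pass; if that is not intended, an `assert_equals` between the two would restore the old coupling. The enclosing function starts above the hunk, so how `result` is populated is not visible here.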