[OOR-CORS] Add a wpt for CORS with sandboxed-iframe
CORSURLLoader uses network::ResourceRequest::request_initiator which
ignores iframe sandboxing, which is a bug. Let's add a simple test for
the behavior.
Bug: 867834
Change-Id: Ia45113503f98b3d18e31c785e703d29eee658d08
Reviewed-on: https://chromium-review.googlesource.com/1151167
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#578636}
diff --git a/fetch/api/cors/sandboxed-iframe.html b/fetch/api/cors/sandboxed-iframe.html
new file mode 100644
index 0000000..feb9f1f
--- /dev/null
+++ b/fetch/api/cors/sandboxed-iframe.html
@@ -0,0 +1,14 @@
+<!doctype html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<iframe sandbox="allow-scripts" src="../resources/sandboxed-iframe.html"></iframe>
+<script>
+promise_test(async (t) => {
+ const message = await new Promise((resolve) => {
+ window.addEventListener('message', e => resolve(e.data));
+ });
+ assert_equals(message, 'PASS');
+}, 'CORS with sandboxed iframe');
+</script>
+</html>
diff --git a/fetch/api/resources/sandboxed-iframe.html b/fetch/api/resources/sandboxed-iframe.html
new file mode 100644
index 0000000..6e5d506
--- /dev/null
+++ b/fetch/api/resources/sandboxed-iframe.html
@@ -0,0 +1,34 @@
+<!doctype html>
+<html>
+<script>
+async function no_cors_should_be_rejected() {
+ let thrown = false;
+ try {
+ const resp = await fetch('top.txt');
+ } catch (e) {
+ thrown = true;
+ }
+ if (!thrown) {
+ throw Error('fetching "top.txt" should be rejected.');
+ }
+}
+
+async function null_origin_should_be_accepted() {
+ const url = 'top.txt?pipe=header(access-control-allow-origin,null)|' +
+ 'header(cache-control,no-store)';
+ const resp = await fetch(url);
+}
+
+async function test() {
+ try {
+ await no_cors_should_be_rejected();
+ await null_origin_should_be_accepted();
+ parent.postMessage('PASS', '*');
+ } catch (e) {
+ parent.postMessage(e.message, '*');
+ }
+}
+
+test();
+</script>
+</html>