Google Git
Sign in
chromium / external / w3c / web-platform-tests / refs/tags/merge_pr_12192^! / .
commitb1f0b037511dbfb6ce9801c57fecc7efed944482[log] [tgz]
authorYutaka Hirano <yhirano@chromium.org>Fri Jul 27 14:45:52 2018
committerBlink WPT Bot <blink-w3c-test-autoroller@chromium.org>Fri Jul 27 14:54:34 2018
tree2de68db3f9212080b79ff1c0a6eaaa99300f3a42
parent36c9fdd4ef36c289f416a16707074157d818ea7c [diff]
[OOR-CORS] Add a wpt for CORS with sandboxed-iframe

CORSURLLoader uses network::ResourceRequest::request_initiator which
ignores iframe sandboxing, which is a bug. Let's add a simple test for
the behavior.

Bug: 867834
Change-Id: Ia45113503f98b3d18e31c785e703d29eee658d08
Reviewed-on: https://chromium-review.googlesource.com/1151167
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#578636}

diff --git a/fetch/api/cors/sandboxed-iframe.html b/fetch/api/cors/sandboxed-iframe.html
new file mode 100644
index 0000000..feb9f1f
--- /dev/null
+++ b/fetch/api/cors/sandboxed-iframe.html

@@ -0,0 +1,14 @@
+<!doctype html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<iframe sandbox="allow-scripts" src="../resources/sandboxed-iframe.html"></iframe>
+<script>
+promise_test(async (t) => {
+  const message = await new Promise((resolve) => {
+    window.addEventListener('message', e => resolve(e.data));
+  });
+  assert_equals(message, 'PASS');
+}, 'CORS with sandboxed iframe');
+</script>
+</html>

diff --git a/fetch/api/resources/sandboxed-iframe.html b/fetch/api/resources/sandboxed-iframe.html
new file mode 100644
index 0000000..6e5d506
--- /dev/null
+++ b/fetch/api/resources/sandboxed-iframe.html

@@ -0,0 +1,34 @@
+<!doctype html>
+<html>
+<script>
+async function no_cors_should_be_rejected() {
+  let thrown = false;
+  try {
+    const resp = await fetch('top.txt');
+  } catch (e) {
+    thrown = true;
+  }
+  if (!thrown) {
+    throw Error('fetching "top.txt" should be rejected.');
+  }
+}
+
+async function null_origin_should_be_accepted() {
+  const url = 'top.txt?pipe=header(access-control-allow-origin,null)|' +
+              'header(cache-control,no-store)';
+  const resp = await fetch(url);
+}
+
+async function test() {
+  try {
+    await no_cors_should_be_rejected();
+    await null_origin_should_be_accepted();
+    parent.postMessage('PASS', '*');
+  } catch (e) {
+    parent.postMessage(e.message, '*');
+  }
+}
+
+test();
+</script>
+</html>