Google Git
Sign in
chromium / external / w3c / web-platform-tests / refs/tags/merge_pr_19550 / . / fetch / metadata / sec-fetch-dest / redirect / multiple-redirect-https-downgrade-upgrade.tentative.sub.html
blob: 78ee10dc736cac4ae648254df21afac781ca7526 [file] [log] [blame]
<!DOCTYPE html>
<html>
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src=/fetch/metadata/resources/helper.js></script>
<script src=/fetch/metadata/resources/redirectTestHelper.sub.js></script>
<script src=/common/security-features/resources/common.sub.js></script>
<script src=/common/utils.js></script>
<style>
@font-face {
font-family: myDowngradeUpgradeFont;
src: url(https://{{host}}:{{ports[https][0]}}/fetch/api/resources/redirect.py?location=http%3A%2F%2F{{host}}%3A{{ports[http][0]}}%2Ffetch%2Fapi%2Fresources%2Fredirect.py%3Flocation%3Dhttps%253A%252F%252F{{host}}%253A{{ports[https][0]}}%252Ffetch%252Fmetadata%252Fresources%252Frecord-header.py%253Ffile%253Dfont-https-downgrade-upgrade{{$id:uuid()}});
}
#fontTest {
font-family: myDowngradeUpgradeFont;
}
</style>
<body>
<div id="fontTest">Downgraded then upgraded font</div>
<script>
let nonce = "{{$id}}";
// Validate various scenarios handle a request that redirects from https => http
// correctly and avoids disclosure of any Sec- headers.
RunCommonRedirectTests("Https downgrade-upgrade", MultipleRedirectTo, expected);
document.fonts.ready.then(function () {
promise_test(t => {
return new Promise((resolve, reject) => {
let key = "font-https-downgrade-upgrade{{$id}}";
return fetch_record_header_with_catch(key, "", assert_header_dest_equals, resolve, reject);
});
}, "Https downgrade-upgrade font => No headers");
});
promise_test(() => {
return requestViaImage(secureRedirectURL + encodeURIComponent(insecureRedirectURL + encodeURIComponent("https://{{host}}:{{ports[https][0]}}/common/security-features/subresource/image.py")))
.then(result => {
headers = result.headers;
got = {
"dest": headers["sec-fetch-dest"]
};
// Note that we're using `undefined` here, as opposed to "" elsewhere because of the way
// that `image.py` encodes data.
assert_header_dest_equals(got, undefined);
});
}, "Https downgrade-upgrade image => No headers");
</script>
<script src="https://{{host}}:{{ports[https][0]}}/fetch/api/resources/redirect.py?location=http%3A%2F%2F{{host}}%3A{{ports[http][0]}}%2Ffetch%2Fapi%2Fresources%2Fredirect.py%3Flocation%3Dhttps%253A%252F%252F{{host}}%253A{{ports[https][0]}}%252Ffetch%252Fmetadata%252Fresources%252Fecho-as-script.py"></script>
<script>
test(t => {
t.add_cleanup(_ => { header = null; });
assert_header_dest_equals(header, "");
}, "Https downgrade-upgrade script => No headers");
</script>
</body>