From 9ae1592fbfd99b2fc9078b5fe2edb5a52aaf330a Mon Sep 17 00:00:00 2001 
From: Arthur Hemery
Date: Fri, 4 Dec 2020 03:54:39 +0000
Subject: [PATCH] Bug 1678317 [wpt PR 26575] - [CORS-RFC1918] Adding WPT tests for fetch in insecure contexts., a=testonly

Automatic update from web-platform-tests
[CORS-RFC1918] Adding WPT tests for fetch in insecure contexts.

Adds tests verifying that fetch takes into account the CORS-RFC1918 restrictions regarding secure contexts.

These tests are run with the CORS-RFC1918 flag as a virtual suite because the flag currently breaks other non-related tests due to inheritance rules not being implemented.

Bug: 1138907
Change-Id: I0b5241c0ed13b4b6247310f19fdd0889351ee54b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2517593
Commit-Queue: Arthur Hemery
Reviewed-by: Titouan Rigoudy
Reviewed-by: Arthur Sonzogni
Cr-Commit-Position: refs/heads/master@{#833313}
--
wpt-commits: 9533c723edd37e31e092edcb6bbf29c636d2f087
wpt-pr: 26575
---
 .../cors-rfc1918/non-secure-context.window.js | 31 +++++++++++++++++
 .../fetch/cors-rfc1918/resources/support.js | 34 +++++++++++++++++++
 .../resources/treat-as-public-address.html | 8 +++++
 .../treat-as-public-address.html.headers | 1 +
 .../treat-as-public-address.https.html | 8 +++++
 ...treat-as-public-address.https.html.headers | 1 +
 .../secure-context.https.window.js | 31 +++++++++++++++++
 7 files changed, 114 insertions(+)
 create mode 100644 testing/web-platform/tests/fetch/cors-rfc1918/non-secure-context.window.js
 create mode 100644 testing/web-platform/tests/fetch/cors-rfc1918/resources/support.js
 create mode 100644 testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.html
 create mode 100644 testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.html.headers
 create mode 100644 testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.https.html
 create mode 100644 testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.https.html.headers
 create mode 100644 
testing/web-platform/tests/fetch/cors-rfc1918/secure-context.https.window.js
diff --git a/testing/web-platform/tests/fetch/cors-rfc1918/non-secure-context.window.js b/testing/web-platform/tests/fetch/cors-rfc1918/non-secure-context.window.js
new file mode 100644
index 000000000000..8f49a5cbedda
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cors-rfc1918/non-secure-context.window.js
@@ -0,0 +1,31 @@
+// META: script=resources/support.js
+//
+// Spec: https://wicg.github.io/cors-rfc1918/#integration-fetch
+//
+// This file covers only those tests that must execute in a non secure context.
+// Other tests are defined in: secure-context.window.js
+
+setup(() => {
+ // Making sure we are in a non secure context, as expected.
+ assert_false(window.isSecureContext);
+});
+
+promise_test(async t => {
+ return fetch("/common/blank.html")
+ .catch(reason => {unreached_func(reason)});
+}, "Local non secure page fetches local page.");
+
+// For the following tests, we go through an iframe, because it is not possible
+// to directly import the test harness from a secured public page.
+promise_test(async t => {
+ let iframe = await appendIframe(t, document,
+ "resources/treat-as-public-address.html");
+ let reply = futureMessage();
+ iframe.contentWindow.postMessage("/common/blank.html", "*");
+ assert_equals(await reply, "failure");
+}, "Public non secure page fetches local page.");
+
+// TODO(https://github.com/web-platform-tests/wpt/issues/26166):
+// Add tests for public variations when we are able to fetch resources using a
+// mechanism compatible with WPT guidelines regarding being self-contained.
+
diff --git a/testing/web-platform/tests/fetch/cors-rfc1918/resources/support.js b/testing/web-platform/tests/fetch/cors-rfc1918/resources/support.js
new file mode 100644
index 000000000000..be49c515ef54
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cors-rfc1918/resources/support.js
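Review bot: The `.catch(reason => {unreached_func(reason)})` in the "Local non secure page fetches local page." test cannot fail: testharness's `unreached_func` only builds an assertion callback and returns it, so the arrow body discards that callback, the rejection is swallowed and the test promise resolves. Either pass the callback itself to catch, `.catch(unreached_func("fetch of a local page should not reject"))`, or assert directly in the handler with `assert_unreached`. The same pattern appears in the secure-context.https.window.js hunk. Since the iframe is loaded from a same-origin relative path, the `"*"` target in `postMessage("/common/blank.html", "*")` could presumably be `location.origin` so the message is not delivered if the frame ends up elsewhere, though this is not what the test is exercising.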
@@ -0,0 +1,34 @@
+// Creates a new iframe in |doc|, calls |func| on it and appends it as a child
+// of |doc|.
+// Returns a promise that resolves to the iframe once loaded (successfully or
+// not).
+// The iframe is removed from |doc| once test |t| is done running.
+//
+// NOTE: Because iframe elements always invoke the onload event handler, even
+// in case of error, we cannot wire onerror to a promise rejection. The Promise
+// constructor requires users to resolve XOR reject the promise.
+function appendIframeWith(t, doc, func) {
+ return new Promise(resolve => {
+ const child = doc.createElement("iframe");
+ func(child);
+ child.onload = () => { resolve(child); };
+ doc.body.appendChild(child);
+ t.add_cleanup(() => { doc.body.removeChild(child); });
+ });
+}
+
+// Appends a child iframe to |doc| sourced from |src|.
+//
+// See append_child_frame_with() for more details.
+function appendIframe(t, doc, src) {
+ return appendIframeWith(t, doc, child => { child.src = src; });
+}
+
+// Register an event listener that will resolve this promise when this
+// window receives a message posted to it.
+function futureMessage() {
+ return new Promise(resolve => {
+ window.addEventListener("message", e => resolve(e.data));
+ });
+};
+
diff --git a/testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.html b/testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.html
new file mode 100644
index 000000000000..7a8f6f09a517
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.html
@@ -0,0 +1,8 @@
+ +
diff --git a/testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.html.headers b/testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.html.headers
new file mode 100644
index 000000000000..76371c6209e4
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.html.headers
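Review bot: The comment above `appendIframe` points readers to `append_child_frame_with()`, a name that does not exist in this file; the helper it wraps is `appendIframeWith`, so it should read `// See appendIframeWith() for more details.`. Separately, `futureMessage` registers a message listener that is never removed and resolves on the first message from any source, so each call in the same document leaves another listener attached for the rest of the test; `window.addEventListener("message", e => resolve(e.data), { once: true });` drops it after it fires, and callers that need to distinguish frames would additionally compare `e.source` with the iframe's `contentWindow`. The `};` closing `futureMessage` is a stray empty statement after a function declaration; `}` is enough.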
@@ -0,0 +1 @@
+Content-Security-Policy: treat-as-public-address;
diff --git a/testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.https.html b/testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.https.html
new file mode 100644
index 000000000000..7a8f6f09a517
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.https.html
@@ -0,0 +1,8 @@
+ +
diff --git a/testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.https.html.headers b/testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.https.html.headers
new file mode 100644
index 000000000000..76371c6209e4
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cors-rfc1918/resources/treat-as-public-address.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: treat-as-public-address;
diff --git a/testing/web-platform/tests/fetch/cors-rfc1918/secure-context.https.window.js b/testing/web-platform/tests/fetch/cors-rfc1918/secure-context.https.window.js
new file mode 100644
index 000000000000..8ed028a390c1
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cors-rfc1918/secure-context.https.window.js
@@ -0,0 +1,31 @@
+// META: script=resources/support.js
+//
+// Spec: https://wicg.github.io/cors-rfc1918/#integration-fetch
+//
+// This file covers only those tests that must execute in a secure context.
+// Other tests are defined in: non-secure-context.window.js
+
+setup(() => {
+ // Making sure we are in a secure context, as expected.
+ assert_true(window.isSecureContext);
+});
+
+promise_test(async t => {
+ return fetch("/common/blank.html")
+ .catch(reason => {unreached_func(reason)});
+}, "Local secure page fetches local page.");
+
+// For the following tests, we go through an iframe, because it is not possible
+// to directly import the test harness from a secured public page.
+promise_test(async t => {
+ let iframe = await appendIframe(t, document,
+ "resources/treat-as-public-address.https.html");
+ let reply = futureMessage();
+ iframe.contentWindow.postMessage("/common/blank.html", "*");
+ assert_equals(await reply, "success");
+}, "Public secure page fetches local page.");
+
+// TODO(https://github.com/web-platform-tests/wpt/issues/26166):
+// Add tests for public variations when we are able to fetch resources using a
+// mechanism compatible with WPT guidelines regarding being self-contained.
+