Bug 1616478 [wpt PR 21877] - Fetch HTTP(S) scheme/data url scripts from data url iframe/dedicated worker/shared worker, a=testonly

Automatic update from web-platform-tests
Fetch HTTP(S) scheme/data url scripts from data url iframe/dedicated worker/shared worker (#21877)

This pull request adds web-platform-tests to check if fetching scripts from data url iframe, dedicated worker or shared worker is appropriately allowed or rejected by CORS.

--

wpt-commits: 2be2d7e3abcde5baded3448b85d0bb88e58d3cf7
wpt-pr: 21877

testing/web-platform/tests/fetch/api/cors/data-url-iframe.html

@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body></body>
+<script>
+
+const createDataUrlIframe = (url, cors) => {
+  const iframe = document.createElement("iframe");
+  const fetchURL = new URL(url, location.href) +
+      `${cors === 'null-origin'
+           ? '?pipe=header(Access-Control-Allow-Origin, null)' : ''}`;
+  const tag_name = 'script';
+  iframe.src =
+      `data:text/html, <${tag_name}>` +
+      `async function test() {` +
+      `  let allowed = true;` +
+      `  try {` +
+      `    await fetch('${fetchURL}');` +
+      `  } catch (e) {` +
+      `    allowed = false;` +
+      `  }` +
+      `  parent.postMessage({allowed}, '*');` +
+      `}` +
+      `test(); </${tag_name}>`;
+  return iframe;
+};
+
+const fetch_from_data_url_iframe_test =
+    (url, cors, expectation, description) => {
+  promise_test(async () => {
+    const iframe = createDataUrlIframe(url, cors);
+    document.body.appendChild(iframe);
+    const msgEvent = await new Promise(resolve => window.onmessage = resolve);
+    assert_equals(msgEvent.data.allowed ? 'allowed' : 'rejected', expectation);
+  }, description);
+};
+
+fetch_from_data_url_iframe_test(
+  '../resources/top.txt',
+  'acao-omitted',
+  'rejected',
+  'fetching "top.txt" without ACAO should be rejected.'
+);
+fetch_from_data_url_iframe_test(
+  '../resources/top.txt',
+  'null-origin',
+  'allowed',
+  'fetching "top.txt" with CORS allowing null origin should be allowed.'
+);
+fetch_from_data_url_iframe_test(
+  'data:text/plain, top',
+  'acao-omitted',
+  'allowed',
+  'fetching data url script should be allowed.'
+);
+
+</script>

testing/web-platform/tests/fetch/api/cors/data-url-shared-worker.html

@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+
+const fetch_from_data_url_worker_test =
+    (url, cors, expectation, description) => {
+  promise_test(async () => {
+    const fetchURL = new URL(url, location.href) +
+        `${cors === 'null-origin'
+             ? '?pipe=header(Access-Control-Allow-Origin, null)' : ''}`;
+    const scriptURL =
+      `data:text/javascript,` +
+      `async function test(port) {` +
+      `  let allowed = true;` +
+      `  try {` +
+      `    await fetch('${fetchURL}');` +
+      `  } catch (e) {` +
+      `    allowed = false;` +
+      `  }` +
+      `  port.postMessage({allowed});` +
+      `}` +
+      `onconnect = e => {` +
+      `  test(e.ports[0]);` +
+      `};`;
+    const worker = new SharedWorker(scriptURL);
+    const msgEvent =
+        await new Promise(resolve => worker.port.onmessage = resolve);
+    assert_equals(msgEvent.data.allowed ? 'allowed' : 'rejected', expectation);
+  }, description);
+};
+
+fetch_from_data_url_worker_test(
+  '../resources/top.txt',
+  'acao-omitted',
+  'rejected',
+  'fetching "top.txt" without ACAO should be rejected.'
+);
+fetch_from_data_url_worker_test(
+  '../resources/top.txt',
+  'null-origin',
+  'allowed',
+  'fetching "top.txt" with CORS allowing null origin should be allowed.'
+);
+fetch_from_data_url_worker_test(
+  'data:text/plain, top',
+  'acao-omitted',
+  'allowed',
+  'fetching data url script should be allowed.'
+);
+
+</script>

testing/web-platform/tests/fetch/api/cors/data-url-worker.html

@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+
+const fetch_from_data_url_shared_worker_test =
+    (url, cors, expectation, description) => {
+  promise_test(async () => {
+    const fetchURL = new URL(url, location.href) +
+        `${cors === 'null-origin'
+             ? '?pipe=header(Access-Control-Allow-Origin, null)' : ''}`;
+    const scriptURL =
+      `data:text/javascript,` +
+      `async function test() {` +
+      `  let allowed = true;` +
+      `  try {` +
+      `    await fetch('${fetchURL}');` +
+      `  } catch (e) {` +
+      `    allowed = false;` +
+      `  }` +
+      `  postMessage({allowed});` +
+      `}` +
+      `test();`;
+    const worker = new Worker(scriptURL);
+    const msgEvent = await new Promise(resolve => worker.onmessage = resolve);
+    assert_equals(msgEvent.data.allowed ? 'allowed' : 'rejected', expectation);
+  }, description);
+};
+
+fetch_from_data_url_shared_worker_test(
+  '../resources/top.txt',
+  'acao-omitted',
+  'rejected',
+  'fetching "top.txt" without ACAO should be rejected.'
+);
+fetch_from_data_url_shared_worker_test(
+  '../resources/top.txt',
+  'null-origin',
+  'allowed',
+  'fetching "top.txt" with CORS allowing null origin should be allowed.'
+);
+fetch_from_data_url_shared_worker_test(
+  'data:text/plain, top',
+  'acao-omitted',
+  'allowed',
+  'fetching data url script should be allowed.'
+);
+
+</script>