Bug 1478689 [wpt PR 12192] - [OOR-CORS] Add a wpt for CORS with sandboxed-iframe, a=testonly

Automatic update from web-platform-tests[OOR-CORS] Add a wpt for CORS with sandboxed-iframe

CORSURLLoader uses network::ResourceRequest::request_initiator which
ignores iframe sandboxing, which is a bug. Let's add a simple test for
the behavior.

Bug: 867834
Change-Id: Ia45113503f98b3d18e31c785e703d29eee658d08
Reviewed-on: https://chromium-review.googlesource.com/1151167
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#578636}

--

wpt-commits: b1f0b037511dbfb6ce9801c57fecc7efed944482
wpt-pr: 12192

testing/web-platform/meta/MANIFEST.json

@@ -275938,6 +275938,11 @@
      {}
     ]
    ],
+   "fetch/api/resources/sandboxed-iframe.html": [
+    [
+     {}
+    ]
+   ],
    "fetch/api/resources/script-with-header.py": [
     [
      {}
@@ -347868,6 +347873,12 @@
      {}
     ]
    ],
+   "fetch/api/cors/sandboxed-iframe.html": [
+    [
+     "/fetch/api/cors/sandboxed-iframe.html",
+     {}
+    ]
+   ],
    "fetch/api/credentials/authentication-basic.any.js": [
     [
      "/fetch/api/credentials/authentication-basic.any.html",
@@ -580641,6 +580652,10 @@
    "cdf4097d5669241373dc7a03ad52c1cb974b5258",
    "testharness"
   ],
+  "fetch/api/cors/sandboxed-iframe.html": [
+   "feb9f1f2e5bd3e2a1d1937103ea13c2fdb32aea6",
+   "testharness"
+  ],
   "fetch/api/credentials/authentication-basic.any.js": [
    "4969b3042e8dcde56b0adb708fb2c5f64d18a9eb",
    "testharness"
@@ -581121,6 +581136,10 @@
    "8e6f9c24b77f7850ea5e8045e8ce276f204f61f4",
    "support"
   ],
+  "fetch/api/resources/sandboxed-iframe.html": [
+   "6e5d5065474d47d34bab3959ae5d0e8f0dc7d072",
+   "support"
+  ],
   "fetch/api/resources/script-with-header.py": [
    "5337cc97bdd7737e40398cb066a98a5246ba4392",
    "support"

testing/web-platform/tests/fetch/api/cors/sandboxed-iframe.html

@@ -0,0 +1,14 @@
+<!doctype html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<iframe sandbox="allow-scripts" src="../resources/sandboxed-iframe.html"></iframe>
+<script>
+promise_test(async (t) => {
+  const message = await new Promise((resolve) => {
+    window.addEventListener('message', e => resolve(e.data));
+  });
+  assert_equals(message, 'PASS');
+}, 'CORS with sandboxed iframe');
+</script>
+</html>

testing/web-platform/tests/fetch/api/resources/sandboxed-iframe.html

@@ -0,0 +1,34 @@
+<!doctype html>
+<html>
+<script>
+async function no_cors_should_be_rejected() {
+  let thrown = false;
+  try {
+    const resp = await fetch('top.txt');
+  } catch (e) {
+    thrown = true;
+  }
+  if (!thrown) {
+    throw Error('fetching "top.txt" should be rejected.');
+  }
+}
+
+async function null_origin_should_be_accepted() {
+  const url = 'top.txt?pipe=header(access-control-allow-origin,null)|' +
+              'header(cache-control,no-store)';
+  const resp = await fetch(url);
+}
+
+async function test() {
+  try {
+    await no_cors_should_be_rejected();
+    await null_origin_should_be_accepted();
+    parent.postMessage('PASS', '*');
+  } catch (e) {
+    parent.postMessage(e.message, '*');
+  }
+}
+
+test();
+</script>
+</html>