[WIP] Sketching out Sec-Fetch-Ancestors

w3c/webappsec-fetch-metadata#56 Change-Id: I91e072ddd777150c973ad24f3f729cb2fd979232
web-platform-tests · Apr 30, 2024 · f5cd3ab · f5cd3ab
1 parent bda0e68
commit f5cd3ab
Show file tree

Hide file tree

Showing 62 changed files with 6,150 additions and 1 deletion.
diff --git a/fetch/metadata/generated/appcache-manifest.https.sub.tentative.html b/fetch/metadata/generated/appcache-manifest.https.sub.tentative.html
@@ -0,0 +1,88 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/appcache-manifest.sub.https.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for Appcache manifest</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url) {
+    const iframe = document.createElement('iframe');
+    iframe.src =
+      '/fetch/metadata/resources/appcache-iframe.sub.html?manifest=' + encodeURIComponent(url);
+
+    return new Promise((resolve) => {
+        addEventListener('message', function onMessage(event) {
+          if (event.source !== iframe.contentWindow) {
+            return;
+          }
+          removeEventListener('message', onMessage);
+          resolve(event.data);
+        });
+
+        document.body.appendChild(iframe);
+      })
+      .then((message) => {
+        if (message !== 'okay') {
+          throw message;
+        }
+      })
+      .then(() => iframe.remove());
+  }
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    assert_implements_optional(
+      !!window.applicationCache, 'Application Cache supported.'
+    );
+
+    induceRequest(makeRequestURL(key, ['httpsOrigin']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+      })
+      .then(() => t.done(), t.step_func((error) => { throw error; }));
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    assert_implements_optional(
+      !!window.applicationCache, 'Application Cache supported.'
+    );
+
+    induceRequest(makeRequestURL(key, ['httpsCrossSite']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+      })
+      .then(() => t.done(), t.step_func((error) => { throw error; }));
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    assert_implements_optional(
+      !!window.applicationCache, 'Application Cache supported.'
+    );
+
+    induceRequest(makeRequestURL(key, ['httpsSameSite']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+      })
+      .then(() => t.done(), t.step_func((error) => { throw error; }));
+  }, 'sec-fetch-frame-ancestors - Same site');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/audioworklet.https.sub.tentative.html b/fetch/metadata/generated/audioworklet.https.sub.tentative.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/audioworklet.https.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for AudioWorklet module</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/resources/testdriver.js"></script>
+  <script src="/resources/testdriver-vendor.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, test) {
+    return test_driver.bless(
+      'Enable WebAudio playback',
+      () => {
+        const audioContext = new AudioContext();
+
+        test.add_cleanup(() => audioContext.close());
+
+        return audioContext.audioWorklet.addModule(url);
+      }
+    );
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin'], {mime: 'text/javascript'}),
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite'], {mime: 'text/javascript'}),
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite'], {mime: 'text/javascript'}),
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/css-font-face.https.sub.tentative.html b/fetch/metadata/generated/css-font-face.https.sub.tentative.html
@@ -194,6 +194,39 @@
       });
   }, 'sec-fetch-site - Same-Site -> Cross-Site');
 
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpsOrigin']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+      });
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpsCrossSite']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+      });
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpsSameSite']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+      });
+  }, 'sec-fetch-frame-ancestors - Same site');
+
   promise_test((t) => {
     const key = '{{uuid()}}';
 

diff --git a/fetch/metadata/generated/css-font-face.sub.tentative.html b/fetch/metadata/generated/css-font-face.sub.tentative.html
@@ -160,6 +160,36 @@
       });
   }, 'sec-fetch-user - Not sent to non-trustworthy cross-site destination');
 
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpOrigin']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpSameSite']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpCrossSite']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+
   promise_test((t) => {
     const key = '{{uuid()}}';