From 7dbaede8bd3c899c741b65af020a7c904b904550 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Fri, 17 Aug 2018 22:03:25 +0000 Subject: [PATCH] Bug 1467886 [wpt PR 11432] - Fetch: tests for further CORS restrictions, a=testonly Automatic update from web-platform-testsFetch: tests for further CORS restrictions For https://github.com/whatwg/fetch/pull/736. -- wpt-commits: a70e655d979df85b59e977b61361c0d6d8bf2bf2 wpt-pr: 11432 --- testing/web-platform/meta/MANIFEST.json | 44 +++++++++++++- .../cors-preflight-not-cors-safelisted.any.js | 19 ++++++ .../fetch/api/cors/cors-preflight.any.js | 60 +------------------ .../fetch/api/cors/resources/corspreflight.js | 58 ++++++++++++++++++ .../cors/resources/not-cors-safelisted.json | 11 ++++ .../api/headers/headers-no-cors.window.js | 19 ++++++ 6 files changed, 151 insertions(+), 60 deletions(-) create mode 100644 testing/web-platform/tests/fetch/api/cors/cors-preflight-not-cors-safelisted.any.js create mode 100644 testing/web-platform/tests/fetch/api/cors/resources/corspreflight.js create mode 100644 testing/web-platform/tests/fetch/api/cors/resources/not-cors-safelisted.json create mode 100644 testing/web-platform/tests/fetch/api/headers/headers-no-cors.window.js diff --git a/testing/web-platform/meta/MANIFEST.json b/testing/web-platform/meta/MANIFEST.json index a9ae9b28bccf..c2fa9a6b7a9d 100644 --- a/testing/web-platform/meta/MANIFEST.json +++ b/testing/web-platform/meta/MANIFEST.json @@ -277087,6 +277087,16 @@ {} ] ], + "fetch/api/cors/resources/corspreflight.js": [ + [ + {} + ] + ], + "fetch/api/cors/resources/not-cors-safelisted.json": [ + [ + {} + ] + ], "fetch/api/policies/csp-blocked.html.headers": [ [ {} @@ -350830,6 +350840,16 @@ {} ] ], + "fetch/api/cors/cors-preflight-not-cors-safelisted.any.js": [ + [ + "/fetch/api/cors/cors-preflight-not-cors-safelisted.any.html", + {} + ], + [ + "/fetch/api/cors/cors-preflight-not-cors-safelisted.any.worker.html", + {} + ] + ], "fetch/api/cors/cors-preflight-redirect.any.js": [ [ "/fetch/api/cors/cors-preflight-redirect.any.html", @@ -350976,6 +350996,12 @@ {} ] ], + "fetch/api/headers/headers-no-cors.window.js": [ + [ + "/fetch/api/headers/headers-no-cors.window.html", + {} + ] + ], "fetch/api/headers/headers-normalize.html": [ [ "/fetch/api/headers/headers-normalize.html", @@ -585057,6 +585083,10 @@ "ce6a169d8146750b183c9210d1b2041fac879248", "testharness" ], + "fetch/api/cors/cors-preflight-not-cors-safelisted.any.js": [ + "b2747ccd5bc09e4174aa4c59244e386c80527b51", + "testharness" + ], "fetch/api/cors/cors-preflight-redirect.any.js": [ "5d4de7ebaad1d45775cdb00bf0233aca1a34f612", "testharness" @@ -585074,7 +585104,7 @@ "testharness" ], "fetch/api/cors/cors-preflight.any.js": [ - "4765c5684cf84ddfad2dadace08e99d609bed6e6", + "7455b9774031c8ead6ebaf65165ee920eb9f4218", "testharness" ], "fetch/api/cors/cors-redirect-credentials.any.js": [ @@ -585089,6 +585119,14 @@ "cdf4097d5669241373dc7a03ad52c1cb974b5258", "testharness" ], + "fetch/api/cors/resources/corspreflight.js": [ + "f85d90d9edd6a345564e2b8144123472fde58e4d", + "support" + ], + "fetch/api/cors/resources/not-cors-safelisted.json": [ + "20a162f92c13b3d7fa8bcefab49c98cdd4b42a4c", + "support" + ], "fetch/api/cors/sandboxed-iframe.html": [ "feb9f1f2e5bd3e2a1d1937103ea13c2fdb32aea6", "testharness" @@ -585125,6 +585163,10 @@ "194ff32f1559f2dd9b5903eb3738c17c061c7172", "testharness" ], + "fetch/api/headers/headers-no-cors.window.js": [ + "aa6562b7d377f4ad74456a87d7e37bf0bd18cb2b", + "testharness" + ], "fetch/api/headers/headers-normalize.html": [ "6dfcf9d8194776479d500a6f6c6a5851424d9efc", "testharness" diff --git a/testing/web-platform/tests/fetch/api/cors/cors-preflight-not-cors-safelisted.any.js b/testing/web-platform/tests/fetch/api/cors/cors-preflight-not-cors-safelisted.any.js new file mode 100644 index 000000000000..b2747ccd5bc0 --- /dev/null +++ b/testing/web-platform/tests/fetch/api/cors/cors-preflight-not-cors-safelisted.any.js @@ -0,0 +1,19 @@ +// META: script=/common/utils.js +// META: script=../resources/utils.js +// META: script=/common/get-host-info.sub.js +// META: script=resources/corspreflight.js + +const corsURL = get_host_info().HTTP_REMOTE_ORIGIN + dirname(location.pathname) + RESOURCES_DIR + "preflight.py"; + +promise_test(() => fetch("resources/not-cors-safelisted.json").then(res => res.json().then(runTests)), "Loading data…"); + +function runTests(testArray) { + testArray.forEach(testItem => { + const [headerName, headerValue] = testItem; + corsPreflight("Need CORS-preflight for " + headerName + "/" + headerValue + " header", + corsURL, + "GET", + true, + [[headerName, headerValue]]); + }); +} diff --git a/testing/web-platform/tests/fetch/api/cors/cors-preflight.any.js b/testing/web-platform/tests/fetch/api/cors/cors-preflight.any.js index 4765c5684cf8..7455b9774031 100644 --- a/testing/web-platform/tests/fetch/api/cors/cors-preflight.any.js +++ b/testing/web-platform/tests/fetch/api/cors/cors-preflight.any.js @@ -1,65 +1,7 @@ // META: script=/common/utils.js // META: script=../resources/utils.js // META: script=/common/get-host-info.sub.js - -function headerNames(headers) -{ - let names = []; - for (let header of headers) - names.push(header[0].toLowerCase()); - return names -} - -/* - Check preflight is done - Control if server allows method and headers and check accordingly - Check control access headers added by UA (for method and headers) -*/ -function corsPreflight(desc, corsUrl, method, allowed, headers, safeHeaders) { - return promise_test(function(test) { - var uuid_token = token(); - return fetch(RESOURCES_DIR + "clean-stash.py?token=" + uuid_token).then(function(response) { - var url = corsUrl + (corsUrl.indexOf("?") === -1 ? "?" : "&"); - var urlParameters = "token=" + uuid_token + "&max_age=0"; - var requestInit = {"mode": "cors", "method": method}; - var requestHeaders = []; - if (headers) - requestHeaders.push.apply(requestHeaders, headers); - if (safeHeaders) - requestHeaders.push.apply(requestHeaders, safeHeaders); - requestInit["headers"] = requestHeaders; - - if (allowed) { - urlParameters += "&allow_methods=" + method + "&control_request_headers"; - if (headers) { - //Make the server allow the headers - urlParameters += "&allow_headers=" + headerNames(headers).join("%20%2C"); - } - return fetch(url + urlParameters, requestInit).then(function(resp) { - assert_equals(resp.status, 200, "Response's status is 200"); - assert_equals(resp.headers.get("x-did-preflight"), "1", "Preflight request has been made"); - if (headers) { - var actualHeaders = resp.headers.get("x-control-request-headers").toLowerCase().split(","); - for (var i in actualHeaders) - actualHeaders[i] = actualHeaders[i].trim(); - for (var header of headers) - assert_in_array(header[0].toLowerCase(), actualHeaders, "Preflight asked permission for header: " + header); - - let accessControlAllowHeaders = headerNames(headers).sort().join(","); - assert_equals(resp.headers.get("x-control-request-headers"), accessControlAllowHeaders, "Access-Control-Allow-Headers value"); - return fetch(RESOURCES_DIR + "clean-stash.py?token=" + uuid_token); - } else { - assert_equals(resp.headers.get("x-control-request-headers"), null, "Access-Control-Request-Headers should be omitted") - } - }); - } else { - return promise_rejects(test, new TypeError(), fetch(url + urlParameters, requestInit)).then(function(){ - return fetch(RESOURCES_DIR + "clean-stash.py?token=" + uuid_token); - }); - } - }); - }, desc); -} +// META: script=resources/corspreflight.js var corsUrl = get_host_info().HTTP_REMOTE_ORIGIN + dirname(location.pathname) + RESOURCES_DIR + "preflight.py"; diff --git a/testing/web-platform/tests/fetch/api/cors/resources/corspreflight.js b/testing/web-platform/tests/fetch/api/cors/resources/corspreflight.js new file mode 100644 index 000000000000..f85d90d9edd6 --- /dev/null +++ b/testing/web-platform/tests/fetch/api/cors/resources/corspreflight.js @@ -0,0 +1,58 @@ +function headerNames(headers) { + let names = []; + for (let header of headers) { + names.push(header[0].toLowerCase()); + } + return names; +} + +/* + Check preflight is done + Control if server allows method and headers and check accordingly + Check control access headers added by UA (for method and headers) +*/ +function corsPreflight(desc, corsUrl, method, allowed, headers, safeHeaders) { + return promise_test(function(test) { + var uuid_token = token(); + return fetch(RESOURCES_DIR + "clean-stash.py?token=" + uuid_token).then(function(response) { + var url = corsUrl + (corsUrl.indexOf("?") === -1 ? "?" : "&"); + var urlParameters = "token=" + uuid_token + "&max_age=0"; + var requestInit = {"mode": "cors", "method": method}; + var requestHeaders = []; + if (headers) + requestHeaders.push.apply(requestHeaders, headers); + if (safeHeaders) + requestHeaders.push.apply(requestHeaders, safeHeaders); + requestInit["headers"] = requestHeaders; + + if (allowed) { + urlParameters += "&allow_methods=" + method + "&control_request_headers"; + if (headers) { + //Make the server allow the headers + urlParameters += "&allow_headers=" + headerNames(headers).join("%20%2C"); + } + return fetch(url + urlParameters, requestInit).then(function(resp) { + assert_equals(resp.status, 200, "Response's status is 200"); + assert_equals(resp.headers.get("x-did-preflight"), "1", "Preflight request has been made"); + if (headers) { + var actualHeaders = resp.headers.get("x-control-request-headers").toLowerCase().split(","); + for (var i in actualHeaders) + actualHeaders[i] = actualHeaders[i].trim(); + for (var header of headers) + assert_in_array(header[0].toLowerCase(), actualHeaders, "Preflight asked permission for header: " + header); + + let accessControlAllowHeaders = headerNames(headers).sort().join(","); + assert_equals(resp.headers.get("x-control-request-headers"), accessControlAllowHeaders, "Access-Control-Allow-Headers value"); + return fetch(RESOURCES_DIR + "clean-stash.py?token=" + uuid_token); + } else { + assert_equals(resp.headers.get("x-control-request-headers"), null, "Access-Control-Request-Headers should be omitted") + } + }); + } else { + return promise_rejects(test, new TypeError(), fetch(url + urlParameters, requestInit)).then(function(){ + return fetch(RESOURCES_DIR + "clean-stash.py?token=" + uuid_token); + }); + } + }); + }, desc); +} diff --git a/testing/web-platform/tests/fetch/api/cors/resources/not-cors-safelisted.json b/testing/web-platform/tests/fetch/api/cors/resources/not-cors-safelisted.json new file mode 100644 index 000000000000..20a162f92c13 --- /dev/null +++ b/testing/web-platform/tests/fetch/api/cors/resources/not-cors-safelisted.json @@ -0,0 +1,11 @@ +[ + ["accept", "\""], + ["accept", "012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678"], + ["accept-language", "\u0001"], + ["accept-language", "@"], + ["content-language", "\u0001"], + ["content-language", "@"], + ["content-type", "text/html"], + ["content-type", "text/plain; long=0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901"], + ["test", "hi"] +] diff --git a/testing/web-platform/tests/fetch/api/headers/headers-no-cors.window.js b/testing/web-platform/tests/fetch/api/headers/headers-no-cors.window.js new file mode 100644 index 000000000000..aa6562b7d377 --- /dev/null +++ b/testing/web-platform/tests/fetch/api/headers/headers-no-cors.window.js @@ -0,0 +1,19 @@ +promise_test(() => fetch("../cors/resources/not-cors-safelisted.json").then(res => res.json().then(runTests)), "Loading data…"); + +function runTests(testArray) { + testArray = testArray.concat([ + ["dpr", "2"], + ["downlink", "1"], // https://wicg.github.io/netinfo/ + ["save-data", "on"], + ["viewport-width", "100"], + ["width", "100"] + ]); + testArray.forEach(testItem => { + const [headerName, headerValue] = testItem; + test(() => { + const noCorsHeaders = new Request("about:blank", { mode: "no-cors" }).headers; + noCorsHeaders.append(headerName, headerValue); + assert_false(noCorsHeaders.has(headerName)); + }, "\"no-cors\" Headers object cannot have " + headerName + "/" + headerValue + " as header"); + }); +}