| <!DOCTYPE html> |
| <title>Cross origin WebBundle subresource loading (error case)</title> |
| <link |
| rel="help" |
| href="https://github.com/WICG/webpackage/blob/master/explainers/subresource-loading.md" |
| /> |
| <link |
| rel="help" |
| href="https://html.spec.whatwg.org/multipage/#cors-settings-attribute" |
| /> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="../resources/test-helpers.js"></script> |
| <body> |
| <!-- |
| This wpt should run on an origin different from https://www1.web-platform.test:8444/, |
| from where cross-orign WebBundles are served. |
| |
| This test uses a cross-origin WebBundle, |
| https://www1.web-platform.test:8444/web-bundle/resources/wbn/no-cors/cross-origin.wbn, |
| which is served *without* an Access-Control-Allow-Origin response header. |
| |
| `cross-origin.wbn` includes two subresources: |
| a. `resource.cors.js`, which includes an Access-Control-Allow-Origin response header. |
| b. `resource.no-cors.js`, which doesn't include an Access-Control-Allow-Origin response header. |
| --> |
| <script> |
| promise_test(async () => { |
| const prefix = |
| "https://www1.web-platform.test:8444/web-bundle/resources/wbn/no-cors/"; |
| const resources = [ |
| prefix + "resource.cors.js", |
| prefix + "resource.no-cors.js", |
| ]; |
| for (const crossorigin_attribute_value of [ |
| undefined, // crossorigin attribute is not set |
| "anonymous", |
| "use-credential", |
| ]) { |
| const link = await addLinkAndWaitForError( |
| prefix + "cross-origin.wbn", |
| resources, |
| crossorigin_attribute_value |
| ); |
| |
| // A subresource in the bundle can not be used in any case. |
| for (const resource of resources) { |
| await fetchAndWaitForReject(resource); |
| await addScriptAndWaitForError(resource); |
| } |
| link.remove(); |
| } |
| }, "Use CORS if crossorigin=anonymous or crossorigin=use-credential is specified. A cross origin bundle must not be loaded unless a server returns a valid Access-Control-Allow-Origin header."); |
| </script> |
| </body> |