<!DOCTYPE html>
<title>crossorigin= attribute and credentials in WebBundle subresource loading</title>
<!-- References for the behaviour under test: the subresource-loading
     explainer and the HTML CORS settings attribute. -->
<link rel="help" href="https://github.com/WICG/webpackage/blob/master/explainers/subresource-loading.md">
<link rel="help" href="https://html.spec.whatwg.org/multipage/#cors-settings-attribute">
<!-- Harness first, then the local helpers. The addElementAndWaitFor*
     functions called by the tests are not defined in this file. -->
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="../resources/test-helpers.js"></script>
| <body> |
| <script> |
// Scope: this file tests only the request's credentials mode, i.e. whether the
// UA attaches a credential (here, a cookie named "milk") to the bundle request.
//
// Signal: check-cookie-and-return-bundle.py is assumed to return a validly
// formatted web bundle only when the request carries the credential, so a
// <link> load event is read as "credential sent". The contents of the bundle
// are out of scope.
// NOTE(review): an error event is read as "credential not sent", but the
// server script is not shown here and other failures would presumably also
// surface as an error event. Confirm against the .py handler.
//
// The request's mode (cors or no-cors) for crossorigin= is covered separately
// in subresource-loading-cors{-error}.tentative.html.

// Bundle URLs. The {{...}} placeholders are filled in when the page is served.
const same_origin_bundle = "./check-cookie-and-return-bundle.py";
const cross_origin_bundle = "https://{{domains[www1]}}:{{ports[https][0]}}/web-bundle/subresource-loading/check-cookie-and-return-bundle.py";

// Credential for the same-origin cases.
document.cookie = "milk=1";

// Credential for the cross-origin cases: ask the cross-origin host that serves
// the bundle to set the same cookie. The cross-origin tests await this promise
// so the cookie exists before they run.
// NOTE(review): the response to a no-cors fetch is opaque, so nothing here
// verifies the cookie was stored. If it was not, the "should not send" tests
// would pass without exercising anything; the cross-origin 'use-credentials'
// test appears to act as the control for that.
const setCookiePromise = fetch(
  "https://{{domains[www1]}}:{{ports[https][0]}}/cookies/resources/set-cookie.py?name=milk&path=/web-bundle/subresource-loading/",
  { mode: "no-cors", credentials: "include" }
);
| |
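// No crossorigin attribute, same-origin bundle: the cookie is expected to be
// sent. The test passes when the <link> fires a load event, which this file
// treats as proof that the server script saw the cookie.
promise_test(async (t) => {
  const link = document.createElement("link");
  // Register removal as harness cleanup so the element is detached whether
  // the awaited helper resolves or rejects. A trailing link.remove() after
  // the await is skipped when the expectation fails.
  t.add_cleanup(() => link.remove());
  link.rel = "webbundle";
  link.href = same_origin_bundle;
  await addElementAndWaitForLoad(link);
}, "'no crossorigin attribute' should send a credential to a same origin bundle");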
| |
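// No crossorigin attribute, cross-origin bundle: the cookie must NOT be sent.
// The test passes when the <link> fires an error event, which this file reads
// as the server script not having received the cookie.
// NOTE(review): any other cause of an error event would presumably also
// satisfy this test. It is only meaningful while the cross-origin
// 'use-credentials' case loads successfully against the same URL.
promise_test(async (t) => {
  // The cross-origin cookie must already be set; otherwise "not sent" would
  // hold trivially.
  await setCookiePromise;
  const link = document.createElement("link");
  // Harness cleanup runs on pass and on failure, so an unexpected load does
  // not leave the element in the document.
  t.add_cleanup(() => link.remove());
  link.rel = "webbundle";
  link.href = cross_origin_bundle;
  await addElementAndWaitForError(link);
}, "'no crossorigin attribute' should not send a credential to a cross origin bundle");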
| |
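// crossorigin="anonymous", same-origin bundle: in the HTML CORS settings
// attribute, "anonymous" corresponds to credentials mode "same-origin", so the
// cookie is still expected on a same-origin request. Passes on a load event.
promise_test(async (t) => {
  const link = document.createElement("link");
  // Detach the element through harness cleanup so a rejected await cannot
  // skip the removal.
  t.add_cleanup(() => link.remove());
  link.rel = "webbundle";
  link.href = same_origin_bundle;
  link.crossOrigin = "anonymous";
  await addElementAndWaitForLoad(link);
}, "'anonymous' should send a credential to a same origin bundle");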
| |
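// crossorigin="anonymous", cross-origin bundle: credentials mode "same-origin"
// means the cookie must be withheld from another origin. Passes when the
// <link> fires an error event, read here as "the server saw no cookie".
// NOTE(review): the error event is an indirect signal; see the server script
// for what else can make it fail.
promise_test(async (t) => {
  // Wait until the cross-origin host has been asked to set the cookie, so
  // there is a credential that could have been sent.
  await setCookiePromise;
  const link = document.createElement("link");
  // Cleanup is registered with the harness so the element is removed even if
  // the bundle unexpectedly loads and the await rejects.
  t.add_cleanup(() => link.remove());
  link.rel = "webbundle";
  link.href = cross_origin_bundle;
  link.crossOrigin = "anonymous";
  await addElementAndWaitForError(link);
}, "'anonymous' should not send a credential to a cross origin bundle");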
| |
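// crossorigin="use-credentials", same-origin bundle: "use-credentials"
// corresponds to credentials mode "include", so the cookie is expected.
// Passes on a load event.
promise_test(async (t) => {
  const link = document.createElement("link");
  // Removal goes through harness cleanup so it also happens when the load
  // expectation fails.
  t.add_cleanup(() => link.remove());
  link.rel = "webbundle";
  link.href = same_origin_bundle;
  link.crossOrigin = "use-credentials";
  await addElementAndWaitForLoad(link);
}, "'use-credentials' should send a credential to a same origin bundle");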
| |
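// crossorigin="use-credentials", cross-origin bundle: credentials mode
// "include" means the cookie is sent to the other origin as well. This is the
// only cross-origin case expected to load, so it doubles as the check that the
// cross-origin cookie was really set.
// NOTE(review): if the request is made in cors mode, a successful load also
// depends on the server's CORS response headers for credentialed requests.
// The .py handler is not shown here, so confirm it there.
promise_test(async (t) => {
  // The cookie on the cross-origin host must exist before the bundle request.
  await setCookiePromise;
  const link = document.createElement("link");
  // Harness cleanup detaches the element on both pass and failure.
  t.add_cleanup(() => link.remove());
  link.rel = "webbundle";
  link.href = cross_origin_bundle;
  link.crossOrigin = "use-credentials";
  await addElementAndWaitForLoad(link);
}, "'use-credentials' should send a credential to a cross origin bundle");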
| </script> |
| </body> |