<!DOCTYPE html>
<!--
This test was procedurally generated. Please do not modify it directly.
Sources:
- fetch/metadata/tools/fetch-metadata.conf.yml
- fetch/metadata/tools/templates/form-submission.sub.html
-->
<html lang="en">
<meta charset="utf-8">
<meta name="timeout" content="long">
<title>HTTP headers on request for HTML form navigation</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/fetch/metadata/resources/helper.sub.js"></script>
<body>
<script>
'use strict';
function induceRequest(method, url, userActivated) {
const windowName = String(Math.random());
const form = document.createElement('form');
const submit = document.createElement('input');
submit.setAttribute('type', 'submit');
form.appendChild(submit);
const win = open('about:blank', windowName);
form.setAttribute('method', method);
form.setAttribute('action', url);
form.setAttribute('target', windowName);
document.body.appendChild(form);
// Query parameters must be expressed as form values so that they are sent
// with the submission of forms whose method is POST.
Array.from(new URL(url, location.origin).searchParams)
.forEach(([name, value]) => {
const input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', name);
input.setAttribute('value', value);
form.appendChild(input);
});
return new Promise((resolve) => {
addEventListener('message', function(event) {
if (event.source === win) {
resolve();
}
});
if (userActivated) {
test_driver.click(submit);
} else {
submit.click();
}
})
.then(() => {
form.remove();
win.close();
});
}
const responseParams = {
mime: 'text/html',
body: `<script>opener.postMessage('done', '*')</${''}script>`
};
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpOrigin'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-site');
});
}, 'sec-fetch-site - Not sent to non-trustworthy same-origin destination - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpOrigin'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-site');
});
}, 'sec-fetch-site - Not sent to non-trustworthy same-origin destination - POST');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpSameSite'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-site');
});
}, 'sec-fetch-site - Not sent to non-trustworthy same-site destination - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpSameSite'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-site');
});
}, 'sec-fetch-site - Not sent to non-trustworthy same-site destination - POST');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-site');
});
}, 'sec-fetch-site - Not sent to non-trustworthy cross-site destination - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-site');
});
}, 'sec-fetch-site - Not sent to non-trustworthy cross-site destination - POST');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpOrigin'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-mode');
});
}, 'sec-fetch-mode - Not sent to non-trustworthy same-origin destination - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpOrigin'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-mode');
});
}, 'sec-fetch-mode - Not sent to non-trustworthy same-origin destination - POST');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpSameSite'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-mode');
});
}, 'sec-fetch-mode - Not sent to non-trustworthy same-site destination - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpSameSite'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-mode');
});
}, 'sec-fetch-mode - Not sent to non-trustworthy same-site destination - POST');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-mode');
});
}, 'sec-fetch-mode - Not sent to non-trustworthy cross-site destination - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-mode');
});
}, 'sec-fetch-mode - Not sent to non-trustworthy cross-site destination - POST');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpOrigin'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-dest');
});
}, 'sec-fetch-dest - Not sent to non-trustworthy same-origin destination - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpOrigin'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-dest');
});
}, 'sec-fetch-dest - Not sent to non-trustworthy same-origin destination - POST');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpSameSite'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-dest');
});
}, 'sec-fetch-dest - Not sent to non-trustworthy same-site destination - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpSameSite'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-dest');
});
}, 'sec-fetch-dest - Not sent to non-trustworthy same-site destination - POST');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-dest');
});
}, 'sec-fetch-dest - Not sent to non-trustworthy cross-site destination - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-dest');
});
}, 'sec-fetch-dest - Not sent to non-trustworthy cross-site destination - POST');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpOrigin'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-user');
});
}, 'sec-fetch-user - Not sent to non-trustworthy same-origin destination - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpOrigin'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-user');
});
}, 'sec-fetch-user - Not sent to non-trustworthy same-origin destination - POST');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpSameSite'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-user');
});
}, 'sec-fetch-user - Not sent to non-trustworthy same-site destination - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpSameSite'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-user');
});
}, 'sec-fetch-user - Not sent to non-trustworthy same-site destination - POST');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-user');
});
}, 'sec-fetch-user - Not sent to non-trustworthy cross-site destination - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-user');
});
}, 'sec-fetch-user - Not sent to non-trustworthy cross-site destination - POST');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpsOrigin', 'httpOrigin'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-site');
});
}, 'sec-fetch-site - HTTPS downgrade (header not sent) - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpsOrigin', 'httpOrigin'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_not_own_property(headers, 'sec-fetch-site');
});
}, 'sec-fetch-site - HTTPS downgrade (header not sent) - POST');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpOrigin', 'httpsOrigin'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_own_property(headers, 'sec-fetch-site');
assert_array_equals(headers['sec-fetch-site'], ['cross-site']);
});
}, 'sec-fetch-site - HTTPS upgrade - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpOrigin', 'httpsOrigin'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_own_property(headers, 'sec-fetch-site');
assert_array_equals(headers['sec-fetch-site'], ['cross-site']);
});
}, 'sec-fetch-site - HTTPS upgrade - POST');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpsOrigin', 'httpOrigin', 'httpsOrigin'], responseParams);
const userActivated = false;
return induceRequest('GET', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_own_property(headers, 'sec-fetch-site');
assert_array_equals(headers['sec-fetch-site'], ['cross-site']);
});
}, 'sec-fetch-site - HTTPS downgrade-upgrade - GET');
promise_test(() => {
const key = '{{uuid()}}';
const url = makeRequestURL(key, ['httpsOrigin', 'httpOrigin', 'httpsOrigin'], responseParams);
const userActivated = false;
return induceRequest('POST', url, userActivated)
.then(() => retrieve(key))
.then((headers) => {
assert_own_property(headers, 'sec-fetch-site');
assert_array_equals(headers['sec-fetch-site'], ['cross-site']);
});
}, 'sec-fetch-site - HTTPS downgrade-upgrade - POST');
</script>
</body>
</html>
Codebase Browser
chromium