<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8" />
<title>Verify that encodedBodySize/decodedBodySize are CORS-protected rather than TAO-protected</title>
<link rel="author" title="Noam Rosenthal" href="[email protected]">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<script src="/common/utils.js"></script>
</head>
<body>
<script>
const {ORIGIN, REMOTE_ORIGIN} = get_host_info();
async function test_body_size({mode, tao, expected_body_sizes}) {
promise_test(async t => {
const origin = mode === "same-origin" ? ORIGIN : REMOTE_ORIGIN;
const url = new URL(`${origin}/images/red.png?uid=${token()}`,
location.href);
const pipes = [];
if (mode === "cors")
pipes.push("header(Access-Control-Allow-Origin,*)");
if (tao)
pipes.push("header(Timing-Allow-Origin,*)");
const img = document.createElement("img");
if (mode === "cors")
img.crossOrigin = "anonymous";
if (pipes.length)
url.searchParams.set("pipe", pipes.join("|"));
img.src = url.toString();
await img.decode();
const [entry] = performance.getEntriesByName(url.toString());
if (expected_body_sizes) {
assert_greater_than(entry.encodedBodySize, 0);
assert_greater_than(entry.decodedBodySize, 0);
} else {
assert_equals(entry.encodedBodySize, 0);
assert_equals(entry.decodedBodySize, 0);
}
if (tao || mode === "same-origin")
assert_equals(entry.transferSize, entry.encodedBodySize + 300);
else
assert_equals(entry.transferSize, 0);
}, `Retrieving a ${mode} resource ${
tao ? "with" : "without"} Timing-Allow-Origin should ${
expected_body_sizes ? "expose" : "not expose"
} body size`);
}
test_body_size({mode: "same-origin", tao: false, expected_body_sizes: true});
test_body_size({mode: "same-origin", tao: true, expected_body_sizes: true});
test_body_size({mode: "no-cors", tao: false, expected_body_sizes: false});
test_body_size({mode: "no-cors", tao: true, expected_body_sizes: false});
test_body_size({mode: "cors", tao: false, expected_body_sizes: true});
test_body_size({mode: "cors", tao: true, expected_body_sizes: true});
</script>
</body>
</html>