<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>Resource Timing TAO - "null" and opaque origin</title>
<link rel="author" title="Google" href="http://www.google.com/" />
<link rel="help" href="https://www.w3.org/TR/resource-timing-2/#timing-allow-origin"/>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
</head>
<body>
<h1>Description</h1>
<p>This test validates that, for a cross origin resource, the timing allow
check algorithm will correctly distinguish between 'null' and 'Null' values in
the Timing-Allow-Origin header. An opaque origin's serialization is the string
"null" and the timing allow origin check needs to do a case-sensitive comparison
to the Timing-Allow-Origin header.
</p>
<iframe id="frameContext"></iframe>
<script>
const {ORIGIN} = get_host_info();
const url = `${ORIGIN}/resource-timing/resources/TAOResponse.py`;
const frame_content = `data:text/html;utf8,<body>
<script src="${ORIGIN}/resources/testharness.js"></` + `script>
<script src="${ORIGIN}/resource-timing/resources/entry-invariants.js">
</` + `script>
<script>
attribute_test(fetch, "${url}?tao=null",
invariants.assert_tao_pass_no_redirect_http,
"An opaque origin should be authorized to see resource timings when the" +
"TAO header is the string 'null'");
attribute_test(fetch, "${url}?tao=Null",
invariants.assert_tao_failure_resource,
"An opaque origin must not be authorized to see resource timings when " +
"the TAO header is the string 'Null'. (The check for 'null' must be " +
"case-sensitive)");
</` + `script>
</body>`;
frameContext.style = "display:none";
frameContext.src = frame_content;
fetch_tests_from_window(frameContext.contentWindow);
</script>
</body>
</html>