Bug 1660433 [wpt PR 25176] - Subresource WebBundles: Same-origin restriction, a=testonly
authorKunihiko Sakamoto <ksakamoto@chromium.org>
Wed, 26 Aug 2020 08:56:09 +0000
changeset 546511 9a018bb082cd1738e5ced948c17d080d86859178
parent 546510 791dc71d54e6c34f7e6e401e0c29809c83e456a1
child 546512 da0ab35e39da3da16ae24803a4e3467c9f8176ac
push id37735
push userabutkovits@mozilla.com
push dateThu, 27 Aug 2020 21:29:40 +0000
reviewerstestonly
bugs1660433, 25176, 1120252, 2368618, 800907
milestone82.0a1
Bug 1660433 [wpt PR 25176] - Subresource WebBundles: Same-origin restriction, a=testonly Automatic update from web-platform-tests Subresource WebBundles: Same-origin restriction This patch restricts subresource loading from WebBundles only to same-origin resources, i.e. origin of subresource URL must be same-origin with the origin of the enclosing WebBundle's URL. Bug: 1120252 Change-Id: Ic999c4582385560f22a1251c37bd3572f0ffd2bb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2368618 Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Hayato Ito <hayato@chromium.org> Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org> Cr-Commit-Position: refs/heads/master@{#800907} -- wpt-commits: aa022e797e89bbc1c2f607970efaf3313bbcf386 wpt-pr: 25176
testing/web-platform/tests/web-bundle/resources/dynamic/__dir__.headers
testing/web-platform/tests/web-bundle/resources/generate-test-wbns.sh
testing/web-platform/tests/web-bundle/resources/wbn/dynamic1-crossorigin.wbn
testing/web-platform/tests/web-bundle/resources/wbn/subresource.wbn
testing/web-platform/tests/web-bundle/subresource-loading/subresource-loading-from-web-bundle.tentative.html
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/web-bundle/resources/dynamic/__dir__.headers
@@ -0,0 +1,1 @@
+Access-Control-Allow-Origin: *
--- a/testing/web-platform/tests/web-bundle/resources/generate-test-wbns.sh
+++ b/testing/web-platform/tests/web-bundle/resources/generate-test-wbns.sh
@@ -17,26 +17,33 @@ gen-bundle \
   -version b1 \
   -baseURL $wpt_test_https_origin/web-bundle/resources/wbn/ \
   -primaryURL $wpt_test_https_origin/web-bundle/resources/wbn/location.html \
   -dir location/ \
   -o wbn/location.wbn
 
 gen-bundle \
   -version b1 \
-  -baseURL https://subresource-wbn.example/ \
-  -primaryURL https://subresource-wbn.example/root.js \
+  -baseURL $wpt_test_http_origin/ \
+  -primaryURL $wpt_test_http_origin/root.js \
   -dir subresource/ \
   -o wbn/subresource.wbn
 
 gen-bundle \
   -version b1 \
   -baseURL $wpt_test_http_origin/web-bundle/resources/dynamic/ \
   -primaryURL $wpt_test_http_origin/web-bundle/resources/dynamic/resource1.js \
   -dir dynamic1/ \
   -o wbn/dynamic1.wbn
 
 gen-bundle \
   -version b1 \
   -baseURL $wpt_test_http_origin/web-bundle/resources/dynamic/ \
   -primaryURL $wpt_test_http_origin/web-bundle/resources/dynamic/resource1.js \
   -dir dynamic2/ \
   -o wbn/dynamic2.wbn
+
+gen-bundle \
+  -version b1 \
+  -baseURL $wpt_test_https_origin/web-bundle/resources/dynamic/ \
+  -primaryURL $wpt_test_https_origin/web-bundle/resources/dynamic/resource1.js \
+  -dir dynamic1/ \
+  -o wbn/dynamic1-crossorigin.wbn
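Review bot: The new `dynamic1-crossorigin.wbn` block has no comment saying why it reuses `-dir dynamic1/` with a different `-baseURL`, so the intent has to be inferred from the output file name. The bundle appears to be cross-origin only because its resource URLs use `$wpt_test_https_origin` while the test fetches the `.wbn` itself from the HTTP origin. I would add a comment above the block such as `# Same content as dynamic1.wbn, but resource URLs use the HTTPS origin so they are cross-origin to the bundle when it is served over HTTP.` so a later regeneration does not "fix" the origin and silently turn the negative test into a same-origin one.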
new file mode 100644
index 0000000000000000000000000000000000000000..a35e12aa0a2cb5b6757a9efabb1f3a657a456835
GIT binary patch
literal 1206
zc%0Rdu};EJ6o!E~`2;YS+>OQ3+fs}vF)^rt7;z%XdfOi0lJ?%4-cy0W1sf*^6CZ#@
zeFR5*B~~|^s!WbuIOBhk@BdEDV{fy1dfu#F-p@U&RGRlDh)TPrIRnp7A;Xc3qXvRT
z_t<fqJoXY1gkZ*?WfJ?K&0rx|#QkkzHKzJD1ug=Z*UBB9<w^<-x>osGz82T<a9Xae
zi^17BuKHONubJ~|<@=(5&JVECuCCMNFn#N~8W|?~%%=3pmjXecfeQsUOsSCj47n8M
zl-)7y$6R5b`93H#VkX9*FT6$8-w&BaBa#6haR`P7gGq8otRr%ngv6#cCDe8)b!~@q
z`-AJhk`TlgC!JPv*n+u|F_LVfkz}Sxh~$LSw?87ISVrXc6ss}wM7_PgEB5wI+c$UG
N-uc(QSITGa;~P2VurvSw
index 395039dc216250729ed75bdab2c10a7f16998f16..4d059e7c0b819500c437529446158d2884915c4c
GIT binary patch
literal 517
zc%03Vy-EW?6onJP#wS=oVHybpH#<9ugcU*jAwi94LfB4bH#f<I$;>cwH*VS(tSkf{
zARt80r^_R_1TAdD(%YVU&iUXxHdl+M=hfon?IH<FrF?IQXrdsvhr~CMV_(~G4Z&el
zr!)+#)>s?4?i_^bLGIlN3(jcez-^b?v)4cRA5P2OdtUwh*Ja6A_c94<gZJSrXR~;|
zY(x$@X6~F(dXs8}pwP#ufi5>jij<?!Dj4wzcc~QyTRcs{pl`VvfV)hlMMFz+hklVR
z`T~0KZfBV7lkkXKWs)$;D4{H(G-8LO(dyiOmq<_p9G)Gpm_Tl{MN%bwtH-2L`vF@y
h-uf4ytRC-tffkBGQf!q;BqyZOzAhk}rS)xWegf4+wAcUu
--- a/testing/web-platform/tests/web-bundle/subresource-loading/subresource-loading-from-web-bundle.tentative.html
+++ b/testing/web-platform/tests/web-bundle/subresource-loading/subresource-loading-from-web-bundle.tentative.html
@@ -3,20 +3,20 @@
 <link
   rel="help"
   href="https://github.com/WICG/webpackage/blob/master/explainers/subresource-loading.md"
 />
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <body>
   <link id="link-web-bundle" rel="webbundle" href="../resources/wbn/subresource.wbn"
-        resources="https://subresource-wbn.example/root.js https://subresource-wbn.example/submodule.js" />
+        resources="http://web-platform.test:8001/root.js http://web-platform.test:8001/submodule.js" />
   <script>
     promise_test(async () => {
-      const module = await import('https://subresource-wbn.example/root.js');
+      const module = await import('http://web-platform.test:8001/root.js');
       assert_equals(module.result, 'OK');
     }, "Subresource loading with WebBundle");
 
     promise_test(async () => {
       const link = document.createElement("link");
       link.rel = "webbundle";
       link.href = "../resources/wbn/dynamic1.wbn";
       link.resources.add('http://web-platform.test:8001/web-bundle/resources/dynamic/resource1.js',
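Review bot: The `resources` attribute and the `import()` call now hard-code `http://web-platform.test:8001`, which has to match whatever `$wpt_test_http_origin` was when generate-test-wbns.sh built subresource.wbn. Nothing on the page records that coupling. With the same-origin restriction in place, a mismatch would presumably stop the resource being served from the bundle rather than produce an obvious error. A short comment next to the `<link>` would help, for example `<!-- Origin must equal $wpt_test_http_origin used in resources/generate-test-wbns.sh -->`. The second `promise_test` in this hunk continues past its last line.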
@@ -44,18 +44,28 @@
       return addLinkAndWaitForLoad("../resources/wbn/dynamic1.wbn?test-event");
     }, '<link rel="webbundle"> fires a load event on load success');
 
     promise_test((t) => {
       return addLinkAndWaitForError("../resources/wbn/nonexistent.wbn");
     }, '<link rel="webbundle"> fires an error event on load failure');
 
     promise_test(async () => {
+      const link = document.createElement('link');
+      link.rel = 'webbundle';
+      link.href = '../resources/wbn/dynamic1-crossorigin.wbn';
+      link.resources = 'https://web-platform.test:8444/web-bundle/resources/dynamic/resource1.js';
+      document.body.appendChild(link);
+      const module = await import(link.resources);
+      assert_equals(module.result, 'resource1 from network');
+    }, 'Subresource URL must be same-origin with bundle URL');
+
+    promise_test(async () => {
       const wbn_url = 'http://web-platform.test:8001/web-bundle/resources/wbn/subresource.wbn?test-resources-update';
-      const resource_url = 'https://subresource-wbn.example/submodule.js';
+      const resource_url = 'http://web-platform.test:8001/submodule.js';
       const link = await addLinkAndWaitForLoad(wbn_url);
       link.resources.add(resource_url);
       const resp = await fetch(resource_url, {cache: 'no-store'});
       assert_true(resp.ok);
       assert_equals(performance.getEntriesByName(wbn_url).length, 1);
     }, 'Updating resource= attribute should not reload the bundle');
 
     function addLinkAndWaitForLoad(url) {
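Review bot: The new 'Subresource URL must be same-origin with bundle URL' test calls `import()` right after `appendChild(link)` without waiting for the bundle to load, so 'resource1 from network' does not by itself show that the bundle was fetched and then refused for the cross-origin URL. An implementation that had not attached the bundle yet could pass as well. Creating the link with the helper already used below, `const link = await addLinkAndWaitForLoad('../resources/wbn/dynamic1-crossorigin.wbn');` followed by `link.resources.add(url);`, would make the negative result meaningful. Holding the URL in a `const url = ...` and calling `import(url)` would also avoid relying on stringifying `link.resources`. The network fallback presumably depends on the `Access-Control-Allow-Origin: *` header this commit adds under resources/dynamic/, which deserves a one-line comment in the test.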