| <!doctype html> |
| <html> |
| <head> |
| <meta http-equiv="Content-Security-Policy" content="connect-src 'self'"> |
| <meta charset="utf-8"> |
| <title>SendBeacon CSP blocking on redirect</title> |
| <script src=/resources/testharness.js></script> |
| <script src=/resources/testharnessreport.js></script> |
| </head> |
| <body> |
| <script src="/common/utils.js"></script> |
| <script src="/common/get-host-info.sub.js"></script> |
| <script> |
| var RESOURCES_DIR = "/WebKit/beacon/resources/"; |
| |
| function pollResult(test, id) { |
| var checkUrl = RESOURCES_DIR + "beacon-preflight.py?cmd=get&id=" + id; |
| |
| return new Promise(resolve => { |
| step_timeout(test.step_func(() => { |
| fetch(checkUrl).then(response => { |
| response.json().then(body => { |
| resolve(body); |
| }); |
| }); |
| }), 1000); |
| }); |
| } |
| |
| function testCORSPreflightRedirectSuccess(what) { |
| var testBase = get_host_info().HTTP_REMOTE_ORIGIN + RESOURCES_DIR; |
| var id = "2539e883-7dfb-4dde-a227-a41c670d5fe1"; // Use a static token because the URL is logged. |
| var target = encodeURIComponent(testBase + "beacon-preflight.py?allowCors=1&cmd=put&id=" + id); |
| |
| // 307 & 308 redirections are the only ones that maintain the POST method. |
| var testUrl = RESOURCES_DIR + "redirect.py?redirect_status=307&location=" + target; |
| |
| promise_test(function(test) { |
| assert_true(navigator.sendBeacon(testUrl, what), "SendBeacon Succeeded"); |
| return pollResult(test, id) .then(result => { |
| assert_equals(result['preflight'], 0, "Did not receive preflight") |
| assert_equals(result['beacon'], 0, "Did not receive beacon") |
| }); |
| }, "Redirect is blocked by CSP"); |
| } |
| |
| testCORSPreflightRedirectSuccess("123"); |
| </script> |
| </body> |
| </html> |
