| <!DOCTYPE html> |
| <script src=/resources/testharness.js></script> |
| <script src=/resources/testharnessreport.js></script> |
| <script src=/common/security-features/resources/common.sub.js></script> |
| <script src=/fetch/metadata/resources/helper.js></script> |
| <body> |
| <script> |
| // These tests reuse the `referrer-policy` infrastructure to load images that |
| // encode their request headers in their pixels. Fun stuff! |
| promise_test(() => |
| requestViaImage( |
| "https://{{host}}:{{ports[https][0]}}/common/security-features/subresource/image.py") |
| .then(result => { |
| headers = result.headers; |
| got = { |
| "mode": headers["sec-fetch-mode"], |
| "site": headers["sec-fetch-site"], |
| "user": headers["sec-fetch-user"], |
| "dest": headers["sec-fetch-dest"] |
| }; |
| assert_header_equals(got, { |
| "site": "same-origin", |
| // Note that we're using `undefined` here, as opposed to "" elsewhere because of the way |
| // that `image.py` encodes data. |
| "user": undefined, |
| "mode": "cors", // Because `loadImageInWindow` tacks on `crossorigin` |
| "dest": "image" |
| }, "Same-origin image"); |
| }), |
| "Same-origin image"); |
| |
| promise_test(() => |
| requestViaImage( |
| "https://{{hosts[][www]}}:{{ports[https][0]}}/common/security-features/subresource/image.py") |
| .then(result => { |
| headers = result.headers; |
| got = { |
| "mode": headers["sec-fetch-mode"], |
| "site": headers["sec-fetch-site"], |
| "user": headers["sec-fetch-user"], |
| "dest": headers["sec-fetch-dest"] |
| }; |
| assert_header_equals(got, { |
| "site": "same-site", |
| // Note that we're using `undefined` here, as opposed to "" elsewhere because of the way |
| // that `image.py` encodes data. |
| "user": undefined, |
| "mode": "cors", // Because `loadImageInWindow` tacks on `crossorigin` |
| "dest": "image" |
| }, "Same-site image"); |
| }), |
| "Same-site image"); |
| |
| promise_test(() => |
| requestViaImage( |
| "https://{{hosts[alt][www]}}:{{ports[https][0]}}/common/security-features/subresource/image.py") |
| .then(result => { |
| headers = result.headers; |
| got = { |
| "mode": headers["sec-fetch-mode"], |
| "site": headers["sec-fetch-site"], |
| "user": headers["sec-fetch-user"], |
| "dest": headers["sec-fetch-dest"] |
| }; |
| assert_header_equals(got, { |
| "site": "cross-site", |
| // Note that we're using `undefined` here, as opposed to "" elsewhere because of the way |
| // that `image.py` encodes data. |
| "user": undefined, |
| "mode": "cors", // Because `loadImageInWindow` tacks on `crossorigin` |
| "dest": "image" |
| }, "Cross-site image"); |
| }), |
| "Cross-site image"); |
| </script> |