Correctly assert the conditions related to top-level navigation

wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataResourceIsolationPolicy.java

@@ -42,10 +42,12 @@ public class FetchMetadataResourceIsolationPolicy implements IResourceIsolationP
 	public static final String SAME_SITE = "same-site";
 	public static final String NONE = "none";
 	public static final String MODE_NAVIGATE = "navigate";
+	public static final String MODE_NO_CORS = "no-cors";
 	public static final String DEST_OBJECT = "object";
 	public static final String DEST_EMBED = "embed";
 	public static final String CROSS_SITE = "cross-site";
 	public static final String CORS = "cors";
+	public static final String DEST_DOCUMENT = "document";
 	public static final String DEST_SCRIPT = "script";
 	public static final String DEST_IMAGE = "image";
 
@@ -83,7 +85,7 @@ private boolean isAllowedTopLevelNavigation(HttpServletRequest request)
 		String dest = request.getHeader(SEC_FETCH_DEST_HEADER);
 
 		boolean isSimpleTopLevelNavigation = MODE_NAVIGATE.equals(mode)
-			&& "GET".equals(request.getMethod());
+			&& "GET".equalsIgnoreCase(request.getMethod());
 		boolean isNotObjectOrEmbedRequest = !DEST_EMBED.equals(dest) && !DEST_OBJECT.equals(dest);
 
 		return isSimpleTopLevelNavigation && isNotObjectOrEmbedRequest;

wicket-core/src/test/java/org/apache/wicket/protocol/http/ResourceIsolationRequestCycleListenerTest.java

@@ -19,8 +19,9 @@
 import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.CROSS_SITE;
 import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.DEST_EMBED;
 import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.DEST_OBJECT;
+import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.DEST_DOCUMENT;
 import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.MODE_NAVIGATE;
-import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.SAME_ORIGIN;
+import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.MODE_NO_CORS;
 import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.SAME_SITE;
 import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.SEC_FETCH_DEST_HEADER;
 import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.SEC_FETCH_MODE_HEADER;
@@ -85,6 +86,19 @@ void destEmbedFMAborted()
 		assertRequestAborted();
 	}
 
+	/**
+	 * Tests whether cross site requests are aborted
+	 */
+	@Test
+	void destNoCorsGetAborted()
+	{
+		tester.addRequestHeader(SEC_FETCH_SITE_HEADER, CROSS_SITE);
+		tester.addRequestHeader(SEC_FETCH_DEST_HEADER, DEST_DOCUMENT);
+		tester.addRequestHeader(SEC_FETCH_MODE_HEADER, MODE_NO_CORS);
+
+		assertRequestAborted();
+	}
+
 	/**
 	 * Tests whether object requests (sec-fetch-dest :"object" ) are aborted by FM checks
 	 */
@@ -103,7 +117,7 @@ void destObjectAborted()
 	@Test
 	void topLevelNavigationAllowedFM()
 	{
-		tester.addRequestHeader(SEC_FETCH_SITE_HEADER, SAME_ORIGIN);
+		tester.addRequestHeader(SEC_FETCH_SITE_HEADER, CROSS_SITE);
 		tester.addRequestHeader(SEC_FETCH_MODE_HEADER, MODE_NAVIGATE);
 
 		assertRequestAccepted();
@@ -191,15 +205,17 @@ void whenCrossOriginRequestToExempted_thenRequestAccepted()
 
 	private void assertRequestAborted()
 	{
+		tester.getRequest().setMethod("GET");
 		tester.clickLink("link");
-		assertEquals(tester.getLastResponse().getStatus(),
-			javax.servlet.http.HttpServletResponse.SC_FORBIDDEN);
-		assertEquals(tester.getLastResponse().getErrorMessage(),
-			ResourceIsolationRequestCycleListener.ERROR_MESSAGE);
+		assertEquals(javax.servlet.http.HttpServletResponse.SC_FORBIDDEN,
+			tester.getLastResponse().getStatus());
+		assertEquals(ResourceIsolationRequestCycleListener.ERROR_MESSAGE,
+			tester.getLastResponse().getErrorMessage());
 	}
 
 	private void assertRequestAccepted()
 	{
+		tester.getRequest().setMethod("GET");
 		tester.clickLink("link");
 		tester.assertRenderedPage(SecondPage.class);
 	}