Add WPT tests for basic authentication with SR based prefetch
- Speculation-rules-based prefetch logic should not send the username/password with prefetch requests to cross-origin URLs. Bug: 1302365 Change-Id: I59dd147ecd590ce2e80a1652fbb12f78c16d0859 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3635863 Reviewed-by: Jeremy Roman <jbroman@chromium.org> Commit-Queue: Iman Saboori <isaboori@google.com> Cr-Commit-Position: refs/heads/main@{#1002029}
Showing
3 changed files
with
90 additions
and
3 deletions.
32 changes: 32 additions & 0 deletions
32
...d_party/blink/web_tests/external/wpt/speculation-rules/prefetch/resources/authenticate.py
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
|
||
def main(request, response): | ||
def fmt(x): | ||
return f'"{x.decode("utf-8")}"' if x is not None else "undefined" | ||
|
||
purpose = request.headers.get("Purpose", b"").decode("utf-8") | ||
sec_purpose = request.headers.get("Sec-Purpose", b"").decode("utf-8") | ||
|
||
headers = [(b"Content-Type", b"text/html"), (b'WWW-Authenticate', 'Basic')] | ||
status = 200 if request.auth.username is not None or sec_purpose.startswith( | ||
"prefetch") else 401 | ||
|
||
content = f''' | ||
<!DOCTYPE html> | ||
<script src="/common/dispatcher/dispatcher.js"></script> | ||
<script src="utils.sub.js"></script> | ||
<script> | ||
window.requestHeaders = {{ | ||
purpose: "{purpose}", | ||
sec_purpose: "{sec_purpose}" | ||
}}; | ||
window.requestCredentials = {{ | ||
username: {fmt(request.auth.username)}, | ||
password: {fmt(request.auth.password)} | ||
}}; | ||
const uuid = new URLSearchParams(location.search).get('uuid'); | ||
window.executor = new Executor(uuid); | ||
</script> | ||
''' | ||
return status, headers, content |
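Review bot: `purpose`, `sec_purpose` and the decoded `request.auth.username`/`password` are interpolated into the inline `<script>` between plain double quotes with no escaping, so a value containing `"`, `\` or `</script>` produces a broken page or script content dictated by the request rather than by the test. Serialising each value as a JS literal avoids that: in `fmt`, `return json.dumps(x.decode("utf-8")).replace("<", "\\u003c") if x is not None else "undefined"`, with the same treatment for the two header fields in place of `"{purpose}"` and `"{sec_purpose}"` (this needs `import json`). The `WWW-Authenticate` value is the str `'Basic'` while every other header element is bytes, and it carries no `realm`; `b'Basic realm="test"'` (realm name constructed here) would be consistent and well-formed. A short comment on the `status` expression saying that prefetch requests receive 200 without credentials, so that the cross-origin case can still load the executor page, would help the next reader.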
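--- a/third_party/blink/web_tests/external/wpt/speculation-rules/prefetch/user-pass.https.html
+++ b/third_party/blink/web_tests/external/wpt/speculation-rules/prefetch/user-pass.https.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/utils.sub.js"></script>
+<meta name="variant" content="?cross-origin=true">
+<meta name="variant" content="?cross-origin=false">
+<script>
+let cross_origin = Object.fromEntries(new URLSearchParams(location.search))["cross-origin"] === "true";
+promise_test(async t => {
+assert_implements(HTMLScriptElement.supports('speculationrules'), "Speculation Rules not supported");
+
+let executor = "authenticate.py";
+let credentials = { username: "user", password: "pass" };
+let agent = await spawnWindow(t, { executor, ...credentials });
+let request_credentials = await agent.getRequestCredentials();
+assert_equals(request_credentials.username, credentials.username);
+assert_equals(request_credentials.password, credentials.password);
+
+let host = cross_origin ? { hostname: PREFETCH_PROXY_BYPASS_HOST } : {};
+let nextUrl = agent.getExecutorURL({ page: 2, executor, ...host });
+await agent.forceSinglePrefetch(nextUrl, { requires: ["anonymous-client-ip-when-cross-origin"] });
+await agent.navigate(nextUrl);
+
+let requestHeaders = await agent.getRequestHeaders();
+request_credentials = await agent.getRequestCredentials();
+if (cross_origin) {
+assert_equals(request_credentials.username, undefined);
+assert_equals(request_credentials.password, undefined);
+
+assert_in_array(requestHeaders.purpose, ["", "prefetch"]);
+assert_equals(requestHeaders.sec_purpose, "prefetch;anonymous-client-ip");
+}
+else {
+assert_equals(request_credentials.username, credentials.username);
+assert_equals(request_credentials.password, credentials.password);
+
+assert_prefetched(await agent.getRequestHeaders());
+}
+
+}, "test www-authenticate basic does not forward credentials to cross-origin pages.");
+</script>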
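Review bot: The test title, "test www-authenticate basic does not forward credentials to cross-origin pages.", describes only the `?cross-origin=true` variant; the `?cross-origin=false` variant asserts the opposite, that the same-origin prefetch does carry `user`/`pass`, so a failure there is reported under a misleading name. A title such as `"Basic auth credentials are sent with same-origin prefetch and withheld from cross-origin prefetch."` would make both variants' results readable. In the else branch, `assert_prefetched(await agent.getRequestHeaders())` repeats the round trip already stored in `requestHeaders`; `assert_prefetched(requestHeaders);` is enough. It may also be worth confirming in `resources/utils.sub.js`, which this page does not show, that the cross-origin host would otherwise have credentials available to send, so that the `undefined` assertions cannot pass vacuously.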