Add WPT for COEP blocked iframe with Early Hints

Early Hints preload should not happen when an iframe violates Cross-Origin-Embedder-Policy. Bug: 1305896 Change-Id: Id8df2654c38e2b713267d85f338dee983444bac4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3640699 Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Commit-Queue: Kenichi Ishibashi <bashi@chromium.org> Cr-Commit-Position: refs/heads/main@{#1002544}
chromium · May 12, 2022 · e6ff654 · e6ff654
1 parent 218db8c
commit e6ff654
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 0 deletions.
diff --git a/third_party/blink/web_tests/external/wpt/loading/early-hints/iframe-coep-disallow.h2.html b/third_party/blink/web_tests/external/wpt/loading/early-hints/iframe-coep-disallow.h2.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<head>
+<meta charset="utf-8">
+<script src="/common/utils.js"></script>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="resources/early-hints-helpers.sub.js"></script>
+</head>
+<body>
+<script>
+promise_test(async (t) => {
+    const iframe = document.createElement("iframe");
+
+    const resource_url = CROSS_ORIGIN_RESOURCES_URL + "/empty.js?" + token();
+    const params = new URLSearchParams();
+    params.set("resource-url", resource_url);
+    params.set("token", token());
+    const iframe_url = CROSS_ORIGIN_RESOURCES_URL + "/html-with-early-hints.h2.py?" + params.toString();
+
+    iframe.src = iframe_url;
+    document.body.appendChild(iframe);
+    // Make sure the iframe didn't load. See https://github.com/whatwg/html/issues/125 for why a
+    // timeout is used here. Long term all network error handling should be similar and have a
+    // reliable event.
+    assert_equals(iframe.contentDocument.body.localName, "body");
+    await t.step_wait(() => iframe.contentDocument === null);
+
+    // Fetch the hinted resource and make sure it's not preloaded.
+    await fetchScript(resource_url);
+    const entries = performance.getEntriesByName(resource_url);
+    assert_equals(entries.length, 1);
+    assert_not_equals(entries[0].transferSize, 0);
+}, "Early hints for an iframe that violates Cross-Origin-Embedder-Policy should be ignored.");
+</script>
+</body>
diff --git a/...rty/blink/web_tests/external/wpt/loading/early-hints/iframe-coep-disallow.h2.html.headers b/...rty/blink/web_tests/external/wpt/loading/early-hints/iframe-coep-disallow.h2.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/third_party/blink/web_tests/external/wpt/loading/early-hints/resources/empty.js.headers b/third_party/blink/web_tests/external/wpt/loading/early-hints/resources/empty.js.headers
@@ -1,3 +1,4 @@
 cache-control: max-age=600
 access-control-allow-origin: *
 timing-allow-origin: *
+cross-origin-resource-policy: cross-origin
diff --git a/...ty/blink/web_tests/external/wpt/loading/early-hints/resources/html-with-early-hints.h2.py b/...ty/blink/web_tests/external/wpt/loading/early-hints/resources/html-with-early-hints.h2.py
@@ -0,0 +1,18 @@
+def handle_headers(frame, request, response):
+    resource_url = request.GET.first(b"resource-url").decode()
+    link_header_value = "<{}>; rel=preload; as=script".format(resource_url)
+    early_hints = [
+        (b":status", b"103"),
+        (b"link", link_header_value),
+    ]
+    response.writer.write_raw_header_frame(headers=early_hints,
+                                           end_headers=True)
+
+    response.status = 200
+    response.headers[b"content-type"] = "text/html"
+    response.write_status_headers()
+
+
+def main(request, response):
+    content = "<!-- empty -->"
+    response.writer.write_data(item=content, last=True)