From f28d054672d8415ef8a729aa4a6ee4e0eef02de9 Mon Sep 17 00:00:00 2001 From: srichert Date: Tue, 28 Mar 2023 13:41:46 -0400 Subject: [PATCH 1/2] test: Restrain sending http credentials on a specific origin (for driver 1.33 roll) Verify that the httpCredentials are not sent when origin mismatch (scheme or hostname or port). See https://github.com/microsoft/playwright/pull/20374 --- .../TestBrowserContextCredentials.java | 37 +++++++++++++++++++ .../playwright/TestBrowserContextFetch.java | 33 +++++++++++++++++ .../microsoft/playwright/TestGlobalFetch.java | 31 ++++++++++++++++ .../java/com/microsoft/playwright/Utils.java | 14 +++++++ 4 files changed, 115 insertions(+) diff --git a/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextCredentials.java b/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextCredentials.java index 55b62b4d9..5703120ae 100644 --- a/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextCredentials.java +++ b/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextCredentials.java @@ -16,6 +16,7 @@ package com.microsoft.playwright; +import com.microsoft.playwright.options.HttpCredentials; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.condition.DisabledIf; 
@@ -74,4 +75,40 @@ void shouldReturnResourceBody() {
 assertTrue(new String(response.body()).contains("Playground"));
 }
 }
+
+ @Test
+ void shouldFailWithCorrectCredentialsAndWrongOriginScheme() {
+ server.setAuth("/empty.html", "user", "pass");
+ final HttpCredentials httpCredentials = new HttpCredentials("user", "pass");
+ httpCredentials.setOrigin(Utils.generateDifferentOriginScheme(server));
+ try (BrowserContext context = browser.newContext(new Browser.NewContextOptions().setHttpCredentials(httpCredentials))) {
+ Page page = context.newPage();
+ Response response = page.navigate(server.EMPTY_PAGE);
+ assertEquals(401, response.status());
+ }
+ }
+
+ @Test
+ void shouldFailWithCorrectCredentialsAndWrongOriginHostname() {
+ server.setAuth("/empty.html", "user", "pass");
+ final HttpCredentials httpCredentials = new HttpCredentials("user", "pass");
+ httpCredentials.setOrigin(Utils.generateDifferentOriginHostname(server));
+ try (BrowserContext context = browser.newContext(new Browser.NewContextOptions().setHttpCredentials(httpCredentials))) {
+ Page page = context.newPage();
+ Response response = page.navigate(server.EMPTY_PAGE);
+ assertEquals(401, response.status());
+ }
+ }
+
+ @Test
+ void shouldFailWithCorrectCredentialsAndWrongOriginPort() {
+ server.setAuth("/empty.html", "user", "pass");
+ final HttpCredentials httpCredentials = new HttpCredentials("user", "pass");
+ httpCredentials.setOrigin(Utils.generateDifferentOriginPort(server));
+ try (BrowserContext context = browser.newContext(new Browser.NewContextOptions().setHttpCredentials(httpCredentials))) {
+ Page page = context.newPage();
+ Response response = page.navigate(server.EMPTY_PAGE);
+ assertEquals(401, response.status());
+ }
+ }
 }
diff --git a/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextFetch.java b/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextFetch.java
index c97e66074..6e975ce8b 100644
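Review bot: The three wrong-origin tests assert only `assertEquals(401, response.status());`, which shows that the server rejected the navigation but not that the `Authorization` header was withheld. A request carrying wrong or malformed credentials would end in the same status. Since the property under test is that credentials are never sent to a non-matching origin, it would be stronger to also inspect the request the test server received for `/empty.html` and assert it carries no `Authorization` header, provided the test `Server` exposes received requests (not visible in this hunk). The same applies to the wrong-origin tests added in TestBrowserContextFetch.java and TestGlobalFetch.java. A comment such as `// credentials are scoped to a different origin, so the 401 challenge must go unanswered` would make the intent explicit.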
--- a/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextFetch.java
+++ b/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextFetch.java
@@ -671,4 +671,37 @@ void shouldAbortRequestsWhenBrowserContextCloses() {
 e = assertThrows(PlaywrightException.class, () -> context.request().post(server.EMPTY_PAGE));
 assertTrue(e.getMessage().contains("Target page, context or browser has been closed"), e.getMessage());
 }
+
+ @Test
+ void shouldReturnErrorWithCorrectCredentialsAndWrongOriginScheme() {
+ server.setAuth("/empty.html", "user", "pass");
+ final HttpCredentials httpCredentials = new HttpCredentials("user", "pass");
+ httpCredentials.setOrigin(Utils.generateDifferentOriginScheme(server));
+ try (BrowserContext context = browser.newContext(new Browser.NewContextOptions().setHttpCredentials(httpCredentials))) {
+ APIResponse response = context.request().get(server.EMPTY_PAGE);
+ assertEquals(401, response.status());
+ }
+ }
+
+ @Test
+ void shouldReturnErrorWithCorrectCredentialsAndWrongOriginHostname() {
+ server.setAuth("/empty.html", "user", "pass");
+ final HttpCredentials httpCredentials = new HttpCredentials("user", "pass");
+ httpCredentials.setOrigin(Utils.generateDifferentOriginHostname(server));
+ try (BrowserContext context = browser.newContext(new Browser.NewContextOptions().setHttpCredentials(httpCredentials))) {
+ APIResponse response = context.request().get(server.EMPTY_PAGE);
+ assertEquals(401, response.status());
+ }
+ }
+
+ @Test
+ void shouldReturnErrorWithCorrectCredentialsAndWrongOriginPort() {
+ server.setAuth("/empty.html", "user", "pass");
+ final HttpCredentials httpCredentials = new HttpCredentials("user", "pass");
+ httpCredentials.setOrigin(Utils.generateDifferentOriginPort(server));
+ try (BrowserContext context = browser.newContext(new Browser.NewContextOptions().setHttpCredentials(httpCredentials))) {
+ APIResponse response = context.request().get(server.EMPTY_PAGE);
+ assertEquals(401, response.status());
+ }
+ }
 }
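Review bot: `HttpCredentials` is used in all three new tests, but this file's section adds no import for it, whereas the sections for TestBrowserContextCredentials.java and TestGlobalFetch.java each add `import com.microsoft.playwright.options.HttpCredentials;`. The import block lies outside this hunk, so the name may already be in scope (for example through a wildcard import of the options package); if it is not, the file will not compile and the same import line is needed here. The three bodies also differ only in which `Utils.generateDifferentOrigin…` helper they call, so a private helper that takes the origin string would remove the duplication.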
diff --git a/playwright/src/test/java/com/microsoft/playwright/TestGlobalFetch.java b/playwright/src/test/java/com/microsoft/playwright/TestGlobalFetch.java index d6cc1c91b..da3fbd9c3 100644 --- a/playwright/src/test/java/com/microsoft/playwright/TestGlobalFetch.java +++ b/playwright/src/test/java/com/microsoft/playwright/TestGlobalFetch.java @@ -1,6 +1,7 @@ package com.microsoft.playwright; import com.google.gson.Gson; +import com.microsoft.playwright.options.HttpCredentials; import com.microsoft.playwright.options.HttpHeader; import com.microsoft.playwright.options.RequestOptions; import org.junit.jupiter.api.Disabled; 
@@ -411,4 +412,34 @@ void shouldNotModifyRequestMethodInOptions() { request.dispose(); } + @Test + void shouldReturnErrorWithCorrectCredentialsAndWrongOriginScheme() { + server.setAuth("/empty.html", "user", "pass"); + final HttpCredentials httpCredentials = new HttpCredentials("user", "pass"); + httpCredentials.setOrigin(Utils.generateDifferentOriginScheme(server)); + APIRequestContext request = playwright.request().newContext(new APIRequest.NewContextOptions().setHttpCredentials(httpCredentials)); + APIResponse response = request.get(server.EMPTY_PAGE); + assertEquals(401, response.status()); + } + + @Test + void shouldReturnErrorWithCorrectCredentialsAndWrongOriginHostname() { + server.setAuth("/empty.html", "user", "pass"); + final HttpCredentials httpCredentials = new HttpCredentials("user", "pass"); + httpCredentials.setOrigin(Utils.generateDifferentOriginHostname(server)); + APIRequestContext request = playwright.request().newContext(new APIRequest.NewContextOptions().setHttpCredentials(httpCredentials)); + APIResponse response = request.get(server.EMPTY_PAGE); + assertEquals(401, response.status()); + } + + @Test + void shouldReturnErrorWithCorrectCredentialsAndWrongOriginPort() { + server.setAuth("/empty.html", "user", "pass"); + final HttpCredentials httpCredentials = new HttpCredentials("user", "pass"); + httpCredentials.setOrigin(Utils.generateDifferentOriginPort(server)); + APIRequestContext request = playwright.request().newContext(new APIRequest.NewContextOptions().setHttpCredentials(httpCredentials)); + APIResponse response = request.get(server.EMPTY_PAGE); + assertEquals(401, response.status()); + } + } diff --git a/playwright/src/test/java/com/microsoft/playwright/Utils.java b/playwright/src/test/java/com/microsoft/playwright/Utils.java index 479fa0e55..61e4862b6 100644 --- a/playwright/src/test/java/com/microsoft/playwright/Utils.java +++ b/playwright/src/test/java/com/microsoft/playwright/Utils.java 
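Review bot: None of the three new tests releases the `APIRequestContext` it creates, although the context line directly above the additions shows the preceding test ending with `request.dispose();`. Each test should dispose its context after the assertion, preferably unconditionally: `try { APIResponse response = request.get(server.EMPTY_PAGE); assertEquals(401, response.status()); } finally { request.dispose(); }`. Without that, every run leaves three credential-bearing request contexts open until the shared `playwright` instance is torn down.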
@@ -196,4 +196,18 @@ static void verifyViewport(Page page, int width, int height) { assertEquals(width, page.evaluate("window.innerWidth")); assertEquals(height, page.evaluate("window.innerHeight")); } + + static String generateDifferentOriginScheme(final Server server){ + return server.PREFIX.startsWith("http://") ? + server.PREFIX.replace("http://", "https://") : + server.PREFIX.replace("https://", "http://"); + } + + static String generateDifferentOriginHostname(final Server server){ + return server.PREFIX.replace("localhost", "mismatching-hostname"); + } + + static String generateDifferentOriginPort(final Server server){ + return server.PREFIX.replace(String.valueOf(server.PORT), String.valueOf(server.PORT+1)); + } } From 9f628075af70fd1213e699c3837bd4a3adebaee6 Mon Sep 17 00:00:00 2001 From: srichert Date: Tue, 18 Apr 2023 17:14:07 -0400 Subject: [PATCH 2/2] test: Restrain sending http credentials on a specific origin Verify that the httpCredentials are not sent when origin mismatch (scheme or hostname or port). See https://github.com/microsoft/playwright/pull/20374 --- .../TestBrowserContextCredentials.java | 26 +++++++++++++++ .../playwright/TestBrowserContextFetch.java | 30 +++++++++++++++++ .../microsoft/playwright/TestGlobalFetch.java | 32 +++++++++++++++++++ 3 files changed, 88 insertions(+) diff --git a/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextCredentials.java b/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextCredentials.java index 5703120ae..e9ce80aa4 100644 --- a/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextCredentials.java +++ b/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextCredentials.java 
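Review bot: `generateDifferentOriginHostname` and `generateDifferentOriginPort` depend on `String.replace`, which returns its input unchanged when the substring is absent. If `server.PREFIX` is ever not a `localhost` URL (an IP literal, for instance), the supposedly different origin silently equals the real one. The dependent tests would then fail with a 200 whose cause is hard to trace back to this helper. Guard the result, e.g. `if (origin.equals(server.PREFIX)) throw new IllegalStateException("origin was not changed: " + origin);`, or build the value from parsed URI components rather than text substitution. A one-line comment on each helper stating which origin component it alters would also help; the rest of the class lies outside this hunk.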
@@ -76,6 +76,32 @@ void shouldReturnResourceBody() { } } + @Test + void shouldWorkWithCorrectCredentialsAndMatchingOrigin() { + server.setAuth("/empty.html", "user", "pass"); + final HttpCredentials httpCredentials = new HttpCredentials("user", "pass"); + httpCredentials.setOrigin(server.PREFIX); + try (BrowserContext context = browser.newContext(new Browser.NewContextOptions() + .setHttpCredentials(httpCredentials))) { + Page page = context.newPage(); + Response response = page.navigate(server.EMPTY_PAGE); + assertEquals(200, response.status()); + } + } + + @Test + void shouldWorkWithCorrectCredentialsAndMatchingOriginCaseInsensitive() { + server.setAuth("/empty.html", "user", "pass"); + final HttpCredentials httpCredentials = new HttpCredentials("user", "pass"); + httpCredentials.setOrigin(server.PREFIX.toUpperCase()); + try (BrowserContext context = browser.newContext(new Browser.NewContextOptions() + .setHttpCredentials(httpCredentials))) { + Page page = context.newPage(); + Response response = page.navigate(server.EMPTY_PAGE); + assertEquals(200, response.status()); + } + } + @Test void shouldFailWithCorrectCredentialsAndWrongOriginScheme() { server.setAuth("/empty.html", "user", "pass"); diff --git a/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextFetch.java b/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextFetch.java index 6e975ce8b..c8869d223 100644 --- a/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextFetch.java +++ b/playwright/src/test/java/com/microsoft/playwright/TestBrowserContextFetch.java 
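Review bot: `server.PREFIX.toUpperCase()` uses the JVM default locale, so the upper-cased origin handed to `setOrigin` can differ between machines; use `server.PREFIX.toUpperCase(Locale.ROOT)` with `java.util.Locale` imported. The same call appears in the case-insensitive tests this patch adds to TestBrowserContextFetch.java and TestGlobalFetch.java. A comment such as `// scheme and host of an origin compare case-insensitively` on the test would document why a 200 is expected here.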
@@ -672,6 +672,36 @@ void shouldAbortRequestsWhenBrowserContextCloses() { assertTrue(e.getMessage().contains("Target page, context or browser has been closed"), e.getMessage()); } + @Test + void shouldWorkWithSetHTTPCredentialsAndMatchingOrigin() throws ExecutionException, InterruptedException { + server.setAuth("/empty.html", "user", "pass"); + APIResponse response1 = context.request().get(server.EMPTY_PAGE); + assertEquals(401, response1.status()); + + final HttpCredentials httpCredentials = new HttpCredentials("user", "pass"); + httpCredentials.setOrigin(server.PREFIX); + try (BrowserContext context2 = browser.newContext( + new Browser.NewContextOptions().setHttpCredentials(httpCredentials))) { + APIResponse response2 = context2.request().get(server.EMPTY_PAGE); + assertEquals(200, response2.status()); + } + } + + @Test + void shouldWorkWithSetHTTPCredentialsAndMatchingOriginCaseInsensitive() throws ExecutionException, InterruptedException { + server.setAuth("/empty.html", "user", "pass"); + APIResponse response1 = context.request().get(server.EMPTY_PAGE); + assertEquals(401, response1.status()); + + final HttpCredentials httpCredentials = new HttpCredentials("user", "pass"); + httpCredentials.setOrigin(server.PREFIX.toUpperCase()); + try (BrowserContext context2 = browser.newContext( + new Browser.NewContextOptions().setHttpCredentials(httpCredentials))) { + APIResponse response2 = context2.request().get(server.EMPTY_PAGE); + assertEquals(200, response2.status()); + } + } + @Test void shouldReturnErrorWithCorrectCredentialsAndWrongOriginScheme() { server.setAuth("/empty.html", "user", "pass"); diff --git a/playwright/src/test/java/com/microsoft/playwright/TestGlobalFetch.java b/playwright/src/test/java/com/microsoft/playwright/TestGlobalFetch.java index da3fbd9c3..1b0b06ac4 100644 --- a/playwright/src/test/java/com/microsoft/playwright/TestGlobalFetch.java +++ b/playwright/src/test/java/com/microsoft/playwright/TestGlobalFetch.java 
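Review bot: Both new tests declare `throws ExecutionException, InterruptedException`, but the wrong-origin tests added to this same file call the same methods (`server.setAuth`, `context.request().get`, `browser.newContext`) without any throws clause, so nothing in these bodies appears to need it. Dropping the clause keeps the signatures consistent: `void shouldWorkWithSetHTTPCredentialsAndMatchingOrigin() {`. The unauthenticated `response1` check is a useful baseline and could carry a comment like `// without credentials the server answers 401`.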
@@ -412,6 +412,38 @@ void shouldNotModifyRequestMethodInOptions() { request.dispose(); } + @Test + void shouldSupportGlobalHttpCredentialsOptionAndMatchingOrigin() { + server.setAuth("/empty.html", "user", "pass"); + APIRequestContext request1 = playwright.request().newContext(); + APIResponse response1 = request1.get(server.EMPTY_PAGE); + assertEquals(401, response1.status()); + request1.dispose(); + + final HttpCredentials httpCredentials = new HttpCredentials("user", "pass"); + httpCredentials.setOrigin(server.PREFIX); + APIRequestContext request2 = playwright.request().newContext(new APIRequest.NewContextOptions().setHttpCredentials(httpCredentials)); + APIResponse response2 = request2.get(server.EMPTY_PAGE); + assertEquals(200, response2.status()); + request2.dispose(); + } + + @Test + void shouldSupportGlobalHttpCredentialsOptionAndMatchingOriginCaseInsensitive() { + server.setAuth("/empty.html", "user", "pass"); + APIRequestContext request1 = playwright.request().newContext(); + APIResponse response1 = request1.get(server.EMPTY_PAGE); + assertEquals(401, response1.status()); + request1.dispose(); + + final HttpCredentials httpCredentials = new HttpCredentials("user", "pass"); + httpCredentials.setOrigin(server.PREFIX.toUpperCase()); + APIRequestContext request2 = playwright.request().newContext(new APIRequest.NewContextOptions().setHttpCredentials(httpCredentials)); + APIResponse response2 = request2.get(server.EMPTY_PAGE); + assertEquals(200, response2.status()); + request2.dispose(); + } + @Test void shouldReturnErrorWithCorrectCredentialsAndWrongOriginScheme() { server.setAuth("/empty.html", "user", "pass");
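Review bot: `request1.dispose()` and `request2.dispose()` run only when the preceding `assertEquals` passes, so a failing assertion leaves the `APIRequestContext` configured with `user`/`pass` open for the rest of the run. Wrapping each use as `try { … } finally { request2.dispose(); }` makes cleanup unconditional. The two tests differ only in the origin string, so a shared private helper taking that string would keep the setup and cleanup in one place.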