
Add isolated file-upload form variants for DLP E2E testing #77

Description

@twschiller

Context

The PixieBrix browser-extension file-upload DLP enforcer (activity Phase 5) gates uploads at the <form> submit vector and resolves the upload destination from the form's action — so apps/webext-e2e needs a faithful multipart form to drive it.

Today the advanced-fields page only has a file input nested inside the big catch-all <form class="input">, which has no action, no enctype, and no method. That's enough for the metadata-block-at-change test, but not for faithful submit/destination testing:

  • The destination resolves to the page URL only (can't exercise destination-scoped rules).
  • Submitting the shared catch-all form drags in every other field and does a real GET navigation.

A temporary E2E is landing against the catch-all form (using a synthetic submit event to avoid navigation), but we'd like a dedicated, isolated fixture to switch to.

Request

Add one or more isolated file-upload forms to the advanced-fields page (separate from <form class="input">), each with stable selectors (ids / aria-labels) and vendor-neutral example domains. Prioritized:

Must-have

  • Basic single-file multipart POST form: <form action="/dlp-upload" method="post" enctype="multipart/form-data"> with a labeled <input type="file"> + a submit <button>. A same-origin action (a route that just returns 204) so an allowed upload doesn't error the page (tests will also route-intercept it).

Nice-to-have (each exercises a specific enforcer branch)

  • Cross-origin action — same form but action="https://uploads.example.com/files", to test destination-scoped urlPattern rules (the enforcer judges origin + path).
  • formaction override — a form with one action plus a submit <button formaction="https://uploads.example.com/other">; the enforcer prefers the submitter's formaction as the destination.
  • form=-associated input outside the form: <input type="file" form="<form-id>"> living outside the <form> subtree; the enforcer reads form.elements to catch these.
  • Multiple-file input: <input type="file" multiple> for multi-file uploads.
  • Drag-and-drop dropzone — a labeled dropzone that accepts dropped files, for the drop/paste interception vectors (a later follow-up).

Constraints

  • Keep each form isolated from the existing catch-all <form class="input"> so submitting it doesn't serialize unrelated fields.
  • Stable, documented selectors (ids or aria-labels) — the E2E page object targets these.
  • Use neutral example.com domains for cross-origin actions.
  • The endpoint(s) can be a trivial 204 (Vercel serverless or a static handler) — no real storage needed.

Consumed by the pixiebrix-source apps/webext-e2e activity/file-upload DLP specs.
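
The destination and form-ownership behaviour the requested variants exercise, as an added example that is not part of the original issue or PixieBrix's code. Plain objects stand in for DOM nodes so it runs in Node; the object shapes, the rule format { origin, pathPrefix } and the fixture.example.com page URL are assumptions made for illustration.

```javascript
// Added example: plain objects stand in for DOM nodes so this runs in Node.
// The object shapes and the rule format { origin, pathPrefix } are assumptions,
// not PixieBrix's urlPattern syntax.

// Destination of a submission: submitter formaction, then form action, then page URL.
function resolveDestination(pageUrl, form, submitter) {
  const raw = (submitter && submitter.formaction) || form.action || "";
  // An empty reference resolves to the page URL; relative paths resolve against it.
  const url = new URL(raw, pageUrl);
  return { origin: url.origin, path: url.pathname };
}

// File inputs owned by a form. A form= attribute decides the owner even when the
// input sits outside the <form> subtree; otherwise the ancestor form owns it.
function ownedFileInputs(formId, controls) {
  return controls
    .filter((c) => c.type === "file")
    .filter((c) => (c.formAttr ?? c.ancestorFormId) === formId)
    .map((c) => c.id);
}

// Origin must match exactly; the path must match on a segment boundary so that
// "/files" does not also cover "/files-archive".
function matchesRule(dest, rule) {
  if (dest.origin !== rule.origin) return false;
  const prefix = rule.pathPrefix.replace(/\/+$/, "");
  return dest.path === prefix || dest.path.startsWith(prefix + "/");
}

// Constructed fixture mirroring the form variants requested above.
const PAGE = "https://fixture.example.com/advanced-fields";
const RULE = { origin: "https://uploads.example.com", pathPrefix: "/files" };
const VARIANTS = {
  catchAll: { form: { action: null }, submitter: null },
  basic: { form: { action: "/dlp-upload" }, submitter: null },
  crossOrigin: { form: { action: "https://uploads.example.com/files" }, submitter: null },
  formactionOverride: {
    form: { action: "/dlp-upload" },
    submitter: { formaction: "https://uploads.example.com/other" },
  },
};

// Resolved URL per variant, and whether the destination-scoped rule applies to it.
function evaluateVariants() {
  const out = {};
  for (const [name, v] of Object.entries(VARIANTS)) {
    const dest = resolveDestination(PAGE, v.form, v.submitter);
    out[name] = { url: dest.origin + dest.path, ruleApplies: matchesRule(dest, RULE) };
  }
  return out;
}
```

Only the cross-origin variant falls under the sample rule: the catch-all form resolves to the page URL, and the formaction override lands on the same origin but a path outside the rule.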
