diff --git a/fetch/cross-origin-resource-policy/resources/green.png b/fetch/cross-origin-resource-policy/resources/green.png
new file mode 100644
index 000000000000000..28a1faab37797ef
Binary files /dev/null and b/fetch/cross-origin-resource-policy/resources/green.png differ
diff --git a/fetch/cross-origin-resource-policy/resources/hello.py b/fetch/cross-origin-resource-policy/resources/hello.py
new file mode 100644
index 000000000000000..2b7cb6c6fc9fa99
--- /dev/null
+++ b/fetch/cross-origin-resource-policy/resources/hello.py
@@ -0,0 +1,6 @@
+def main(request, response):
+ headers = [("Cross-Origin-Resource-Policy", request.GET['corp'])]
+ if 'origin' in request.headers:
+ headers.append(('Access-Control-Allow-Origin', request.headers['origin']))
+
+ return 200, headers, "hello"
diff --git a/fetch/cross-origin-resource-policy/resources/image.py b/fetch/cross-origin-resource-policy/resources/image.py
new file mode 100644
index 000000000000000..ad9295cf6828740
--- /dev/null
+++ b/fetch/cross-origin-resource-policy/resources/image.py
@@ -0,0 +1,20 @@
+import os.path
+
+def main(request, response):
+ type = request.GET.first("type", None)
+
+ body = open(os.path.join(os.path.dirname(__file__), "green.png"), "rb").read()
+
+ response.add_required_headers = False
+ response.writer.write_status(200)
+
+ if 'corp' in request.GET:
+ response.writer.write_header("cross-origin-resource-policy", request.GET['corp'])
+ if 'acao' in request.GET:
+ response.writer.write_header("access-control-allow-origin", request.GET['acao'])
+ response.writer.write_header("content-length", len(body))
+ if(type != None):
+ response.writer.write_header("content-type", type)
+ response.writer.end_headers()
+
+ response.writer.write(body)
diff --git a/fetch/cross-origin-resource-policy/scheme-restriction.any.js b/fetch/cross-origin-resource-policy/scheme-restriction.any.js
new file mode 100644
index 000000000000000..d16c59024741074
--- /dev/null
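Review bot: In hello.py, `request.GET['corp']` on the first line of `main` is read unconditionally, so a request without a `corp` parameter presumably fails inside the handler instead of producing a response, whereas image.py in this same commit guards the lookup with `if 'corp' in request.GET:`. Consider starting from `headers = []` and appending under the same guard: `if 'corp' in request.GET: headers.append(("Cross-Origin-Resource-Policy", request.GET['corp']))`. The handler also echoes the request's `Origin` into `Access-Control-Allow-Origin` and a query value into a response header; that is reasonable for a test fixture, and a comment such as `# Test-only: reflects Origin and ?corp= into response headers; not a pattern for production handlers.` would keep it from being copied elsewhere.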
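Review bot: In image.py, the `body = open(...).read()` line never closes the file handle; `with open(os.path.join(os.path.dirname(__file__), "green.png"), "rb") as f:` followed by `body = f.read()` releases it deterministically. The local `type` shadows the builtin, and `if(type != None):` is better written `if content_type is not None:` after renaming the variable. With `add_required_headers = False`, the `corp`, `acao` and `type` query values become response headers verbatim; whether `write_header` rejects CR/LF in values is not visible in this hunk, so a comment marking the handler as test-only would be worth adding.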
+++ b/fetch/cross-origin-resource-policy/scheme-restriction.any.js
@@ -0,0 +1,7 @@
+// META: script=/common/get-host-info.sub.js
+
+promise_test(t => {
+ return promise_rejects(t,
+ new TypeError(),
+ fetch(get_host_info().HTTPS_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-site", { mode: "no-cors" }));
+}, "Cross-Origin-Resource-Policy: same-site's scheme restriction");
diff --git a/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js b/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js
new file mode 100644
index 000000000000000..4c7457187419e05
--- /dev/null
+++ b/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js
@@ -0,0 +1,13 @@
+// META: script=/common/get-host-info.sub.js
+
+promise_test(t => {
+ const img = new Image();
+ img.src = get_host_info().HTTP_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/image.py?corp=same-site";
+ return new Promise((resolve, reject) => {
+ img.onload = resolve;
+ img.onerror = reject;
+ document.body.appendChild(img);
+ }).finally(() => {
+ img.remove();
+ });
+}, "Cross-Origin-Resource-Policy does not block Mixed Content ");
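Review bot: In scheme-restriction.any.js the only assertion is that the fetch rejects with a TypeError, and a network-level failure (for instance hello.py being unreachable or erroring) would produce the same rejection, so the test can pass without exercising the same-site check at all. A control in the same file that requests the same resource in a configuration expected to be allowed, and asserts that it resolves, would tie the rejection to the policy. The test presumably depends on being served over http (the filename has no `.https`), which is implicit; a comment such as `// Runs on an http page; the https same-site response is expected to be blocked.` would make that explicit. If the harness in this tree provides it, `promise_rejects_js(t, TypeError, ...)` is the more precise assertion.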
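Review bot: In scheme-restriction.https.window.js, `img.onerror = reject` rejects the promise with a bare Event, so a blocked load reports no useful message; `img.onerror = () => reject(new Error("image failed to load"));` gives a readable failure. `img.src` is assigned before the handlers are attached, which works because they are set in the same task, but assigning `src` last inside the executor is the more robust order. The test title ends with a stray space (`"... Mixed Content "`), and `t.add_cleanup(() => img.remove());` is the usual way to guarantee removal instead of `.finally`.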