WPT: CSS: Add cross-origin redirect tests.

This adds tests that stylesheets that result from requests that were redirected cross-origin are considered cross-origin. Note that A->B->A redirects, which redirect from cross-origin to same-origin, are considered cross-origin. See whatwg/fetch#737 and whatwg/fetch#834. In Blink, we have redirect tests at http/tests/security/cannot-read-cssrules-redirect.html. This WPT addition will supersede that test, but I won't yet remove it since it asserts the opposite for the A->B->A case. I can remove the test when Blink changes to pass this WPT test. Bug: 911974 Change-Id: Ie015c0390829299de7c29cff6685ddfcd774c66f
web-platform-tests · Dec 11, 2018 · 1178857 · 1178857
1 parent e35021b
commit 1178857
Showing 1 changed file with 35 additions and 15 deletions.
diff --git a/css/cssom/stylesheet-same-origin.sub.html b/css/cssom/stylesheet-same-origin.sub.html
@@ -7,41 +7,61 @@
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
 
-    <link id="crossorigin" href="http://www1.{{host}}:{{ports[http][1]}}/stylesheet-same-origin.css" rel="stylesheet">
+    <link id="crossorigin" href="http://www1.{{host}}:{{ports[http][1]}}/css/cssom/stylesheet-same-origin.css" rel="stylesheet">
     <link id="sameorigin" href="stylesheet-same-origin.css" rel="stylesheet">
     <link id="sameorigindata" href="data:text/css,.green-text{color:rgb(0, 255, 0)}" rel="stylesheet">
+    <link id="redirect-sameorigin-to-crossorigin"
+          href="/common/redirect.py?location=http://www1.{{host}}:{{ports[http][1]}}/css/cssom/stylesheet-same-origin.css"
+          rel="stylesheet">
+    <link id="redirect-crossorigin-to-sameorigin"
+          href="http://www1.{{host}}:{{ports[http][1]}}/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/css/cssom/stylesheet-same-origin.css"
+          rel="stylesheet">
 
     <script>
         var crossorigin = document.getElementById("crossorigin").sheet;
+        var redirectSameOriginToCrossOrigin = document.getElementById("redirect-sameorigin-to-crossorigin").sheet;
+        var redirectCrossOriginToSameOrigin = document.getElementById("redirect-crossorigin-to-sameorigin").sheet;
         var sameorigin = document.getElementById("sameorigin").sheet;
         var sameorigindata = document.getElementById("sameorigindata").sheet;
 
-        test(function() {
+        function doOriginCleanCheck(sheet, name) {
+            assert_equals(sheet.cssRules.length, 1, name + " stylesheet.cssRules should be accessible.");
+            sheet.insertRule("#test { margin: 10px; }", 1);
+            assert_equals(sheet.cssRules.length, 2, name + " stylesheet.insertRule should be accessible.");
+            sheet.deleteRule(0);
+            assert_equals(sheet.cssRules.length, 1, name + " stylesheet.deleteRule should be accessible.");
+        }
+
+        function doOriginDirtyCheck(sheet) {
             assert_throws("SecurityError",
                 function () {
-                    crossorigin.cssRules;
+                    sheet.cssRules;
                 },
-                "Cross origin stylesheet.cssRules should throw SecurityError.");
+                'stylesheet.cssRules should throw SecurityError.');
             assert_throws("SecurityError",
                 function () {
-                    crossorigin.insertRule("#test { margin: 10px; }", 1);
+                    sheet.insertRule("#test { margin: 10px; }", 1);
                 },
-                "Cross origin stylesheet.insertRule should throw SecurityError.");
+                'stylesheet.insertRule should throw SecurityError.');
 
             assert_throws("SecurityError",
                 function () {
-                    crossorigin.deleteRule(0);
+                    sheet.deleteRule(0);
                 },
-                "Cross origin stylesheet.deleteRule should throw SecurityError.");
+                'stylesheet.deleteRule should throw SecurityError.');
+        }
+
+        test(function() {
+            doOriginDirtyCheck(crossorigin);
         }, "Origin-clean check in cross-origin CSSOM Stylesheets");
 
-        function doOriginCleanCheck(sheet, name) {
-            assert_equals(sheet.cssRules.length, 1, name + " stylesheet.cssRules should be accessible.");
-            sheet.insertRule("#test { margin: 10px; }", 1);
-            assert_equals(sheet.cssRules.length, 2, name + " stylesheet.insertRule should be accessible.");
-            sheet.deleteRule(0);
-            assert_equals(sheet.cssRules.length, 1, name + " stylesheet.deleteRule should be accessible.");
-        }
+        test(function() {
+            doOriginDirtyCheck(redirectSameOriginToCrossOrigin);
+        }, "Origin-clean check in cross-origin CSSOM Stylesheets (redirect from same-origin to cross-origin)");
+
+        test(function() {
+            doOriginDirtyCheck(redirectCrossOriginToSameOrigin);
+        }, "Origin-clean check in cross-origin CSSOM Stylesheets (redirect from cross-origin to same-origin)");
 
         test(function() {
             doOriginCleanCheck(sameorigin, "Same-origin");