From ef1a1646b6ed8a22a7ebbfe01cb55314bd11209b Mon Sep 17 00:00:00 2001 From: Rob Buis Date: Wed, 5 Feb 2020 09:49:04 +0100 Subject: [PATCH] Add tests to verify origin headers sent by ping (#21485) --- ...der-origin-no-referrer-when-downgrade.html | 20 ++++++++++ .../header-origin-no-referrer.html | 20 ++++++++++ ...eader-origin-origin-when-cross-origin.html | 20 ++++++++++ .../header-origin-origin.html | 20 ++++++++++ .../header-origin-same-origin.html | 20 ++++++++++ ...rigin-strict-origin-when-cross-origin.html | 20 ++++++++++ .../header-origin-strict-origin.html | 20 ++++++++++ .../header-origin-unsafe-url.html | 20 ++++++++++ .../downloading-resources/header-origin.html | 19 +++++++++ .../downloading-resources/header-origin.js | 40 +++++++++++++++++++ 10 files changed, 219 insertions(+) create mode 100644 html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade.html create mode 100644 html/semantics/links/downloading-resources/header-origin-no-referrer.html create mode 100644 html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin.html create mode 100644 html/semantics/links/downloading-resources/header-origin-origin.html create mode 100644 html/semantics/links/downloading-resources/header-origin-same-origin.html create mode 100644 html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin.html create mode 100644 html/semantics/links/downloading-resources/header-origin-strict-origin.html create mode 100644 html/semantics/links/downloading-resources/header-origin-unsafe-url.html create mode 100644 html/semantics/links/downloading-resources/header-origin.html create mode 100644 html/semantics/links/downloading-resources/header-origin.js 
diff --git a/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade.html b/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade.html new file mode 100644 index 00000000000000..466868dd7bf7c8 --- /dev/null +++ b/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade.html @@ -0,0 +1,20 @@ + + + + + Ping attribute Origin Header No Referrer When Downgrade Policy + + + + + + + + + + + + + diff --git a/html/semantics/links/downloading-resources/header-origin-no-referrer.html b/html/semantics/links/downloading-resources/header-origin-no-referrer.html new file mode 100644 index 00000000000000..cd7a1804f3b51e --- /dev/null +++ b/html/semantics/links/downloading-resources/header-origin-no-referrer.html @@ -0,0 +1,20 @@ + + + + + Ping attribute Origin Header No Referrer Policy + + + + + + + + + + + + + diff --git a/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin.html b/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin.html new file mode 100644 index 00000000000000..98115aa6536301 --- /dev/null +++ b/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin.html @@ -0,0 +1,20 @@ + + + + + Ping attribute Origin Header Origin When Cross Origin Policy + + + + + + + + + + + + + diff --git a/html/semantics/links/downloading-resources/header-origin-origin.html b/html/semantics/links/downloading-resources/header-origin-origin.html new file mode 100644 index 00000000000000..194ca9d4ad7cf5 --- /dev/null +++ b/html/semantics/links/downloading-resources/header-origin-origin.html @@ -0,0 +1,20 @@ + + + + + Ping attribute Origin Header Origin Policy + + + + + + + + + + + + + diff --git a/html/semantics/links/downloading-resources/header-origin-same-origin.html b/html/semantics/links/downloading-resources/header-origin-same-origin.html new file mode 100644 index 00000000000000..eb86708d5bef09 --- /dev/null 
+++ b/html/semantics/links/downloading-resources/header-origin-same-origin.html @@ -0,0 +1,20 @@ + + + + + Ping attribute Origin Header Same Origin Policy + + + + + + + + + + + + + diff --git a/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin.html b/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin.html new file mode 100644 index 00000000000000..f6514ff2ae097a --- /dev/null +++ b/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin.html @@ -0,0 +1,20 @@ + + + + + Ping attribute Origin Header Strict Origin When Cross Origin Policy + + + + + + + + + + + + + diff --git a/html/semantics/links/downloading-resources/header-origin-strict-origin.html b/html/semantics/links/downloading-resources/header-origin-strict-origin.html new file mode 100644 index 00000000000000..4aa311e83319b8 --- /dev/null +++ b/html/semantics/links/downloading-resources/header-origin-strict-origin.html @@ -0,0 +1,20 @@ + + + + + Ping attribute Origin Header Strict Origin Policy + + + + + + + + + + + + + diff --git a/html/semantics/links/downloading-resources/header-origin-unsafe-url.html b/html/semantics/links/downloading-resources/header-origin-unsafe-url.html new file mode 100644 index 00000000000000..59742404fecb20 --- /dev/null +++ b/html/semantics/links/downloading-resources/header-origin-unsafe-url.html @@ -0,0 +1,20 @@ + + + + + Ping attribute Origin Header Unsafe Url Policy + + + + + + + + + + + + + diff --git a/html/semantics/links/downloading-resources/header-origin.html b/html/semantics/links/downloading-resources/header-origin.html new file mode 100644 index 00000000000000..189e2e66d47f5f --- /dev/null +++ b/html/semantics/links/downloading-resources/header-origin.html @@ -0,0 +1,19 @@ + + + + + Ping attribute Origin no Referrer Policy + + + + + + + + + + + + 
diff --git a/html/semantics/links/downloading-resources/header-origin.js b/html/semantics/links/downloading-resources/header-origin.js
new file mode 100644
index 00000000000000..acc62ef93b0592
--- /dev/null
+++ b/html/semantics/links/downloading-resources/header-origin.js
@@ -0,0 +1,40 @@
+const RESOURCES_DIR = "/html/semantics/links/downloading-resources/resources/";
+
+function testOriginHeader(expectedOrigin) {
+ var id = self.token();
+ let testUrl = RESOURCES_DIR + "inspect-header.py?header=origin&cmd=put&id=" + id;
+
+ promise_test(function(test) {
+ const anchor = document.getElementById("a");
+ anchor.setAttribute("ping", testUrl);
+ anchor.click();
+ return pollResult(id) .then(result => {
+ assert_equals(result, expectedOrigin, "Correct origin header result");
+ });
+ }, "Test origin header " + RESOURCES_DIR);
+}
+
+// Sending a ping is an asynchronous and non-blocking request to a web server.
+// We may have to create a poll loop to get result from server
+function pollResult(id) {
+ let checkUrl = RESOURCES_DIR + "inspect-header.py?header=origin&cmd=get&id=" + id;
+
+ return new Promise(resolve => {
+ function checkResult() {
+ fetch(checkUrl).then(
+ function(response) {
+ assert_equals(response.status, 200, "Inspect header response's status is 200");
+ let result = response.headers.get("x-request-origin");
+
+ if (result != undefined) {
+ resolve(result);
+ } else {
+ step_timeout(checkResult.bind(this), 100);
+ }
+ });
+ }
+
+ checkResult();
+ });
+
+}
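Review bot: In `pollResult`, a failing `assert_equals(response.status, 200, ...)` or a rejected `fetch` never settles the promise returned to `promise_test`, because the `new Promise(resolve => ...)` wrapper has no reject path. The run would then likely end as a timeout or a harness-level error rather than a failure that names the status check, which hides a broken `inspect-header.py` endpoint behind what looks like a missing ping. Take `reject` in the executor, `return new Promise((resolve, reject) => {`, and close the inner chain with `}).catch(reject);`. The test title `"Test origin header " + RESOURCES_DIR` interpolates a constant directory; using `expectedOrigin` there would say which Origin value each referrer-policy page is asserting.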