[Critical-CH] Ensure multiple headers are respected

As per https://www.rfc-editor.org/rfc/rfc2068#section-4.2 we need to be sure we treat: Critical-CH: A, B the same as: Critical-CH: A Critical-CH: B Bug: 1422562 Change-Id: I5ae8b5e7be3f05899c564415bf8785affd6c322a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4319465 Reviewed-by: Yoav Weiss <yoavweiss@chromium.org> Auto-Submit: Ari Chivukula <arichiv@chromium.org> Commit-Queue: Yoav Weiss <yoavweiss@chromium.org> Commit-Queue: Ari Chivukula <arichiv@chromium.org> Cr-Commit-Position: refs/heads/main@{#1114527}
web-platform-tests · Mar 8, 2023 · f419c90 · f419c90
1 parent d6dbd15
commit f419c90
Show file tree

Hide file tree

Showing 7 changed files with 54 additions and 3 deletions.
diff --git a/client-hints/critical-ch/iframe.https.window.js b/client-hints/critical-ch/iframe.https.window.js
@@ -6,3 +6,10 @@ async_test((t) => {
   document.body.appendChild(iframe);
   iframe.contentWindow.addEventListener('message', message_listener(t, "FAIL"));
 }, "Critical-CH iframe");
+
+async_test((t) => {
+  var iframe = document.createElement("iframe");
+  iframe.src = ECHO_URL+"?multiple=true";
+  document.body.appendChild(iframe);
+  iframe.contentWindow.addEventListener('message', message_listener(t, "FAIL"));
+}, "Critical-CH w/ multiple headers and iframe");
diff --git a/client-hints/critical-ch/mis-matched-count.https.window.js b/client-hints/critical-ch/mis-matched-count.https.window.js
@@ -2,3 +2,4 @@
 // META: script=/common/utils.js
 
 async_test(make_message_test(ECHO_URL+"?mismatch=true&token="+token(), "1"), "Critical-CH no restart on mismatched hints")
+async_test(make_message_test(ECHO_URL+"?multiple=true&mismatch=true&token="+token(), "1"), "Critical-CH w/ multiple headers and no restart on mismatched hints")
diff --git a/client-hints/critical-ch/mis-matched.https.window.js b/client-hints/critical-ch/mis-matched.https.window.js
@@ -1,3 +1,4 @@
 // META: script=resources/util.js
 
 async_test(make_message_test(ECHO_URL+"?mismatch=true", "FAIL"), "Critical-CH Mis-matched hints")
+async_test(make_message_test(ECHO_URL+"?multiple=true&mismatch=true", "FAIL"), "Critical-CH w/ multiple headers and Mis-matched hints")
diff --git a/client-hints/critical-ch/non-secure.http.window.js b/client-hints/critical-ch/non-secure.http.window.js
@@ -1,3 +1,4 @@
 // META: script=resources/util.js
 
 async_test(make_message_test(ECHO_URL, "FAIL"), "Critical-CH navigation non-secure")
+async_test(make_message_test(ECHO_URL+"?multiple=true", "FAIL"), "Critical-CH w/ multiple headers and navigation non-secure")
diff --git a/client-hints/critical-ch/resources/echo-critical-hint.py b/client-hints/critical-ch/resources/echo-critical-hint.py
@@ -11,13 +11,22 @@ def main(request, response):
     response.headers.append(b"Access-Control-Allow-Headers", b"*")
     response.headers.append(b"Access-Control-Expose-Headers", b"*")
 
-    response.headers.append(b"Accept-CH", b"sec-ch-device-memory,device-memory")
+    accept = b"sec-ch-device-memory,device-memory"
+    if(request.GET.first(b"multiple", None) is not None):
+      for accept_part in accept.split(b","):
+        response.headers.append(b"Accept-CH", accept_part)
+    else:
+      response.headers.append(b"Accept-CH", accept)
 
     critical = b"sec-ch-device-memory,device-memory"
     if(request.GET.first(b"mismatch", None) is not None):
       critical = b"sec-ch-viewport-width,viewport-width"
 
-    response.headers.append(b"Critical-CH", critical)
+    if(request.GET.first(b"multiple", None) is not None):
+      for critical_part in critical.split(b","):
+        response.headers.append(b"Critical-CH", critical_part)
+    else:
+      response.headers.append(b"Critical-CH", critical)
 
     response.headers.append(b"Cache-Control", b"no-store")
 

diff --git a/client-hints/critical-ch/subresource.https.window.js b/client-hints/critical-ch/subresource.https.window.js
@@ -2,9 +2,17 @@
 // META: script=/common/utils.js
 
 promise_test(() =>
-  fetch("resources/echo-critical-hint.py")
+  fetch(ECHO_URL)
       .then((r) => r.text())
       .then((r) => {
         assert_true(r.includes("FAIL"));
       })
 , "Critical-CH subresource fetch");
+
+promise_test(() =>
+  fetch(ECHO_URL+"?multiple=true")
+      .then((r) => r.text())
+      .then((r) => {
+        assert_true(r.includes("FAIL"));
+      })
+, "Critical-CH w/ multiple headers and subresource fetch");
diff --git a/client-hints/critical-ch/unsafe-method.https.window.js b/client-hints/critical-ch/unsafe-method.https.window.js
@@ -21,3 +21,27 @@ async_test((t) => {
 
   form.submit();
 }, "Critical-CH unsafe method")
+
+async_test((t) => {
+  // This test requires a navigation with a non-safe (i.e. non-GET) HTTP
+  // response, which the Critical-CH spec says to ignore. The most
+  // "straight-forward" way to do this in JS is by making a form with an
+  // unsafe method (e.g. POST) method and submit it.
+
+  // Build the form DOM element
+  var form = document.createElement("form");
+  form.setAttribute("method", "post");
+  form.setAttribute("action", "resources/echo-critical-hint.py?multiple=true");
+  form.setAttribute("target", "popup"); //don't navigate away from the page running the test...
+  document.body.appendChild(form);
+
+  var popup_window = window.open("/common/blank.html", "popup");
+  assert_not_equals(popup_window, null, "Popup windows not allowed?");
+
+  popup_window.addEventListener('message', (e) => {
+    t.step(()=>{assert_equals(e.data, "FAIL")});
+    t.done();
+  });
+
+  form.submit();
+}, "Critical-CH w/ multiple headers and unsafe method")