diff --git a/client-hints/critical-ch/iframe.https.window.js b/client-hints/critical-ch/iframe.https.window.js
index f4dd295208fd4a..bbb9623752ea59 100644
--- a/client-hints/critical-ch/iframe.https.window.js
+++ b/client-hints/critical-ch/iframe.https.window.js
@@ -6,3 +6,10 @@ async_test((t) => {
 document.body.appendChild(iframe);
 iframe.contentWindow.addEventListener('message', message_listener(t, "FAIL"));
 }, "Critical-CH iframe");
+
+async_test((t) => {
+ var iframe = document.createElement("iframe");
+ iframe.src = ECHO_URL+"?multiple=true";
+ document.body.appendChild(iframe);
+ iframe.contentWindow.addEventListener('message', message_listener(t, "FAIL"));
+}, "Critical-CH w/ multiple headers and iframe");
diff --git a/client-hints/critical-ch/mis-matched-count.https.window.js b/client-hints/critical-ch/mis-matched-count.https.window.js
index 54bd66789793ba..23d297837e6ce6 100644
--- a/client-hints/critical-ch/mis-matched-count.https.window.js
+++ b/client-hints/critical-ch/mis-matched-count.https.window.js
@@ -2,3 +2,4 @@
 // META: script=/common/utils.js
 async_test(make_message_test(ECHO_URL+"?mismatch=true&token="+token(), "1"), "Critical-CH no restart on mismatched hints")
+async_test(make_message_test(ECHO_URL+"?multiple=true&mismatch=true&token="+token(), "1"), "Critical-CH w/ multiple headers and no restart on mismatched hints")
diff --git a/client-hints/critical-ch/mis-matched.https.window.js b/client-hints/critical-ch/mis-matched.https.window.js
index 9476640b3513d3..10f9a30b6d2571 100644
--- a/client-hints/critical-ch/mis-matched.https.window.js
+++ b/client-hints/critical-ch/mis-matched.https.window.js
@@ -1,3 +1,4 @@
 // META: script=resources/util.js
 async_test(make_message_test(ECHO_URL+"?mismatch=true", "FAIL"), "Critical-CH Mis-matched hints")
+async_test(make_message_test(ECHO_URL+"?multiple=true&mismatch=true", "FAIL"), "Critical-CH w/ multiple headers and Mis-matched hints")
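Review bot: In iframe.https.window.js the added test appends an iframe and never removes it, so the frame stays in the document after the test has finished. Adding `t.add_cleanup(() => iframe.remove());` right after `document.body.appendChild(iframe);` keeps the two tests in this file from sharing leftover state. The body is otherwise a copy of the "Critical-CH iframe" test with only the URL changed, so a small helper that takes the URL and the test name would stop the two copies drifting apart. The start of the existing test is outside this hunk.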
diff --git a/client-hints/critical-ch/non-secure.http.window.js b/client-hints/critical-ch/non-secure.http.window.js
index cdd79243982a46..b634f98e55c941 100644
--- a/client-hints/critical-ch/non-secure.http.window.js
+++ b/client-hints/critical-ch/non-secure.http.window.js
@@ -1,3 +1,4 @@
 // META: script=resources/util.js
 async_test(make_message_test(ECHO_URL, "FAIL"), "Critical-CH navigation non-secure")
+async_test(make_message_test(ECHO_URL+"?multiple=true", "FAIL"), "Critical-CH w/ multiple headers and navigation non-secure")
diff --git a/client-hints/critical-ch/resources/echo-critical-hint.py b/client-hints/critical-ch/resources/echo-critical-hint.py
index e4e77ad2a9a3bc..0913dbb19db57c 100644
--- a/client-hints/critical-ch/resources/echo-critical-hint.py
+++ b/client-hints/critical-ch/resources/echo-critical-hint.py
@@ -11,13 +11,22 @@ def main(request, response):
 response.headers.append(b"Access-Control-Allow-Headers", b"*")
 response.headers.append(b"Access-Control-Expose-Headers", b"*")
- response.headers.append(b"Accept-CH", b"sec-ch-device-memory,device-memory")
+ accept = b"sec-ch-device-memory,device-memory"
+ if(request.GET.first(b"multiple", None) is not None):
+ for accept_part in accept.split(b","):
+ response.headers.append(b"Accept-CH", accept_part)
+ else:
+ response.headers.append(b"Accept-CH", accept)
 critical = b"sec-ch-device-memory,device-memory"
 if(request.GET.first(b"mismatch", None) is not None):
 critical = b"sec-ch-viewport-width,viewport-width"
- response.headers.append(b"Critical-CH", critical)
+ if(request.GET.first(b"multiple", None) is not None):
+ for critical_part in critical.split(b","):
+ response.headers.append(b"Critical-CH", critical_part)
+ else:
+ response.headers.append(b"Critical-CH", critical)
 response.headers.append(b"Cache-Control", b"no-store")
diff --git a/client-hints/critical-ch/subresource.https.window.js b/client-hints/critical-ch/subresource.https.window.js
index f8112b628d0f26..81dfc303c62e03 100644
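Review bot: In echo-critical-hint.py the `multiple` query check and the split-and-append loop are written out twice, once for Accept-CH and once for Critical-CH, so a later change to one copy can leave the two headers split differently. Reading the flag once and routing both headers through one local helper keeps them in step. The helper is also the natural place for a comment saying that only the presence of `?multiple` is tested (any value enables it, as with `mismatch`) and that the split produces one header line per list member. `main` starts and continues outside this hunk.

```python
    # Presence of ?multiple (any value) switches to one header line per list member.
    multiple = request.GET.first(b"multiple", None) is not None

    def append_list_header(name, value):
        for part in (value.split(b",") if multiple else [value]):
            response.headers.append(name, part)

    append_list_header(b"Accept-CH", b"sec-ch-device-memory,device-memory")

    # … unchanged: critical / mismatch selection …

    append_list_header(b"Critical-CH", critical)
```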
--- a/client-hints/critical-ch/subresource.https.window.js
+++ b/client-hints/critical-ch/subresource.https.window.js
@@ -2,9 +2,17 @@
 // META: script=/common/utils.js
 promise_test(() =>
- fetch("resources/echo-critical-hint.py")
+ fetch(ECHO_URL)
 .then((r) => r.text())
 .then((r) => {
 assert_true(r.includes("FAIL"));
 })
 , "Critical-CH subresource fetch");
+
+promise_test(() =>
+ fetch(ECHO_URL+"?multiple=true")
+ .then((r) => r.text())
+ .then((r) => {
+ assert_true(r.includes("FAIL"));
+ })
+, "Critical-CH w/ multiple headers and subresource fetch");
diff --git a/client-hints/critical-ch/unsafe-method.https.window.js b/client-hints/critical-ch/unsafe-method.https.window.js
index 0eca0eb8e9aea1..37bbcb3315e1b1 100644
--- a/client-hints/critical-ch/unsafe-method.https.window.js
+++ b/client-hints/critical-ch/unsafe-method.https.window.js
@@ -21,3 +21,27 @@ async_test((t) => {
 form.submit();
 }, "Critical-CH unsafe method")
+
+async_test((t) => {
+ // This test requires a navigation with a non-safe (i.e. non-GET) HTTP
+ // response, which the Critical-CH spec says to ignore. The most
+ // "straight-forward" way to do this in JS is by making a form with an
+ // unsafe method (e.g. POST) method and submit it.
+
+ // Build the form DOM element
+ var form = document.createElement("form");
+ form.setAttribute("method", "post");
+ form.setAttribute("action", "resources/echo-critical-hint.py?multiple=true");
+ form.setAttribute("target", "popup"); //don't navigate away from the page running the test...
+ document.body.appendChild(form);
+
+ var popup_window = window.open("/common/blank.html", "popup");
+ assert_not_equals(popup_window, null, "Popup windows not allowed?");
+
+ popup_window.addEventListener('message', (e) => {
+ t.step(()=>{assert_equals(e.data, "FAIL")});
+ t.done();
+ });
+
+ form.submit();
+}, "Critical-CH w/ multiple headers and unsafe method")
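Review bot: In subresource.https.window.js both fetches now depend on `ECHO_URL`, which no line in this hunk defines. The hunk starts at line 2, so whether line 1 loads `resources/util.js` (as the sibling tests do) cannot be seen here and should be confirmed; if it does not, both tests fail on a ReferenceError instead of checking the response. The assertions are bare `assert_true(r.includes("FAIL"))`, which says nothing about what came back when it fails; `assert_true(r.includes("FAIL"), "unexpected body: " + r);` would show what the handler echoed.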
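Review bot: In unsafe-method.https.window.js the added test uses the window name `"popup"` for both the form target and `window.open`. If the existing "Critical-CH unsafe method" test (its body is outside this hunk) uses the same name, the two async_tests share one popup, the later form submission replaces the earlier navigation, and either test can pass on the other's response. Give this test its own target, e.g. `form.setAttribute("target", "popup-multiple");` with `window.open("/common/blank.html", "popup-multiple");`, and close it with `t.add_cleanup(() => popup_window.close());`. The action is also hard-coded as `"resources/echo-critical-hint.py?multiple=true"` while the other files in this commit build the URL from `ECHO_URL`; if util.js is loaded here, using it would keep the handler path in one place.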