testing/web-platform/tests/fetch/local-network-access/fenced-frame.tentative.https.window.js

   1 // META: script=/common/dispatcher/dispatcher.js
   2 // META: script=/common/utils.js
   3 // META: script=resources/support.sub.js
   4 // META: script=/fenced-frame/resources/utils.js
   5 //
   6 // Spec: https://wicg.github.io/private-network-access/#integration-fetch
   7 //
   8 // These tests verify that contexts can navigate fenced frames to less-public
   9 // address spaces iff the target server responds affirmatively to preflight
  10 // requests.
  11
  12 setup(() => {
  13   assert_true(window.isSecureContext);
  14 });
  15
  16 // Source: secure local context.
  17 //
  18 // All fetches unaffected by Private Network Access.
  19
  20 promise_test_parallel(
  21     t => fencedFrameTest(t, {
  22       source: {server: Server.HTTPS_LOCAL},
  23       target: {server: Server.HTTPS_LOCAL},
  24       expected: FrameTestResult.SUCCESS,
  25     }),
  26     'local to local: no preflight required.');
  27
  28 promise_test_parallel(
  29     t => fencedFrameTest(t, {
  30       source: {server: Server.HTTPS_LOCAL},
  31       target: {server: Server.HTTPS_PRIVATE},
  32       expected: FrameTestResult.SUCCESS,
  33     }),
  34     'local to private: no preflight required.');
  35
  36 promise_test_parallel(
  37     t => fencedFrameTest(t, {
  38       source: {server: Server.HTTPS_LOCAL},
  39       target: {server: Server.HTTPS_PUBLIC},
  40       expected: FrameTestResult.SUCCESS,
  41     }),
  42     'local to public: no preflight required.');
  43
  44 // Generates tests of preflight behavior for a single (source, target) pair.
  45 //
  46 // Scenarios:
  47 //
  48 // - parent navigates child:
  49 //   - preflight response has non-2xx HTTP code
  50 //   - preflight response is missing CORS headers
  51 //   - preflight response is missing the PNA-specific `Access-Control` header
  52 //   - preflight response has the required PNA related headers, but still fails
  53 //     because of the limitation of fenced frame that subjects to PNA checks.
  54 //
  55 function makePreflightTests({
  56   sourceName,
  57   sourceServer,
  58   sourceTreatAsPublic,
  59   targetName,
  60   targetServer,
  61 }) {
  62   const prefix = `${sourceName} to ${targetName}: `;
  63
  64   const source = {
  65     server: sourceServer,
  66     treatAsPublic: sourceTreatAsPublic,
  67   };
  68
  69   promise_test_parallel(
  70       t => fencedFrameTest(t, {
  71         source,
  72         target: {
  73           server: targetServer,
  74           behavior: {preflight: PreflightBehavior.failure()},
  75         },
  76         expected: FrameTestResult.FAILURE,
  77       }),
  78       prefix + 'failed preflight.');
  79
  80   promise_test_parallel(
  81       t => fencedFrameTest(t, {
  82         source,
  83         target: {
  84           server: targetServer,
  85           behavior: {preflight: PreflightBehavior.noCorsHeader(token())},
  86         },
  87         expected: FrameTestResult.FAILURE,
  88       }),
  89       prefix + 'missing CORS headers.');
  90
  91   promise_test_parallel(
  92       t => fencedFrameTest(t, {
  93         source,
  94         target: {
  95           server: targetServer,
  96           behavior: {preflight: PreflightBehavior.noPnaHeader(token())},
  97         },
  98         expected: FrameTestResult.FAILURE,
  99       }),
 100       prefix + 'missing PNA header.');
 101
 102   promise_test_parallel(
 103       t => fencedFrameTest(t, {
 104         source,
 105         target: {
 106           server: targetServer,
 107           behavior: {
 108             preflight: PreflightBehavior.success(token()),
 109             response: ResponseBehavior.allowCrossOrigin()
 110           },
 111         },
 112         expected: FrameTestResult.FAILURE,
 113       }),
 114       prefix + 'failed because fenced frames are incompatible with PNA.');
 115 }
 116
 117 // Source: private secure context.
 118 //
 119 // Fetches to the local address space require a successful preflight response
 120 // carrying a PNA-specific header.
 121
 122 makePreflightTests({
 123   sourceServer: Server.HTTPS_PRIVATE,
 124   sourceName: 'private',
 125   targetServer: Server.HTTPS_LOCAL,
 126   targetName: 'local',
 127 });
 128
 129 promise_test_parallel(
 130     t => fencedFrameTest(t, {
 131       source: {server: Server.HTTPS_PRIVATE},
 132       target: {server: Server.HTTPS_PRIVATE},
 133       expected: FrameTestResult.SUCCESS,
 134     }),
 135     'private to private: no preflight required.');
 136
 137 promise_test_parallel(
 138     t => fencedFrameTest(t, {
 139       source: {server: Server.HTTPS_PRIVATE},
 140       target: {server: Server.HTTPS_PUBLIC},
 141       expected: FrameTestResult.SUCCESS,
 142     }),
 143     'private to public: no preflight required.');
 144
 145 // Source: public secure context.
 146 //
 147 // Fetches to the local and private address spaces require a successful
 148 // preflight response carrying a PNA-specific header.
 149
 150 makePreflightTests({
 151   sourceServer: Server.HTTPS_PUBLIC,
 152   sourceName: 'public',
 153   targetServer: Server.HTTPS_LOCAL,
 154   targetName: 'local',
 155 });
 156
 157 makePreflightTests({
 158   sourceServer: Server.HTTPS_PUBLIC,
 159   sourceName: 'public',
 160   targetServer: Server.HTTPS_PRIVATE,
 161   targetName: 'private',
 162 });
 163
 164 promise_test_parallel(
 165     t => fencedFrameTest(t, {
 166       source: {server: Server.HTTPS_PUBLIC},
 167       target: {server: Server.HTTPS_PUBLIC},
 168       expected: FrameTestResult.SUCCESS,
 169     }),
 170     'public to public: no preflight required.');
 171
 172 // The following tests verify that `CSP: treat-as-public-address` makes
 173 // documents behave as if they had been served from a public IP address.
 174
 175 makePreflightTests({
 176   sourceServer: Server.HTTPS_LOCAL,
 177   sourceTreatAsPublic: true,
 178   sourceName: 'treat-as-public-address',
 179   targetServer: Server.OTHER_HTTPS_LOCAL,
 180   targetName: 'local',
 181 });
 182
 183 promise_test_parallel(
 184     t => fencedFrameTest(t, {
 185       source: {
 186         server: Server.HTTPS_LOCAL,
 187         treatAsPublic: true,
 188       },
 189       target: {server: Server.HTTPS_LOCAL},
 190       expected: FrameTestResult.FAILURE,
 191     }),
 192     'treat-as-public-address to local (same-origin): fenced frame embedder ' +
 193     'initiated navigation has opaque origin.');
 194
 195 makePreflightTests({
 196   sourceServer: Server.HTTPS_LOCAL,
 197   sourceTreatAsPublic: true,
 198   sourceName: 'treat-as-public-address',
 199   targetServer: Server.HTTPS_PRIVATE,
 200   targetName: 'private',
 201 });
 202
 203 promise_test_parallel(
 204     t => fencedFrameTest(t, {
 205       source: {
 206         server: Server.HTTPS_LOCAL,
 207         treatAsPublic: true,
 208       },
 209       target: {server: Server.HTTPS_PUBLIC},
 210       expected: FrameTestResult.SUCCESS,
 211     }),
 212     'treat-as-public-address to public: no preflight required.');
 213
 214 promise_test_parallel(
 215     t => fencedFrameTest(t, {
 216       source: {
 217         server: Server.HTTPS_LOCAL,
 218         treatAsPublic: true,
 219       },
 220       target: {
 221         server: Server.HTTPS_PUBLIC,
 222         behavior: {preflight: PreflightBehavior.optionalSuccess(token())}
 223       },
 224       expected: FrameTestResult.SUCCESS,
 225     }),
 226     'treat-as-public-address to local: optional preflight');