WPT: CSS: Add cross-origin redirect tests.

This adds tests that stylesheets that result from requests that were redirected cross-origin are considered cross-origin. Note that A->B->A redirects, which redirect from cross-origin to same-origin, are considered cross-origin. See https://github.com/whatwg/fetch/issues/737 and https://github.com/whatwg/fetch/pull/834. In Blink, we have redirect tests at http/tests/security/cannot-read-cssrules-redirect.html. This WPT addition will supersede that test, but I won't yet remove it since it asserts the opposite for the A->B->A case. I can remove the test when Blink changes to pass this WPT test. Bug: 911974 Change-Id: Ie015c0390829299de7c29cff6685ddfcd774c66f Reviewed-on: https://chromium-review.googlesource.com/c/1370162Reviewed-by: Rune Lillesveen <futhark@chromium.org> Commit-Queue: Matt Falkenhagen <falken@chromium.org> Cr-Commit-Position: refs/heads/master@{#615475}

WPT: CSS: Add cross-origin redirect tests.
This adds tests that stylesheets that result from requests that were redirected cross-origin are considered cross-origin. Note that A->B->A redirects, which redirect from cross-origin to same-origin, are considered cross-origin. See https://github.com/whatwg/fetch/issues/737 and https://github.com/whatwg/fetch/pull/834. In Blink, we have redirect tests at http/tests/security/cannot-read-cssrules-redirect.html. This WPT addition will supersede that test, but I won't yet remove it since it asserts the opposite for the A->B->A case. I can remove the test when Blink changes to pass this WPT test. Bug: 911974 Change-Id: Ie015c0390829299de7c29cff6685ddfcd774c66f Reviewed-on: https://chromium-review.googlesource.com/c/1370162Reviewed-by: Rune Lillesveen <futhark@chromium.org> Commit-Queue: Matt Falkenhagen <falken@chromium.org> Cr-Commit-Position: refs/heads/master@{#615475}
02d7d52f · Matt Falkenhagen · Commit Bot · 811eb98e · 02d7d52f · 02d7d52f
Commit 02d7d52f authored Dec 11, 2018 by Matt Falkenhagen Committed by Commit Bot Dec 11, 2018
2 changed files
--- a/third_party/blink/web_tests/external/wpt/css/cssom/stylesheet-same-origin.sub-expected.txt
+++ b/third_party/blink/web_tests/external/wpt/css/cssom/stylesheet-same-origin.sub-expected.txt
+This is a testharness.js-based test.
+PASS Origin-clean check in cross-origin CSSOM Stylesheets
+PASS Origin-clean check in cross-origin CSSOM Stylesheets (redirect from same-origin to cross-origin)
+FAIL Origin-clean check in cross-origin CSSOM Stylesheets (redirect from cross-origin to same-origin) assert_throws: stylesheet.cssRules should throw SecurityError. function "function () {
+                    sheet.cssRules;
+                }" did not throw
+PASS Origin-clean check in same-origin CSSOM Stylesheets
+PASS Origin-clean check in data:css CSSOM Stylesheets
+Harness: the test ran to completion.
--- a/third_party/blink/web_tests/external/wpt/css/cssom/stylesheet-same-origin.sub.html
+++ b/third_party/blink/web_tests/external/wpt/css/cssom/stylesheet-same-origin.sub.html
@@ -7,41 +7,61 @@
    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>
-    <link id="crossorigin" href="http://www1.{{host}}:{{ports[http][1]}}/stylesheet-same-origin.css" rel="stylesheet">
+    <link id="crossorigin" href="http://www1.{{host}}:{{ports[http][1]}}/css/cssom/stylesheet-same-origin.css" rel="stylesheet">
    <link id="sameorigin" href="stylesheet-same-origin.css" rel="stylesheet">
    <link id="sameorigindata" href="data:text/css,.green-text{color:rgb(0, 255, 0)}" rel="stylesheet">
+    <link id="redirect-sameorigin-to-crossorigin"
+          href="/common/redirect.py?location=http://www1.{{host}}:{{ports[http][1]}}/css/cssom/stylesheet-same-origin.css"
+          rel="stylesheet">
+    <link id="redirect-crossorigin-to-sameorigin"
+          href="http://www1.{{host}}:{{ports[http][1]}}/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/css/cssom/stylesheet-same-origin.css"
+          rel="stylesheet">
    <script>
        var crossorigin = document.getElementById("crossorigin").sheet;
+        var redirectSameOriginToCrossOrigin = document.getElementById("redirect-sameorigin-to-crossorigin").sheet;
+        var redirectCrossOriginToSameOrigin = document.getElementById("redirect-crossorigin-to-sameorigin").sheet;
        var sameorigin = document.getElementById("sameorigin").sheet;
        var sameorigindata = document.getElementById("sameorigindata").sheet;
-        test(function() {
+        function doOriginCleanCheck(sheet, name) {
+            assert_equals(sheet.cssRules.length, 1, name + " stylesheet.cssRules should be accessible.");
+            sheet.insertRule("#test { margin: 10px; }", 1);
+            assert_equals(sheet.cssRules.length, 2, name + " stylesheet.insertRule should be accessible.");
+            sheet.deleteRule(0);
+            assert_equals(sheet.cssRules.length, 1, name + " stylesheet.deleteRule should be accessible.");
+        }
+        function doOriginDirtyCheck(sheet) {
            assert_throws("SecurityError",
                function () {
-                    crossorigin.cssRules;
+                    sheet.cssRules;
                },
-                "Cross origin stylesheet.cssRules should throw SecurityError.");
+                'stylesheet.cssRules should throw SecurityError.');
            assert_throws("SecurityError",
                function () {
-                    crossorigin.insertRule("#test { margin: 10px; }", 1);
+                    sheet.insertRule("#test { margin: 10px; }", 1);
                },
-                "Cross origin stylesheet.insertRule should throw SecurityError.");
+                'stylesheet.insertRule should throw SecurityError.');
            assert_throws("SecurityError",
                function () {
-                    crossorigin.deleteRule(0);
+                    sheet.deleteRule(0);
                },
-                "Cross origin stylesheet.deleteRule should throw SecurityError.");
+                'stylesheet.deleteRule should throw SecurityError.');
+        }
+        test(function() {
+            doOriginDirtyCheck(crossorigin);
        }, "Origin-clean check in cross-origin CSSOM Stylesheets");
-        function doOriginCleanCheck(sheet, name) {
+        test(function() {
-            assert_equals(sheet.cssRules.length, 1, name + " stylesheet.cssRules should be accessible.");
+            doOriginDirtyCheck(redirectSameOriginToCrossOrigin);
-            sheet.insertRule("#test { margin: 10px; }", 1);
+        }, "Origin-clean check in cross-origin CSSOM Stylesheets (redirect from same-origin to cross-origin)");
-            assert_equals(sheet.cssRules.length, 2, name + " stylesheet.insertRule should be accessible.");
-            sheet.deleteRule(0);
+        test(function() {
-            assert_equals(sheet.cssRules.length, 1, name + " stylesheet.deleteRule should be accessible.");
+            doOriginDirtyCheck(redirectCrossOriginToSameOrigin);
-        }
+        }, "Origin-clean check in cross-origin CSSOM Stylesheets (redirect from cross-origin to same-origin)");
        test(function() {
            doOriginCleanCheck(sameorigin, "Same-origin");