[WPT] Fix/add credentials mode tests for dynamic import()

This CL fixes html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html and html/semantics/scripting-1/the-script-element/module/credentials.sub.html by: - Using `set-cookie.py` instead of `document.cookie = 'same=1';`, and - Passing `origin` parameter instead of relying on Origin request header, as Firefox doesn't send Origin header in same-origin requests. This CL also adds credentials mode tests for dynamic imports from classic scripts and setTimeout(with a string argument). Bug: 1133238, 1114988 Change-Id: I18dce474f46e79c7d4161461760f0739806a1984 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2437556Reviewed-by: Dominic Farolino <dom@chromium.org> Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Cr-Commit-Position: refs/heads/master@{#821704}

[WPT] Fix/add credentials mode tests for dynamic import()
This CL fixes html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html and html/semantics/scripting-1/the-script-element/module/credentials.sub.html by: - Using `set-cookie.py` instead of `document.cookie = 'same=1';`, and - Passing `origin` parameter instead of relying on Origin request header, as Firefox doesn't send Origin header in same-origin requests. This CL also adds credentials mode tests for dynamic imports from classic scripts and setTimeout(with a string argument). Bug: 1133238, 1114988 Change-Id: I18dce474f46e79c7d4161461760f0739806a1984 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2437556Reviewed-by: Dominic Farolino <dom@chromium.org> Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Cr-Commit-Position: refs/heads/master@{#821704}
7dee01a6 · Hiroshige Hayashizaki · Commit Bot · 3201204f · 7dee01a6 · 7dee01a6
Commit 7dee01a6 authored Oct 28, 2020 by Hiroshige Hayashizaki Committed by Commit Bot Oct 28, 2020
9 changed files
--- a/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials-setTimeout.sub-expected.txt
+++ b/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials-setTimeout.sub-expected.txt
+This is a testharness.js-based test.
+PASS Same-origin dynamic import from setTimeout(string) from classic script (crossOrigin not specified)
+PASS Cross-origin dynamic import from setTimeout(string) from classic script (crossOrigin not specified)
+PASS Same-origin dynamic import from setTimeout(string) from classic script (crossOrigin=anonymous)
+PASS Cross-origin dynamic import from setTimeout(string) from classic script (crossOrigin=anonymous)
+PASS Same-origin dynamic import from setTimeout(string) from classic script (crossOrigin=use-credentials)
+FAIL Cross-origin dynamic import from setTimeout(string) from classic script (crossOrigin=use-credentials) assert_equals: cookie expected "found" but got "not found"
+PASS Same-origin dynamic import from setTimeout(string) from module script (crossOrigin not specified)
+PASS Cross-origin dynamic import from setTimeout(string) from module script (crossOrigin not specified)
+PASS Same-origin dynamic import from setTimeout(string) from module script (crossOrigin=anonymous)
+PASS Cross-origin dynamic import from setTimeout(string) from module script (crossOrigin=anonymous)
+PASS Same-origin dynamic import from setTimeout(string) from module script (crossOrigin=use-credentials)
+FAIL Cross-origin dynamic import from setTimeout(string) from module script (crossOrigin=use-credentials) assert_equals: cookie expected "found" but got "not found"
+Harness: the test ran to completion.
--- a/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials-setTimeout.sub.html
+++ b/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials-setTimeout.sub.html
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/dynamic-import-credentials-helper.sub.js"></script>
+<script type="text/javascript">
+runTestsFromIframe('../resources/dynamic-import-credentials-setTimeout-iframe.sub.html');
+</script>
+<body>
+</body>
--- a/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub-expected.txt
+++ b/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub-expected.txt
-This is a testharness.js-based test.
-FAIL Dynamic imports should be loaded with or without the credentials based on the same-origin-ness and the parent script's crossOrigin attribute assert_equals: Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is not specified and the target is same-origin expected "found" but got "not found"
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html
+++ b/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html
@@ -2,57 +2,10 @@
 <meta charset="utf-8">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="/common/get-host-info.sub.js"></script>
+<script src="../resources/dynamic-import-credentials-helper.sub.js"></script>
 <script type="text/javascript">
-host_info = get_host_info();
+runTestsFromIframe('../resources/dynamic-import-credentials-iframe.sub.html');
-document.cookie = 'same=1';
-const setCookiePromise = fetch(
-    'http://{{domains[www2]}}:{{ports[http][0]}}/cookies/resources/set-cookie.py?name=cross&path=/html/semantics/scripting-1/the-script-element/module/',
-    {
-      mode: 'no-cors',
-      credentials: 'include',
-    });
-const windowLoadPromise = new Promise(resolve => {
-  window.addEventListener('load', () => {
-    resolve();
-  });
-});
-promise_test(t => {
-  const iframe = document.createElement('iframe');
-  return Promise.all([setCookiePromise, windowLoadPromise]).then(() => {
-    const messagePromise = new Promise(resolve => {
-      window.addEventListener('message', event => {
-        resolve();
-      });
-    });
-    iframe.src = '../resources/dynamic-import-credentials-iframe.sub.html';
-    document.body.appendChild(iframe);
-    return messagePromise;
-  }).then(() => {
-    const w = iframe.contentWindow;
-    assert_equals(w.sameOriginNoneDynamicDescendant, 'found',
-                  'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is not specified and the target is same-origin');
-    assert_equals(w.sameOriginAnonymousDynamicDescendant, 'found',
-                  'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is same-origin');
-    assert_equals(w.sameOriginUseCredentialsDynamicDescendant, 'found',
-                  'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is same-origin');
-    assert_equals(w.crossOriginNoneDynamicDescendant, 'not found',
-                  'Dynamic descendant modules should not be loaded with the credentials when the crossOrigin attribute is not specified and the target is cross-origin');
-    assert_equals(w.crossOriginAnonymousDynamicDescendant, 'not found',
-                  'Dynamic descendant modules should not be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is cross-origin');
-    assert_equals(w.crossOriginUseCredentialsDynamicDescendant, 'found',
-                  'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is cross-origin');
-});
-}, 'Dynamic imports should be loaded with or without the credentials based on the same-origin-ness and the parent script\'s crossOrigin attribute');
 </script>
 <body>
 </body>
--- a/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py
+++ b/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py
 def main(request, response):
    headers = [
        (b"Content-Type", b"text/javascript"),
-        (b"Access-Control-Allow-Origin", request.headers.get(b"Origin")),
+        (b"Access-Control-Allow-Origin", request.GET.first(b"origin")),
        (b"Access-Control-Allow-Credentials", b"true")
    ]
    identifier = request.GET.first(b"id")

--- a/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/resources/credentials-iframe.sub.html
+++ b/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/resources/credentials-iframe.sub.html
@@ -2,45 +2,45 @@
 <meta charset="utf-8">
 <script type="module"
-        src="check-cookie.py?id=sameOriginNone&cookieName=same">
+        src="check-cookie.py?id=sameOriginNone&cookieName=same&origin=http://{{host}}:{{ports[http][0]}}">
 </script>
 <script type="module"
-        src="check-cookie.py?id=sameOriginAnonymous&cookieName=same"
+        src="check-cookie.py?id=sameOriginAnonymous&cookieName=same&origin=http://{{host}}:{{ports[http][0]}}"
        crossOrigin="anonymous">
 </script>
 <script type="module"
-        src="check-cookie.py?id=sameOriginUseCredentials&cookieName=same"
+        src="check-cookie.py?id=sameOriginUseCredentials&cookieName=same&origin=http://{{host}}:{{ports[http][0]}}"
        crossOrigin="use-credentials">
 </script>
 <script type="module"
-        src="http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginNone&cookieName=cross">
+        src="http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginNone&cookieName=cross&origin=http://{{host}}:{{ports[http][0]}}">
 </script>
 <script type="module"
-        src="http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginAnonymous&cookieName=cross"
+        src="http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginAnonymous&cookieName=cross&origin=http://{{host}}:{{ports[http][0]}}"
        crossOrigin="anonymous">
 </script>
 <script type="module"
-        src="http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginUseCredentials&cookieName=cross"
+        src="http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginUseCredentials&cookieName=cross&origin=http://{{host}}:{{ports[http][0]}}"
        crossOrigin="use-credentials">
 </script>
 <script type="module">
-import "./check-cookie.py?id=sameOriginNoneDescendant&cookieName=same";
+import "./check-cookie.py?id=sameOriginNoneDescendant&cookieName=same&origin=http://{{host}}:{{ports[http][0]}}";
 </script>
 <script type="module" crossOrigin="anonymous">
-import "./check-cookie.py?id=sameOriginAnonymousDescendant&cookieName=same";
+import "./check-cookie.py?id=sameOriginAnonymousDescendant&cookieName=same&origin=http://{{host}}:{{ports[http][0]}}";
 </script>
 <script type="module" crossOrigin="use-credentials">
-import "./check-cookie.py?id=sameOriginUseCredentialsDescendant&cookieName=same";
+import "./check-cookie.py?id=sameOriginUseCredentialsDescendant&cookieName=same&origin=http://{{host}}:{{ports[http][0]}}";
 </script>
 <script type="module">
-import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginNoneDescendant&cookieName=cross";
+import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginNoneDescendant&cookieName=cross&origin=http://{{host}}:{{ports[http][0]}}";
 </script>
 <script type="module" crossOrigin="anonymous">
-import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginAnonymousDescendant&cookieName=cross";
+import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginAnonymousDescendant&cookieName=cross&origin=http://{{host}}:{{ports[http][0]}}";
 </script>
 <script type="module" crossOrigin="use-credentials">
-import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginUseCredentialsDescendant&cookieName=cross";
+import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginUseCredentialsDescendant&cookieName=cross&origin=http://{{host}}:{{ports[http][0]}}";
 </script>
 <script type="text/javascript">

--- a/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/resources/dynamic-import-credentials-helper.sub.js
+++ b/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/resources/dynamic-import-credentials-helper.sub.js
+// runTestsFromIframe() is used in the top-level HTML to set cookies and then
+// start actual tests in iframe.
+function runTestsFromIframe(iframe_url) {
+  const setSameOriginCookiePromise = fetch(
+    '/cookies/resources/set-cookie.py?name=same&path=/html/semantics/scripting-1/the-script-element/module/',
+    {
+      mode: 'no-cors',
+      credentials: 'include',
+    });
+  const setCrossOriginCookiePromise = fetch(
+    'http://{{domains[www2]}}:{{ports[http][0]}}/cookies/resources/set-cookie.py?name=cross&path=/html/semantics/scripting-1/the-script-element/module/',
+    {
+      mode: 'no-cors',
+      credentials: 'include',
+    });
+  const windowLoadPromise = new Promise(resolve => {
+    window.addEventListener('load', () => {
+      resolve();
+    });
+  });
+  const iframe = document.createElement('iframe');
+  Promise.all([setSameOriginCookiePromise,
+               setCrossOriginCookiePromise,
+               windowLoadPromise]).then(() => {
+    iframe.src = iframe_url;
+    document.body.appendChild(iframe);
+    fetch_tests_from_window(iframe.contentWindow);
+  });
+}
+// The functions below are used from tests within the iframe.
+let testNumber = 0;
+// importFunc and setTimeoutFunc is used to make the active script at the time
+// of import() to be the script elements that call `runTest()`,
+// NOT this script defining runTest().
+function runTest(importFunc, origin, expected, source) {
+  let url;
+  let description;
+  if (origin === 'same') {
+    url = "./check-cookie.py";
+    description = "Same-origin dynamic import from " + source;
+  } else {
+    url = "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py";
+    description = "Cross-origin dynamic import from " + source;
+  }
+  promise_test(() => {
+    const id = "test" + testNumber;
+    testNumber += 1;
+    return importFunc(url + "?id=" + id + "&cookieName=" + origin + "&origin=" + location.origin)
+      .then(() => {
+          assert_equals(window[id], expected, "cookie");
+        });
+  }, description);
+}
+function setTimeoutWrapper(setTimeoutFunc) {
+  return url => {
+    return new Promise(resolve => {
+      window.resolve = resolve;
+      setTimeoutFunc(`import("${url}").then(window.resolve)`);
+    });
+  };
+}
--- a/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/resources/dynamic-import-credentials-iframe.sub.html
+++ b/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/resources/dynamic-import-credentials-iframe.sub.html
 <!DOCTYPE html>
-<script type="module">
+<script src="/resources/testharness.js"></script>
-import("./check-cookie.py?id=sameOriginNoneDynamicDescendant&cookieName=same");
+<script src="dynamic-import-credentials-helper.sub.js"></script>
+<!--
+The active script at the time of import() is the script elements below, and
+thus the credentials mode of the fetch options of the script elements below
+are used for dynamic import requests.
+-->
+<script>
+runTest(url => import(url),
+  "same", "found", "classic script (crossOrigin not specified)");
+runTest(url => import(url),
+  "cross", "not found", "classic script (crossOrigin not specified)");
 </script>
-<script type="module" crossOrigin="anonymous">
-import("./check-cookie.py?id=sameOriginAnonymousDynamicDescendant&cookieName=same");
+<script crossOrigin="anonymous">
+runTest(url => import(url), "same", "found",
+  "classic script (crossOrigin=anonymous)");
+runTest(url => import(url), "cross", "not found",
+  "classic script (crossOrigin=anonymous)");
 </script>
-<script type="module" crossOrigin="use-credentials">
-import("./check-cookie.py?id=sameOriginUseCredentialsDynamicDescendant&cookieName=same");
+<script crossOrigin="use-credentials">
+runTest(url => import(url),
+  "same", "found", "classic script (crossOrigin=use-credentials)");
+runTest(url => import(url),
+  "cross", "found", "classic script (crossOrigin=use-credentials)");
 </script>
 <script type="module">
-import("http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginNoneDynamicDescendant&cookieName=cross");
+runTest(url => import(url),
+  "same", "found", "module script (crossOrigin not specified)");
+runTest(url => import(url),
+  "cross", "not found", "module script (crossOrigin not specified)");
 </script>
 <script type="module" crossOrigin="anonymous">
-import("http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginAnonymousDynamicDescendant&cookieName=cross");
+runTest(url => import(url), "same", "found",
-</script>
+  "module script (crossOrigin=anonymous)");
-<script type="module" crossOrigin="use-credentials">
+runTest(url => import(url), "cross", "not found",
-import("http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginUseCredentialsDynamicDescendant&cookieName=cross");
+  "module script (crossOrigin=anonymous)");
 </script>
+<script type="module" crossOrigin="use-credentials">
-<script type="text/javascript">
+runTest(url => import(url),
-window.addEventListener('load', event => {
+  "same", "found", "module script (crossOrigin=use-credentials)");
-  window.parent.postMessage({}, '*');
+runTest(url => import(url),
-});
+  "cross", "found", "module script (crossOrigin=use-credentials)");
 </script>
--- a/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/resources/dynamic-import-credentials-setTimeout-iframe.sub.html
+++ b/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-script-element/module/resources/dynamic-import-credentials-setTimeout-iframe.sub.html
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="dynamic-import-credentials-helper.sub.js"></script>
+<!--
+The active script at the time of import() is the classic script created by
+https://html.spec.whatwg.org/multipage/C/#timer-initialisation-steps
+and the active script at the time of setTimeout() is the script elements below,
+thus the credentials mode of the fetch options of the script elements below
+are used for dynamic import requests.
+setTimeout() calls below can't be wrapped (e.g. by step_timeout())
+because wrapping setTimeout() would set active scripts differently.
+-->
+<script>
+runTest(setTimeoutWrapper(x => setTimeout(x, 0)),
+  "same", "found", "setTimeout(string) from classic script (crossOrigin not specified)");
+runTest(setTimeoutWrapper(x => setTimeout(x, 0)),
+  "cross", "not found", "setTimeout(string) from classic script (crossOrigin not specified)");
+</script>
+<script crossOrigin="anonymous">
+runTest(setTimeoutWrapper(x => setTimeout(x, 0)),
+  "same", "found", "setTimeout(string) from classic script (crossOrigin=anonymous)");
+runTest(setTimeoutWrapper(x => setTimeout(x, 0)),
+  "cross", "not found", "setTimeout(string) from classic script (crossOrigin=anonymous)");
+</script>
+<script crossOrigin="use-credentials">
+runTest(setTimeoutWrapper(x => setTimeout(x, 0)),
+  "same", "found", "setTimeout(string) from classic script (crossOrigin=use-credentials)");
+runTest(setTimeoutWrapper(x => setTimeout(x, 0)),
+  "cross", "found", "setTimeout(string) from classic script (crossOrigin=use-credentials)");
+</script>
+<script type="module">
+runTest(setTimeoutWrapper(x => setTimeout(x, 0)),
+  "same", "found", "setTimeout(string) from module script (crossOrigin not specified)");
+runTest(setTimeoutWrapper(x => setTimeout(x, 0)),
+  "cross", "not found", "setTimeout(string) from module script (crossOrigin not specified)");
+</script>
+<script type="module" crossOrigin="anonymous">
+runTest(setTimeoutWrapper(x => setTimeout(x, 0)),
+  "same", "found", "setTimeout(string) from module script (crossOrigin=anonymous)");
+runTest(setTimeoutWrapper(x => setTimeout(x, 0)),
+  "cross", "not found", "setTimeout(string) from module script (crossOrigin=anonymous)");
+</script>
+<script type="module" crossOrigin="use-credentials">
+runTest(setTimeoutWrapper(x => setTimeout(x, 0)),
+  "same", "found", "setTimeout(string) from module script (crossOrigin=use-credentials)");
+runTest(setTimeoutWrapper(x => setTimeout(x, 0)),
+  "cross", "found", "setTimeout(string) from module script (crossOrigin=use-credentials)");
+</script>