[CORS-RFC1918] Adding WPT tests for fetch in insecure contexts.

Adds tests verifying that fetch takes into account the CORS-RFC1918
restrictions regarding secure contexts.

These tests are ran with the CORS-RFC1918 flag as a virtual suite
because the flag currently breaks other non related tests due to
inheritance rules not being implemented.

Bug: 1138907
Change-Id: I0b5241c0ed13b4b6247310f19fdd0889351ee54b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2517593
Commit-Queue: Arthur Hemery <ahemery@chromium.org>
Reviewed-by: Titouan Rigoudy <titouan@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#833313}

third_party/blink/web_tests/VirtualTestSuites

@@ -316,8 +316,11 @@
   },
   {
     "prefix": "cors-rfc1918",
-    "bases": ["http/tests/security/cors-rfc1918"],
-    "args": ["--enable-blink-features=CorsRFC1918"]
+    "bases": ["http/tests/security/cors-rfc1918",
+              "external/wpt/cors-rfc1918",
+              "external/wpt/fetch/cors-rfc1918"],
+    "args": ["--enable-blink-features=CorsRFC1918",
+             "--enable-features=BlockInsecurePrivateNetworkRequests"]
   },
   {
     "prefix": "single-renderer-process",

third_party/blink/web_tests/external/wpt/fetch/cors-rfc1918/non-secure-context.window-expected.txt

+This is a testharness.js-based test.
+PASS Local non secure page fetches local page.
+FAIL Public non secure page fetches local page. assert_equals: expected "failure" but got "success"
+Harness: the test ran to completion.
+

third_party/blink/web_tests/external/wpt/fetch/cors-rfc1918/non-secure-context.window.js

+// META: script=resources/support.js
+//
+// Spec: https://wicg.github.io/cors-rfc1918/#integration-fetch
+//
+// This file covers only those tests that must execute in a non secure context.
+// Other tests are defined in: secure-context.window.js
+
+setup(() => {
+  // Making sure we are in a non secure context, as expected.
+  assert_false(window.isSecureContext);
+});
+
+promise_test(async t => {
+  return fetch("/common/blank.html")
+      .catch(reason => {unreached_func(reason)});
+}, "Local non secure page fetches local page.");
+
+// For the following tests, we go through an iframe, because it is not possible
+// to directly import the test harness from a secured public page.
+promise_test(async t => {
+  let iframe = await appendIframe(t, document,
+      "resources/treat-as-public-address.html");
+  let reply = futureMessage();
+  iframe.contentWindow.postMessage("/common/blank.html", "*");
+  assert_equals(await reply, "failure");
+}, "Public non secure page fetches local page.");
+
+// TODO(https://github.com/web-platform-tests/wpt/issues/26166):
+// Add tests for public variations when we are able to fetch resources using a
+// mechanism compatible with WPT guidelines regarding being self-contained.
+

third_party/blink/web_tests/external/wpt/fetch/cors-rfc1918/resources/support.js

+// Creates a new iframe in |doc|, calls |func| on it and appends it as a child
+// of |doc|.
+// Returns a promise that resolves to the iframe once loaded (successfully or
+// not).
+// The iframe is removed from |doc| once test |t| is done running.
+//
+// NOTE: Because iframe elements always invoke the onload event handler, even
+// in case of error, we cannot wire onerror to a promise rejection. The Promise
+// constructor requires users to resolve XOR reject the promise.
+function appendIframeWith(t, doc, func) {
+  return new Promise(resolve => {
+      const child = doc.createElement("iframe");
+      func(child);
+      child.onload = () => { resolve(child); };
+      doc.body.appendChild(child);
+      t.add_cleanup(() => { doc.body.removeChild(child); });
+    });
+}
+
+// Appends a child iframe to |doc| sourced from |src|.
+//
+// See append_child_frame_with() for more details.
+function appendIframe(t, doc, src) {
+  return appendIframeWith(t, doc, child => { child.src = src; });
+}
+
+// Register an event listener that will resolve this promise when this
+// window receives a message posted to it.
+function futureMessage() {
+  return new Promise(resolve => {
+      window.addEventListener("message", e => resolve(e.data));
+  });
+};
+

third_party/blink/web_tests/external/wpt/fetch/cors-rfc1918/resources/treat-as-public-address.html

+<script>
+  window.addEventListener("message", function (event) {
+    fetch(event.data)
+        .then(response => {parent.postMessage("success", "*")})
+        .catch(error => {parent.postMessage("failure", "*")});
+  });
+</script>
+

third_party/blink/web_tests/external/wpt/fetch/cors-rfc1918/resources/treat-as-public-address.html.headers

+Content-Security-Policy: treat-as-public-address;

third_party/blink/web_tests/external/wpt/fetch/cors-rfc1918/resources/treat-as-public-address.https.html

+<script>
+  window.addEventListener("message", function (event) {
+    fetch(event.data)
+        .then(response => {parent.postMessage("success", "*")})
+        .catch(error => {parent.postMessage("failure", "*")});
+  });
+</script>
+

third_party/blink/web_tests/external/wpt/fetch/cors-rfc1918/resources/treat-as-public-address.https.html.headers

+Content-Security-Policy: treat-as-public-address;

third_party/blink/web_tests/external/wpt/fetch/cors-rfc1918/secure-context.https.window.js

+// META: script=resources/support.js
+//
+// Spec: https://wicg.github.io/cors-rfc1918/#integration-fetch
+//
+// This file covers only those tests that must execute in a secure context.
+// Other tests are defined in: non-secure-context.window.js
+
+setup(() => {
+  // Making sure we are in a secure context, as expected.
+  assert_true(window.isSecureContext);
+});
+
+promise_test(async t => {
+  return fetch("/common/blank.html")
+      .catch(reason => {unreached_func(reason)});
+}, "Local secure page fetches local page.");
+
+// For the following tests, we go through an iframe, because it is not possible
+// to directly import the test harness from a secured public page.
+promise_test(async t => {
+  let iframe = await appendIframe(t, document,
+      "resources/treat-as-public-address.https.html");
+  let reply = futureMessage();
+  iframe.contentWindow.postMessage("/common/blank.html", "*");
+  assert_equals(await reply, "success");
+}, "Public secure page fetches local page.");
+
+// TODO(https://github.com/web-platform-tests/wpt/issues/26166):
+// Add tests for public variations when we are able to fetch resources using a
+// mechanism compatible with WPT guidelines regarding being self-contained.
+

third_party/blink/web_tests/virtual/cors-rfc1918/README.md

+This directory is for testing the CORS-RFC1918 implementation.
+

third_party/blink/web_tests/virtual/cors-rfc1918/external/wpt/cors-rfc1918/README.md

+This directory is for testing the CORS-RFC1918 implementation.

third_party/blink/web_tests/virtual/cors-rfc1918/external/wpt/fetch/cors-rfc1918/non-secure-context.window-expected.txt

+This is a testharness.js-based test.
+PASS Local non secure page fetches local page.
+PASS Public non secure page fetches local page.
+Harness: the test ran to completion.
+

third_party/blink/web_tests/virtual/cors-rfc1918/http/tests/security/cors-rfc1918/README.txt

-This directory is for testing the Blink-side CORS-RFC1918 implementation.