Add WPT about how CORS behaves in WebBundle subresource loading

It would be better to clarify an expected behavior how CORS behaves for
WebBundle subresource loading in the current implementation.

Note that
- The expected behavior is a tentative decision, which might
  change in the future. The spec side issue is
  https://github.com/WICG/webpackage/issues/609.
- A |crossorigin| attribute is not supported yet.

BUG=1149816

Change-Id: Ic104ec039a07f864b6a60452ff42f2ec09a03c2c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2617167Reviewed-by: Kunihiko Sakamoto <ksakamoto@chromium.org>
Commit-Queue: Hayato Ito <hayato@chromium.org>
Cr-Commit-Position: refs/heads/master@{#842863}

third_party/blink/web_tests/external/wpt/lint.ignore

@@ -708,6 +708,7 @@ WEB-PLATFORM.TEST:signed-exchange/appcache/resources/*.sxg
 WEB-PLATFORM.TEST:signed-exchange/resources/generate-test-sxgs.sh
 
 # Web Bundle files have hard-coded URLs
+WEB-PLATFORM.TEST:web-bundle/resources/*.har
 WEB-PLATFORM.TEST:web-bundle/resources/generate-test-wbns.sh
 WEB-PLATFORM.TEST:web-bundle/resources/nested/*.wbn
 WEB-PLATFORM.TEST:web-bundle/resources/wbn/*.wbn

third_party/blink/web_tests/external/wpt/web-bundle/resources/cross-origin.har

+{
+  "log": {
+    "entries": [
+      {
+        "request": {
+          "method": "GET",
+          "url": "https://web-platform.test:8444/web-bundle/resources/wbn/cors/resource.cors.json",
+          "headers": []
+        },
+        "response": {
+          "status": 200,
+          "headers": [
+            {
+              "name": "Content-type",
+              "value": "application/json"
+            },
+            {
+              "name": "Access-Control-Allow-Origin",
+              "value": "*"
+            }
+          ],
+          "content": {
+            "text": "{ cors: 1 }"
+          }
+        }
+      },
+      {
+        "request": {
+          "method": "GET",
+          "url": "https://web-platform.test:8444/web-bundle/resources/wbn/cors/resource.no-cors.json",
+          "headers": []
+        },
+        "response": {
+          "status": 200,
+          "headers": [
+            {
+              "name": "Content-type",
+              "value": "application/json"
+            }
+          ],
+          "content": {
+            "text": "{ no_cors: 1}"
+          }
+        }
+      }
+    ]
+  }
+}

third_party/blink/web_tests/external/wpt/web-bundle/resources/generate-test-wbns.sh

@@ -70,3 +70,9 @@ gen-bundle \
   -har urn-uuid.har \
   -primaryURL urn:uuid:020111b3-437a-4c5c-ae07-adb6bbffb720 \
   -o wbn/urn-uuid.wbn
+
+gen-bundle \
+  -version b1 \
+  -har cross-origin.har \
+  -primaryURL $wpt_test_https_origin/web-bundle/resources/wbn/cors/resource.json \
+  -o wbn/cors/cross-origin.wbn

third_party/blink/web_tests/external/wpt/web-bundle/resources/wbn/cors/__dir__.headers

+Content-Type: application/webbundle
+Access-Control-Allow-Origin: *

third_party/blink/web_tests/external/wpt/web-bundle/subresource-loading/subresource-loading-cross-origin.tentative.html

+<!DOCTYPE html>
+<title>Cross-origin WebBundle subresource loading</title>
+<link
+  rel="help"
+  href="https://github.com/WICG/webpackage/blob/master/explainers/subresource-loading.md"
+/>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+  <!--
+       This wpt should run on an origin which is different than https://web-platform.test:8444/,
+       from where cross-orign WebBundles are served.
+
+       This test uses the two cross-origin WebBundles:
+
+       1. https://web-platform.test:8444/web-bundle/resources/wbn/cors/cross-origin.wbn,
+          which is served with an Access-Control-Allow-Origin response header.
+       2. http://web-platform.test:8444/web-bundle/resources/wbn/subreource.wbn,
+          which is served *without* an Access-Control-Allow-Origin response header.
+
+      `cross-origin.wbn` includes two subresources:
+       a. `resource.cors.json`, which includes an Access-Control-Allow-Origin response header.
+       b. `resource.no-cors.json`, which doesn't include an Access-Control-Allow-Origin response header.
+  -->
+  <link
+    rel="webbundle"
+    href="https://web-platform.test:8444/web-bundle/resources/wbn/cors/cross-origin.wbn"
+    resources="https://web-platform.test:8444/web-bundle/resources/wbn/cors/resource.cors.json
+         https://web-platform.test:8444/web-bundle/resources/wbn/cors/resource.no-cors.json"
+  />
+  <script>
+    promise_test(async () => {
+      const response = await fetch(
+        "https://web-platform.test:8444/web-bundle/resources/wbn/cors/resource.cors.json"
+      );
+      assert_true(response.ok);
+    }, "A subresource which includes an Access-Control-Allow-Origin response header can be fetched");
+
+    promise_test(async (t) => {
+      return promise_rejects_js(
+        t,
+        TypeError,
+        fetch(
+          "https://web-platform.test:8444/web-bundle/resources/wbn/cors/resource.no-cors.json"
+        )
+      );
+    }, "A subresource which does not include an Access-Control-Allow-Origin response header can not be fetched");
+
+    promise_test(async () => {
+      return addLinkAndWaitForError(
+        "http://web-platform.test:8444/web-bundle/resources/wbn/subreource.wbn"
+      );
+    }, "A cross-origin WebBundle which does not include an Access-Control-Allow-Origin response header should fire an error event on load");
+
+    function addLinkAndWaitForError(url) {
+      return new Promise((resolve, reject) => {
+        const link = document.createElement("link");
+        link.rel = "webbundle";
+        link.href = url;
+        link.onload = reject;
+        link.onerror = () => resolve(link);
+        document.body.appendChild(link);
+      });
+    }
+  </script>
+</body>