File: SO-XO-SO-redirect-chain-tao.https.html

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>This test validates resource timing information for a same-origin=>cross-origin=>same-origin redirect chain without Timing-Allow-Origin.</title>
<link rel="help" href="https://www.w3.org/TR/resource-timing-2/#sec-cross-origin-resources">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<script src="resources/resource-loaders.js"></script>
<script src="resources/entry-invariants.js"></script>
</head>
<body>
<script>
// Resource Timing entries for a fetch that crossed an origin boundary must
// not reveal detailed timing unless the responses opt in through
// `Timing-Allow-Origin` (TAO); otherwise the embedding page could measure a
// cross-origin server's behaviour. Each case below sends one request through
// resources/multi_redirect.py and checks the resulting entry with a helper
// from resources/entry-invariants.js.
//
// NOTE(review): the query parameters are interpreted by multi_redirect.py,
// which is not part of this file. Going by the comments and labels here,
// `tao_steps` presumably selects how many responses in the chain carry a TAO
// header and `tao_value` the header's value -- confirm against that script.
const {HTTPS_REMOTE_ORIGIN} = get_host_info();
const SAME_ORIGIN = location.origin;

// Chain 1: same-origin => cross-origin => same-origin => same-origin.
let destUrl = [
  `${SAME_ORIGIN}/resource-timing/resources/multi_redirect.py?`,
  `page_origin=${SAME_ORIGIN}`,
  `&cross_origin=${HTTPS_REMOTE_ORIGIN}`,
  `&final_resource=/resource-timing/resources/blank_page_green.htm`,
].join("");

// Case 1: no response in the chain sends TAO, so the timings stay hidden.
attribute_test(
  load.iframe, destUrl,
  invariants.assert_cross_origin_redirected_resource,
  "Verify that cross origin resources' timings are not exposed when " +
  "same-origin=>cross-origin=>same-origin redirects have no " +
  "`Timing-Allow-Origin:` headers.");

// Case 2: only part of the chain sends TAO. A partial opt-in must be treated
// like no opt-in, hence the same "not exposed" invariant as case 1.
destUrl = `${destUrl}&tao_steps=2`;
attribute_test(
  load.iframe, destUrl,
  invariants.assert_cross_origin_redirected_resource,
  "Verify that cross origin resources' timings are not exposed when " +
  "same-origin=>cross-origin=>same-origin redirects have " +
  "`Timing-Allow-Origin:` headers only on some of the responses.");

// Chain 2: cross-origin => cross-origin => same-origin => same-origin.
// The request now starts on the remote origin and is loaded as an image.
destUrl = [
  `${HTTPS_REMOTE_ORIGIN}/resource-timing/resources/multi_redirect.py?`,
  `page_origin=${SAME_ORIGIN}`,
  `&cross_origin=${HTTPS_REMOTE_ORIGIN}`,
  `&final_resource=/resource-timing/resources/blue-with-tao.png`,
  `&tao_steps=3`,
].join("");

// Case 3: every response in the chain sends `TAO: *`, the only case here in
// which the detailed timings are expected to be visible.
attribute_test(
  load.image, destUrl,
  invariants.assert_tao_enabled_cross_origin_redirected_resource,
  "Verify that cross origin resources' timings are exposed when cross-origin " +
  "redirects have `Timing-Allow-Origin: *` headers");

// Case 4: TAO names this page's origin instead of `*`; the timings are still
// expected to stay hidden. NOTE(review): presumably because the request's
// origin no longer counts as this page's origin once the chain has crossed
// origins, so only `*` can match -- confirm against the Fetch TAO check.
// The label below says same-origin=>cross-origin=>same-origin although this
// chain starts on HTTPS_REMOTE_ORIGIN; the text is left as is because it is
// the subtest's name.
destUrl = `${destUrl}&tao_value=${SAME_ORIGIN}`;
attribute_test(
  load.image, destUrl,
  invariants.assert_cross_origin_redirected_resource,
  "Verify that cross origin resources' timings are not exposed when " +
  "same-origin=>cross-origin=>same-origin redirects have " +
  "`Timing-Allow-Origin:` headers with a specific origin.");
</script>
</body>
</html>