1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
|
<!DOCTYPE html>
<html>
<head>
<title>Modulepreload Inline Referrer Policy Tests</title>
<meta name="author" title="Google" href="https://www.google.com/">
<link rel="help" href="https://html.spec.whatwg.org/multipage/links.html#link-type-modulepreload">
<link rel="help" href="https://w3c.github.io/webappsec-referrer-policy/">
<meta name="assert" content="link rel=modulepreload respects the referrerpolicy attribute on inline elements">
<!--
This test verifies that inline modulepreload elements (statically declared in HTML)
correctly handle referrer policies. It tests:
1. Default behavior (no referrerpolicy attribute) - should use origin or full URL depending on implementation
2. origin referrerpolicy - should use only origin
3. no-referrer referrerpolicy - should not send referrer
4. Document-level referrer policy (via meta tag) - should be respected
Unlike the other modulepreload referrer tests that create elements dynamically,
this test uses inline link elements in the HTML.
-->
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>
// Initialize the window.referrers object that will be used by echo-referrer.py
window.referrers = {};
// Create unique IDs for each test
const noReferrerPolicyId = Date.now();
const originPolicyId = Date.now() + 1;
const noReferrerId = Date.now() + 2;
const originId = Date.now() + 3;
</script>
<!-- Test with no referrerpolicy attribute (should use document default) -->
<link rel="modulepreload" href="/preload/resources/echo-referrer.py?uid=NOPOLICY_ID">
<!-- Test with origin referrerpolicy attribute -->
<link rel="modulepreload" href="/preload/resources/echo-referrer.py?uid=ORIGIN_ID" referrerpolicy="origin">
<!-- Test with no-referrer referrerpolicy attribute -->
<link rel="modulepreload" href="/preload/resources/echo-referrer.py?uid=NOREFERRER_ID" referrerpolicy="no-referrer">
<!-- For document policy test, add meta tag for origin referrer policy -->
<meta name="referrer" content="origin">
<link rel="modulepreload" href="/preload/resources/echo-referrer.py?uid=DOC_POLICY_ID">
<script>
// Replace placeholder IDs with actual IDs in the HTML
document.documentElement.innerHTML = document.documentElement.innerHTML
.replace('NOPOLICY_ID', noReferrerPolicyId)
.replace('ORIGIN_ID', originPolicyId)
.replace('NOREFERRER_ID', noReferrerId)
.replace('DOC_POLICY_ID', originId);
</script>
</head>
<body>
<script>
// Ensure modules are loaded by importing them
promise_test(async t => {
await Promise.all([
import(`/preload/resources/echo-referrer.py?uid=${noReferrerPolicyId}`),
import(`/preload/resources/echo-referrer.py?uid=${originPolicyId}`),
import(`/preload/resources/echo-referrer.py?uid=${noReferrerId}`),
import(`/preload/resources/echo-referrer.py?uid=${originId}`)
]);
// Test that module with no specified referrerpolicy
// Note: Some implementations may send only origin for inline modulepreload requests
const expectedDefault = location.origin + "/";
assert_equals(window.referrers[noReferrerPolicyId], expectedDefault,
"Modulepreload with no referrerpolicy should use expected referrer");
// Test that module with origin referrerpolicy sends only origin
assert_equals(window.referrers[originPolicyId], location.origin + "/",
"Modulepreload with origin referrerpolicy should send origin only");
// Test that module with no-referrer policy sends no referrer
assert_equals(window.referrers[noReferrerId], "",
"Modulepreload with no-referrer referrerpolicy should not send referrer");
// Test that module with no policy but document policy uses document policy
assert_equals(window.referrers[originId], location.origin + "/",
"Modulepreload with no referrerpolicy should use document's policy");
}, "Inline modulepreload elements should respect the referrerpolicy attribute");
</script>
</body>
</html>
|
