1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
|
<!DOCTYPE html>
<html>
<head>
<title>Modulepreload Referrer Policy Tests</title>
<meta name="author" title="Google" href="https://www.google.com/">
<link rel="help" href="https://html.spec.whatwg.org/multipage/links.html#link-type-modulepreload">
<link rel="help" href="https://w3c.github.io/webappsec-referrer-policy/">
<meta name="assert" content="link rel=modulepreload respects the referrerpolicy attribute">
<!--
This test verifies that modulepreload correctly handles various referrer policies
for same-origin requests. It tests all standard referrer policy values:
- no-referrer
- origin
- same-origin
- strict-origin
- strict-origin-when-cross-origin
- unsafe-url
Each policy is tested by creating a modulepreload link dynamically with the
specific policy and verifying the referrer header that was sent.
-->
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>
// Initialize the window.referrers object that will be used by echo-referrer.py
window.referrers = {};
</script>
</head>
<body>
<script>
// Helper function to create a unique ID for each test
function generateUniqueId() {
return Date.now() + Math.floor(Math.random() * 1000);
}
// Helper function to create a modulepreload element with a given referrer policy
function createModulePreload(url, referrerPolicy = null) {
const link = document.createElement('link');
link.rel = 'modulepreload';
link.href = url;
if (referrerPolicy !== null) {
link.referrerPolicy = referrerPolicy;
}
return link;
}
// Helper function to wait for preload completion
function waitForPreload(link) {
return new Promise((resolve, reject) => {
link.onload = resolve;
link.onerror = () => reject(new Error("Modulepreload failed to load"));
});
}
// Test default referrer policy behavior
promise_test(async t => {
const uid = generateUniqueId();
const url = `/preload/resources/echo-referrer.py?uid=${uid}`;
// First import to establish baseline
await import(url);
// Create modulepreload
const link = createModulePreload(url);
const preloadComplete = waitForPreload(link);
document.head.appendChild(link);
await preloadComplete;
// Import again to ensure the module is loaded
await import(url);
// Check if referrer was sent
assert_equals(window.referrers[uid], location.href, "Modulepreload should use default referrer policy");
}, "Modulepreload should use default referrer policy");
// Test explicit no-referrer policy
promise_test(async t => {
const uid = generateUniqueId();
const url = `/preload/resources/echo-referrer.py?uid=${uid}`;
// Create modulepreload with no-referrer policy
const link = createModulePreload(url, 'no-referrer');
const preloadComplete = waitForPreload(link);
document.head.appendChild(link);
await preloadComplete;
// Import again to ensure the module is loaded
await import(url);
// Check if referrer was NOT sent
assert_equals(window.referrers[uid], "", "Modulepreload with no-referrer policy should not send referrer");
}, "Modulepreload with no-referrer policy should not send referrer");
// Test origin referrer policy
promise_test(async t => {
const uid = generateUniqueId();
const url = `/preload/resources/echo-referrer.py?uid=${uid}`;
// Create modulepreload with origin policy
const link = createModulePreload(url, 'origin');
const preloadComplete = waitForPreload(link);
document.head.appendChild(link);
await preloadComplete;
// Import again to ensure the module is loaded
await import(url);
// Check if origin-only referrer was sent
assert_equals(window.referrers[uid], location.origin + "/", "Modulepreload with origin policy should send origin-only referrer");
}, "Modulepreload with origin policy should send origin-only referrer");
// Test same-origin referrer policy
promise_test(async t => {
const uid = generateUniqueId();
const url = `/preload/resources/echo-referrer.py?uid=${uid}`;
// Create modulepreload with same-origin policy
const link = createModulePreload(url, 'same-origin');
const preloadComplete = waitForPreload(link);
document.head.appendChild(link);
await preloadComplete;
// Import again to ensure the module is loaded
await import(url);
// Check if full referrer was sent (for same-origin requests)
assert_equals(window.referrers[uid], location.href, "Modulepreload with same-origin policy should send full referrer for same-origin requests");
}, "Modulepreload with same-origin policy should send full referrer for same-origin requests");
// Test strict-origin referrer policy
promise_test(async t => {
const uid = generateUniqueId();
const url = `/preload/resources/echo-referrer.py?uid=${uid}`;
// Create modulepreload with strict-origin policy
const link = createModulePreload(url, 'strict-origin');
const preloadComplete = waitForPreload(link);
document.head.appendChild(link);
await preloadComplete;
// Import again to ensure the module is loaded
await import(url);
// Check if origin-only referrer was sent
assert_equals(window.referrers[uid], location.origin + "/", "Modulepreload with strict-origin policy should send origin-only referrer");
}, "Modulepreload with strict-origin policy should send origin-only referrer");
// Test strict-origin-when-cross-origin referrer policy
promise_test(async t => {
const uid = generateUniqueId();
const url = `/preload/resources/echo-referrer.py?uid=${uid}`;
// Create modulepreload with strict-origin-when-cross-origin policy
const link = createModulePreload(url, 'strict-origin-when-cross-origin');
const preloadComplete = waitForPreload(link);
document.head.appendChild(link);
await preloadComplete;
// Import again to ensure the module is loaded
await import(url);
// For same-origin requests, full URL should be sent
assert_equals(window.referrers[uid], location.href, "Modulepreload with strict-origin-when-cross-origin policy should send full referrer for same-origin requests");
}, "Modulepreload with strict-origin-when-cross-origin policy should send full referrer for same-origin requests");
// Test unsafe-url referrer policy
promise_test(async t => {
const uid = generateUniqueId();
const url = `/preload/resources/echo-referrer.py?uid=${uid}`;
// Create modulepreload with unsafe-url policy
const link = createModulePreload(url, 'unsafe-url');
const preloadComplete = waitForPreload(link);
document.head.appendChild(link);
await preloadComplete;
// Import again to ensure the module is loaded
await import(url);
// Check if full referrer was sent
assert_equals(window.referrers[uid], location.href, "Modulepreload with unsafe-url policy should send full referrer");
}, "Modulepreload with unsafe-url policy should send full referrer");
</script>
</body>
</html>
|
