Add a test to check "Sec-Fetch-Dest: webbundle" header is present

A request for a bundle should have a "Sec-Fetch-Dest: webbundle" request header with the <link>-based API. This CL adds a test to make sure that the current implementation is correctly sending the header. The PR for the explainer is WICG/webpackage#626. BUG=1149816, 1168449 Change-Id: I2bc85be77d45044e9362dd5b998a92743e93eaa5 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2706327 Reviewed-by: Kunihiko Sakamoto <ksakamoto@chromium.org> Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Commit-Queue: Hayato Ito <hayato@chromium.org> Cr-Commit-Position: refs/heads/master@{#856164}
blueboxd · Feb 22, 2021 · b855816 · b855816
1 parent df22d1f
commit b855816
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 0 deletions.
diff --git a/..._tests/external/wpt/web-bundle/resources/check-sec-fetch-dest-header-and-return-bundle.py b/..._tests/external/wpt/web-bundle/resources/check-sec-fetch-dest-header-and-return-bundle.py
@@ -0,0 +1,21 @@
+import os
+
+
+def main(request, response):
+    origin = request.headers.get(b"origin")
+    if origin is not None:
+        response.headers.set(b"Access-Control-Allow-Origin", origin)
+
+    headers = [
+        (b"Content-Type", b"application/webbundle"),
+        (b"X-Content-Type-Options", b"nosniff"),
+    ]
+
+    if request.headers.get(b"sec-fetch-dest", None) == b"webbundle":
+        with open(
+            os.path.join(os.path.dirname(__file__), "./wbn/subresource.wbn"),
+            "rb",
+        ) as f:
+            return (200, headers, f.read())
+    else:
+        return (400, [], "")
diff --git a/...ndle/subresource-loading/subresource-loading-request-destination.https.tentative.sub.html b/...ndle/subresource-loading/subresource-loading-request-destination.https.tentative.sub.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<title>Request's destination must be "webbundle" with the link-based API</title>
+<link
+  rel="help"
+  href="https://github.com/WICG/webpackage/blob/master/explainers/subresource-loading.md"
+/>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/test-helpers.js"></script>
+<body>
+  <script>
+    // check-sec-fetch-dest-header-and-return-bundle.py returns a valid format
+    // bundle only if a "Sec-Fetch-Dest: webbundle" header is present in a request.
+    // Otherwise, returns an empty body with 400 status code.
+    //
+    // In this wpt, we assume that a <link> element fires a load event correctly if
+    // a valid format webbundle is returned.
+
+    const same_origin_bundle =
+      "../resources/check-sec-fetch-dest-header-and-return-bundle.py";
+    const cross_origin_bundle =
+      "https://{{domains[www1]}}:{{ports[https][0]}}/web-bundle/resources/check-sec-fetch-dest-header-and-return-bundle.py";
+
+    promise_test(async () => {
+      for (const bundle of [same_origin_bundle, cross_origin_bundle]) {
+        const link = document.createElement("link");
+        link.rel = "webbundle";
+        link.href = bundle;
+        await addElementAndWaitForLoad(link);
+        link.remove();
+      }
+    }, '"Sec-Fetch-Dest: webbundle" header must be present in a request for a bundle with the <link>-based API.');
+
+    promise_test(async () => {
+      const res = await fetch(same_origin_bundle);
+      assert_false(res.ok);
+    }, '"Sec-Fetch-Dest: webbundle" header must not be present in a fetch request for a same-origin resource.');
+
+    promise_test(async () => {
+      const res = await fetch(cross_origin_bundle);
+      assert_false(res.ok);
+    }, '"Sec-Fetch-Dest: webbundle" header must not be present in a fetch request for a cross-origin resource.');
+  </script>
+</body>