Test the Origin header

domenic · domenic · commit 8eacbf5ae3a6 · 2021-04-02T18:14:04.000-04:00
diff --git a/fetch/origin/multi-globals.https.sub.html b/fetch/origin/multi-globals.https.sub.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Multi-globals: which one is the initiator?</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<body>
+<script>
+"use strict";
+document.domain = "{{hosts[][]}}";
+
+promise_test(async t => {
+  const iframe = await insertIframe(t);
+
+  // https://github.com/whatwg/html/issues/6514
+  // What gets set as the request's origin? The "incumbent" (this page)
+  // or the page containing the <form> (on the www subdomain)?
+  //
+  // The spec currently fails to pass a source browsing context for form navigation
+  // (https://html.spec.whatwg.org/#plan-to-navigate step 4.2), and the navigate + Fetch spec ultimately
+  // derive the request's origin from the source browsing context. So who knows.
+
+  iframe.contentDocument.querySelector("form").submit();
+
+  const data = await waitForMessage();
+  assert_equals(data, "https://{{hosts[][]}}:{{ports[https][0]}}");
+}, "Using location.href");
+
+function insertIframe(t) {
+  return new Promise((resolve, reject) => {
+    const iframe = document.createElement("iframe");
+    iframe.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/origin/resources/multi-globals-subframe-1.sub.html";
+    iframe.onload = () => resolve(iframe);
+    iframe.onerror = () => reject(new Error("Failed to load iframe"));
+
+    t.add_cleanup(() => iframe.remove());
+
+    document.body.append(iframe);
+  });
+}
+
+function waitForMessage() {
+  return new Promise(resolve => {
+    window.addEventListener("message", e => {
+      resolve(e.data);
+    }, { once: true });
+  });
+}
+</script>
diff --git a/fetch/origin/resources/multi-globals-post-origin-header.py b/fetch/origin/resources/multi-globals-post-origin-header.py
@@ -0,0 +1,23 @@
+import json
+
+from wptserve.utils import isomorphic_decode
+
+def main(request, response):
+    headers = [
+        (b"Content-Type", b"text/html"),
+        (b"Cache-Control", b"no-cache, no-store, must-revalidate")
+    ]
+    origin = request.headers.get(b"Origin", b"")
+
+    body = u"""
+        <!DOCTYPE html>
+        <meta charset="utf-8">
+        <title>Destination</title>
+        <h1>Destination</h1>
+        <script>
+        "use strict";
+        window.top.postMessage("%s", "*");
+        </script>
+        """ % isomorphic_decode(origin)
+
+    return headers, body
diff --git a/fetch/origin/resources/multi-globals-subframe-1.sub.html b/fetch/origin/resources/multi-globals-subframe-1.sub.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Multi-globals test outer subframe</title>
+
+<script>
+"use strict";
+document.domain = "{{hosts[][]}}";
+</script>
+
+<form target="frame" method="POST" action="multi-globals-post-origin-header.py"></form>
+
+<iframe name="frame"></iframe>
