Bug 1456723 [wpt PR 10626] - Process, but do not enforce X-Frame-Options on redirects., a=testonly

Automatic update from web-platform-testsProcess, but do not enforce X-Frame-Options on redirects. In order to make a reasonable decision about the reasonable-sounding feature request in https://crbug.com/835465, this patch starts processing XFO headers on redirect responses in order to collect metrics about how many requests we'd impact by tightening our enforcement. Bug: 835465 Change-Id: Ieb4571aae10e31fb61f1ccc245da5eb5dab791ae Reviewed-on: https://chromium-review.googlesource.com/1023393 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/heads/master@{#553520} -- wpt-commits: 6d7173c4c7f024e537de9257a1b4727368b88006 wpt-pr: 10626
2024-10-24 18:55:30 +00:00 · 2018-05-01 14:35:23 +00:00 · 2018-05-01 14:35:23 +00:00 · 54400b1a60
commit 54400b1a60
parent e73cdff3ee
3 changed files with 42 additions and 0 deletions
--- a/testing/web-platform/meta/MANIFEST.json
+++ b/testing/web-platform/meta/MANIFEST.json
@ -300810,6 +300810,11 @@
     {}
    ]
   ],
+   "x-frame-options/support/redirect.py": [
+    [
+     {}
+    ]
+   ],
   "x-frame-options/support/xfo.py": [
    [
     {}
@ -375117,6 +375122,12 @@
     {}
    ]
   ],
+   "x-frame-options/redirect.sub.html": [
+    [
+     "/x-frame-options/redirect.sub.html",
+     {}
+    ]
+   ],
   "x-frame-options/sameorigin.sub.html": [
    [
     "/x-frame-options/sameorigin.sub.html",
@ -616382,6 +616393,10 @@
   "5c266799477994fe820a244fd6b5b6e7822748a0",
   "testharness"
  ],
+  "x-frame-options/redirect.sub.html": [
+   "df0a1d522288313f4e63e6700a840f9d70622679",
+   "testharness"
+  ],
  "x-frame-options/sameorigin.sub.html": [
   "93498833866f7f7084c08cc22aec78a31ef1721b",
   "testharness"
@ -616394,6 +616409,10 @@
   "8cfd9ef877a813898ea2f5741ffc56ae1c6f95dc",
   "support"
  ],
+  "x-frame-options/support/redirect.py": [
+   "195bea24439940535974f3e7f6cd000e7285c8ea",
+   "support"
+  ],
  "x-frame-options/support/xfo.py": [
   "722b135e1633e63fbfcb06bca4759a9568a84ee8",
   "support"
--- a/testing/web-platform/tests/x-frame-options/redirect.sub.html
+++ b/testing/web-platform/tests/x-frame-options/redirect.sub.html
@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="./support/helper.js"></script>
+<body>
+<script>
+  async_test(t => {
+    var i = document.createElement('iframe');
+    i.src = "./support/redirect.py?value=DENY&url=/x-frame-options/support/xfo.py%3Fvalue%3DALLOWALL";
+
+    wait_for_message_from(i, t)
+      .then(t.step_func_done(e => {
+        assert_equals(e.data, "Loaded");
+        i.remove();
+      }));
+
+    document.body.appendChild(i);
+  }, "XFO on redirect responses is ignored.");
+</script>
--- a/testing/web-platform/tests/x-frame-options/support/redirect.py
+++ b/testing/web-platform/tests/x-frame-options/support/redirect.py
@ -0,0 +1,4 @@
+def main(request, response):
+    response.status = 302
+    response.headers.set("X-Frame-Options", request.GET.first("value"))
+    response.headers.set("Location", request.GET.first("url"))