beacon-cors.https.window.js

Enable keyboard shortcuts

This WPT test may be referenced by the following Test IDs:
- /beacon/beacon-cors.https.window.html - WPT Dashboard Interop Dashboard

// META: timeout=long

// META: script=/common/get-host-info.sub.js

// META: script=/common/utils.js

// META: script=beacon-common.sub.js

'use strict';

const {HTTPS_ORIGIN, ORIGIN, HTTPS_REMOTE_ORIGIN} = get_host_info();

// As /common/redirect.py is not under our control, let's make sure that

// it doesn't support CORS.

parallelPromiseTest(async (t) => {

  const destination = `${HTTPS_REMOTE_ORIGIN}/common/text-plain.txt` +

      `?pipe=header(access-control-allow-origin,*)`;

  const redirect = `${HTTPS_REMOTE_ORIGIN}/common/redirect.py` +

      `?location=${encodeURIComponent(destination)}`;

  // Fetching `destination` is fine because it supports CORS.

  await fetch(destination);

  // Fetching redirect.py should fail because it doesn't support CORS.

  await promise_rejects_js(t, TypeError, fetch(redirect));

}, '/common/redirect.py does not support CORS');

for (const type of [STRING, ARRAYBUFFER, FORM, BLOB]) {

  parallelPromiseTest(async (t) => {

    const iframe = document.createElement('iframe');

    document.body.appendChild(iframe);

    t.add_cleanup(() => iframe.remove());

    const payload = makePayload(SMALL, type);

    const id = token();

    // As we use "no-cors" for CORS-safelisted requests, the redirect is

    // processed without an error while the request is cross-origin and the

    // redirect handler doesn't support CORS.

    const destination =

        `${HTTPS_REMOTE_ORIGIN}/beacon/resources/beacon.py?cmd=store&id=${id}`;

    const url = `${HTTPS_REMOTE_ORIGIN}/common/redirect.py` +

        `?status=307&location=${encodeURIComponent(destination)}`;

    assert_true(iframe.contentWindow.navigator.sendBeacon(url, payload));

    iframe.remove();

    await waitForResult(id);

  }, `cross-origin, CORS-safelisted: type = ${type}`);

parallelPromiseTest(async (t) => {

  const iframe = document.createElement('iframe');

  document.body.appendChild(iframe);

  t.add_cleanup(() => iframe.remove());

  const payload = makePayload(SMALL, BLOB, 'application/octet-stream');

  const id = token();

  const destination =

      `${HTTPS_REMOTE_ORIGIN}/beacon/resources/beacon.py?cmd=store&id=${id}`;

  const url = `${HTTPS_REMOTE_ORIGIN}/common/redirect.py` +

      `?status=307&location=${encodeURIComponent(destination)}`;

  assert_true(iframe.contentWindow.navigator.sendBeacon(url, payload));

  iframe.remove();

  // The beacon is rejected during redirect handling because /common/redirect.py

  // doesn't support CORS.

  await new Promise((resolve) => step_timeout(resolve, 3000));

  const res = await fetch(`/beacon/resources/beacon.py?cmd=stat&id=${id}`);

  assert_equals((await res.json()).length, 0);

}, `cross-origin, non-CORS-safelisted: failure case (with redirect)`);

parallelPromiseTest(async (t) => {

  const iframe = document.createElement('iframe');

  document.body.appendChild(iframe);

  t.add_cleanup(() => iframe.remove());

  const payload = makePayload(SMALL, BLOB, 'application/octet-stream');

  const id = token();

  const url =

      `${HTTPS_REMOTE_ORIGIN}/beacon/resources/beacon.py?cmd=store&id=${id}`;

  assert_true(iframe.contentWindow.navigator.sendBeacon(url, payload));

  iframe.remove();

  // The beacon is rejected during preflight handling.

  await waitForResult(id, /*expectedError=*/ 'Preflight not expected.');

}, `cross-origin, non-CORS-safelisted: failure case (without redirect)`);

for (const credentials of [false, true]) {

  parallelPromiseTest(async (t) => {

    const iframe = document.createElement('iframe');

    document.body.appendChild(iframe);

    t.add_cleanup(() => iframe.remove());

    const payload = makePayload(SMALL, BLOB, 'application/octet-stream');

    const id = token();

    let url = `${HTTPS_REMOTE_ORIGIN}/beacon/resources/beacon.py` +

        `?cmd=store&id=${id}&preflightExpected&origin=${ORIGIN}`;

    if (credentials) {

      url += `&credentials=true`;

    assert_true(iframe.contentWindow.navigator.sendBeacon(url, payload));

    iframe.remove();

    // We need access-control-allow-credentials in the preflight response. This

    // shows that the request's credentials mode is 'include'.

    if (credentials) {

      const result = await waitForResult(id);

      assert_equals(result.type, 'application/octet-stream');

    } else {

      await new Promise((resolve) => step_timeout(resolve, 3000));

      const res = await fetch(`/beacon/resources/beacon.py?cmd=stat&id=${id}`);

      assert_equals((await res.json()).length, 0);

  }, `cross-origin, non-CORS-safelisted[credentials=${credentials}]`);

parallelPromiseTest(async (t) => {

  const iframe = document.createElement('iframe');

  document.body.appendChild(iframe);

  t.add_cleanup(() => iframe.remove());

  const payload = makePayload(SMALL, BLOB, 'application/octet-stream');

  const id = token();

  const destination = `${HTTPS_REMOTE_ORIGIN}/beacon/resources/beacon.py` +

      `?cmd=store&id=${id}&preflightExpected&origin=${ORIGIN}&credentials=true`;

  const url = `${HTTPS_REMOTE_ORIGIN}/fetch/api/resources/redirect.py` +

      `?redirect_status=307&allow_headers=content-type` +

      `&location=${encodeURIComponent(destination)}`;

  assert_true(iframe.contentWindow.navigator.sendBeacon(url, payload));

  iframe.remove();

  const result = await waitForResult(id);

  assert_equals(result.type, 'application/octet-stream');

}, `cross-origin, non-CORS-safelisted success-case (with redirect)`);