tubestation/testing/web-platform/tests/client-hints/accept-ch-no-feature-policy-navigation.https.html
Yoav Weiss a34937366e Bug 1638165 [wpt PR 23620] - [ua-ch] Apply FP to UA and UA-Mobile, a=testonly
Automatic update from web-platform-tests
[ua-ch] Apply FP to UA and UA-Mobile

Currently FeaturePolicy isn't applied to hints that are sent by default:
Sec-CH-UA and Sec-CH-UA-Mobile.
That's wrong, as it doesn't allow sites to e.g. block those headers on
their own origin or on third-party origins.
This CL fixes that.

Bug: 1082252
Change-Id: Ia924b5539fb78fa664d90e7fdc8c7e79f19c657d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2203057
Commit-Queue: Yoav Weiss <yoavweiss@chromium.org>
Reviewed-by: Aaron Tagliaboschi <aarontag@chromium.org>
Cr-Commit-Position: refs/heads/master@{#769088}

--

wpt-commits: f9d12a5f8f0e7b0fbe067f01e6d71fd60bbe285d
wpt-pr: 23620
2020-05-25 14:32:55 +00:00

25 lines
753 B
HTML

<html>
<body>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<script src="resources/feature-policy-navigation.js"></script>
<script>
(async () => {
  await test_frame(
    "HTTPS_REMOTE_ORIGIN",
    "device-memory=false&dpr=false&viewport-width=false&sec-ch-ua=true&sec-ch-ua-mobile=true",
    "",
    "Client hints not loaded on cross-origin iframe request with no feature policy.");
  await test_frame(
    "HTTPS_ORIGIN",
    "device-memory=true&dpr=true&viewport-width=true&sec-ch-ua=true&sec-ch-ua-mobile=true",
    "",
    "Client hints loaded on same-origin iframe request with no feature policy.");
})();
</script>
</body>
</html>
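The following is an added example, not part of the WPT file or the Chromium change: a small model that derives the expectation strings used in the test above from an iframe `allow` attribute, going beyond the test's empty-policy case to show how a site could block the UA hints on a frame. The `ch-*` feature names, the default allowlists (inferred from the test's expected values), the function names and the origins are assumptions; it also assumes the embedding page has opted in to the non-default hints and is itself allowed every feature.

```javascript
// Added model (not WPT or Chromium code) of the expectations in the test above.
// Assumed: [hint name, policy feature name, default allowlist]; the defaults are
// inferred from the test (UA hints go cross-origin by default, the others do not).
const HINTS = [
  ["device-memory", "ch-device-memory", "'self'"],
  ["dpr", "ch-dpr", "'self'"],
  ["viewport-width", "ch-viewport-width", "'self'"],
  ["sec-ch-ua", "ch-ua", "*"],
  ["sec-ch-ua-mobile", "ch-ua-mobile", "*"],
];

// Parse an iframe allow attribute, e.g. "ch-dpr *; ch-ua 'none'",
// into a Map of feature name -> allowlist tokens.
function parseAllow(allowAttr) {
  const policy = new Map();
  for (const directive of allowAttr.split(";")) {
    const [feature, ...tokens] = directive.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    // In an allow attribute, a feature named without an allowlist means 'src'.
    policy.set(feature.toLowerCase(), tokens.length ? tokens : ["'src'"]);
  }
  return policy;
}

// Does the allowlist cover the frame loading its src URL at frameOrigin?
function allowlistMatches(tokens, parentOrigin, frameOrigin) {
  return tokens.some((t) =>
    t === "*" ||
    t === "'src'" ||
    (t === "'self'" && frameOrigin === parentOrigin) ||
    t === frameOrigin); // explicit origin; 'none' matches nothing
}

// Build the expectation string in the format the test passes to test_frame().
function expectedHints(parentOrigin, frameOrigin, allowAttr) {
  const policy = parseAllow(allowAttr);
  return HINTS.map(([hint, feature, defaultAllow]) => {
    const tokens = policy.get(feature) || [defaultAllow];
    return `${hint}=${allowlistMatches(tokens, parentOrigin, frameOrigin)}`;
  }).join("&");
}

// Constructed origins for illustration only.
const PARENT = "https://parent.example";
const REMOTE = "https://remote.example";
console.log(expectedHints(PARENT, REMOTE, "ch-ua 'none'; ch-ua-mobile 'none'"));
```

With an empty `allow` attribute the model reproduces both expectation strings in the test; with `ch-ua 'none'; ch-ua-mobile 'none'` it reports the two UA hints as withheld from the cross-origin frame, which is the control the commit message says was previously missing.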