Bug 1660433 [wpt PR 25176] - Subresource WebBundles: Same-origin rest…

…riction, a=testonly

Automatic update from web-platform-tests
Subresource WebBundles: Same-origin restriction

This patch restricts subresource loading from WebBundles only to
same-origin resources, i.e. origin of subresource URL must be
same-origin with the origin of the enclosing WebBundle's URL.

Bug: 1120252
Change-Id: Ic999c4582385560f22a1251c37bd3572f0ffd2bb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2368618
Reviewed-by: Tsuyoshi Horo <horo@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Hayato Ito <hayato@chromium.org>
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#800907}

--

wpt-commits: aa022e797e89bbc1c2f607970efaf3313bbcf386
wpt-pr: 25176

testing/web-platform/tests/web-bundle/resources/dynamic/__dir__.headers

@@ -0,0 +1 @@
+Access-Control-Allow-Origin: *

testing/web-platform/tests/web-bundle/resources/generate-test-wbns.sh

@@ -22,8 +22,8 @@ gen-bundle \
 
 gen-bundle \
   -version b1 \
-  -baseURL https://subresource-wbn.example/ \
-  -primaryURL https://subresource-wbn.example/root.js \
+  -baseURL $wpt_test_http_origin/ \
+  -primaryURL $wpt_test_http_origin/root.js \
   -dir subresource/ \
   -o wbn/subresource.wbn
 
@@ -40,3 +40,10 @@ gen-bundle \
   -primaryURL $wpt_test_http_origin/web-bundle/resources/dynamic/resource1.js \
   -dir dynamic2/ \
   -o wbn/dynamic2.wbn
+
+gen-bundle \
+  -version b1 \
+  -baseURL $wpt_test_https_origin/web-bundle/resources/dynamic/ \
+  -primaryURL $wpt_test_https_origin/web-bundle/resources/dynamic/resource1.js \
+  -dir dynamic1/ \
+  -o wbn/dynamic1-crossorigin.wbn

testing/web-platform/tests/web-bundle/subresource-loading/subresource-loading-from-web-bundle.tentative.html

@@ -8,10 +8,10 @@
 <script src="/resources/testharnessreport.js"></script>
 <body>
   <link id="link-web-bundle" rel="webbundle" href="../resources/wbn/subresource.wbn"
-        resources="https://subresource-wbn.example/root.js https://subresource-wbn.example/submodule.js" />
+        resources="http://web-platform.test:8001/root.js http://web-platform.test:8001/submodule.js" />
   <script>
     promise_test(async () => {
-      const module = await import('https://subresource-wbn.example/root.js');
+      const module = await import('http://web-platform.test:8001/root.js');
       assert_equals(module.result, 'OK');
     }, "Subresource loading with WebBundle");
 
@@ -48,9 +48,19 @@
       return addLinkAndWaitForError("../resources/wbn/nonexistent.wbn");
     }, '<link rel="webbundle"> fires an error event on load failure');
 
+    promise_test(async () => {
+      const link = document.createElement('link');
+      link.rel = 'webbundle';
+      link.href = '../resources/wbn/dynamic1-crossorigin.wbn';
+      link.resources = 'https://web-platform.test:8444/web-bundle/resources/dynamic/resource1.js';
+      document.body.appendChild(link);
+      const module = await import(link.resources);
+      assert_equals(module.result, 'resource1 from network');
+    }, 'Subresource URL must be same-origin with bundle URL');
+
     promise_test(async () => {
       const wbn_url = 'http://web-platform.test:8001/web-bundle/resources/wbn/subresource.wbn?test-resources-update';
-      const resource_url = 'https://subresource-wbn.example/submodule.js';
+      const resource_url = 'http://web-platform.test:8001/submodule.js';
       const link = await addLinkAndWaitForLoad(wbn_url);
       link.resources.add(resource_url);
       const resp = await fetch(resource_url, {cache: 'no-store'});