[Critical-CH] Add check for unsafe HTTP methods

According to the Client Hint Reliability ietf draft https://tools.ietf.org/html/draft-davidben-http-client-hint-reliability#section-3 > If the request did not use a safe method (Section 4.2.1 of [RFC7231]), ignore the Critical-CH header and continue processing the response as usual. Also added a WPT to make sure. Bug: 1127313 Change-Id: I82682077dfa51a4aa7204a973c192379cd6588c7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2508711 Commit-Queue: Aaron Tagliaboschi <[email protected]> Reviewed-by: Matt Menke <[email protected]> Reviewed-by: Maksim Orlovich <[email protected]> Reviewed-by: Yoav Weiss <[email protected]> Cr-Commit-Position: refs/heads/master@{#824434}
web-platform-tests · Nov 5, 2020 · 49ea137 · 49ea137
1 parent b6abb52
commit 49ea137
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/client-hints/critical-ch/unsafe-method.https.window.js b/client-hints/critical-ch/unsafe-method.https.window.js
@@ -0,0 +1,23 @@
+async_test((t) => {
+  // This test requires a navigation with a non-safe (i.e. non-GET) HTTP
+  // response, which the Critical-CH spec says to ignore. The most
+  // "straight-forward" way to do this in JS is by making a form with an
+  // unsafe method (e.g. POST) method and submit it.
+
+  // Build the form DOM element
+  var form = document.createElement("form");
+  form.setAttribute("method", "post");
+  form.setAttribute("action", "resources/echo-critical-hint.py");
+  form.setAttribute("target", "popup"); //don't navigate away from the page running the test...
+  document.body.appendChild(form);
+
+  var popup_window = window.open("/common/blank.html", "popup");
+  assert_not_equals(popup_window, null, "Popup windows not allowed?");
+
+  popup_window.addEventListener('message', (e) => {
+    t.step(()=>{assert_equals(e.data, "FAIL")});
+    t.done();
+  });
+
+  form.submit();
+}, "Critical-CH unsafe method")