Bug 1795658 [wpt PR 36491] - [beacon-api] Allow only HTTPS targets an…

…d make API secure-context only, a=testonly

Automatic update from web-platform-tests
[beacon-api] Allow only HTTPS targets and make API secure-context only

According to the [discussion][1], this CL makes the API only available
in [secure context][2], and blocks all non-HTTPS request URLs in the
PendingBeacon API:

1. The API throws `TypeError` when url provided to the following APIs
   are not HTTPs. Note that relative URLs or URLs without schema still
   work:
   A. ctor: `PendingGetBeacon(url)` & `PendingPostBeacon(url)`
   B. `PendingGetBeacon.setURL(url)`
2. The entire `PendingBeacon` API becomes only available in
   SecureContext, i.e. on an HTTPS page.

[1]: WICG/pending-beacon#27
[2]: https://w3c.github.io/webappsec-secure-contexts/

Bug: 1293679
Change-Id: I20b2ece0fe490decea80ead6f4740b65c9a36845
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3955986
Reviewed-by: Rakina Zata Amni <[email protected]>
Reviewed-by: Daniel Cheng <[email protected]>
Commit-Queue: Ming-Ying Chung <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1063911}

--

wpt-commits: 97cd7633f583bff5b856f816eba1de189c7c3903
wpt-pr: 36491

testing/web-platform/tests/pending-beacon/pending_beacon-basic.tentative.window.js → testing/web-platform/tests/pending-beacon/pending_beacon-basic.tentative.https.window.js

@@ -9,7 +9,18 @@ test(() => {
 for (const beaconType of BeaconTypes) {
   test(() => {
     assert_throws_js(TypeError, () => new beaconType.type());
-  }, `${beaconType.name}: constructor throws TypeError if url is missing`);
+  }, `${beaconType.name}: constructor throws TypeError if URL is missing.`);
+
+  test(() => {
+    assert_throws_js(
+        TypeError, () => new beaconType.type('http://www.google.com'));
+    assert_throws_js(TypeError, () => new beaconType.type('file://tmp'));
+    assert_throws_js(TypeError, () => new beaconType.type('ssh://example.com'));
+    assert_throws_js(TypeError, () => new beaconType.type('wss://example.com'));
+    assert_throws_js(TypeError, () => new beaconType.type('about:blank'));
+    assert_throws_js(
+        TypeError, () => new beaconType.type(`javascript:alert('');`));
+  }, `${beaconType.name}: constructor throws TypeError on non-HTTPS URL.`);
 
   test(() => {
     const beacon = new beaconType.type('/');
@@ -53,3 +64,14 @@ for (const beaconType of BeaconTypes) {
       `${beaconType.name}: throws TypeError when mutating ` +
           `'url', 'method', 'pending'.`);
 }
+
+test(() => {
+  let beacon = new PendingGetBeacon('/');
+
+  assert_throws_js(TypeError, () => beacon.setURL('http://www.google.com'));
+  assert_throws_js(TypeError, () => beacon.setURL('file://tmp'));
+  assert_throws_js(TypeError, () => beacon.setURL('ssh://example.com'));
+  assert_throws_js(TypeError, () => beacon.setURL('wss://example.com'));
+  assert_throws_js(TypeError, () => beacon.setURL('about:blank'));
+  assert_throws_js(TypeError, () => beacon.setURL(`javascript:alert('');`));
+}, `PendingGetBeacon: setURL() throws TypeError on non-HTTPS URL.`);

testing/web-platform/tests/pending-beacon/pending_beacon-basic.window.js

@@ -0,0 +1,12 @@
+// META: script=/resources/testharness.js
+// META: script=/resources/testharnessreport.js
+
+'use strict';
+
+test(() => {
+  assert_false(window.hasOwnProperty('PendingGetBeacon'));
+}, `PendingGetBeacon is not supported in non-secure context.`);
+
+test(() => {
+  assert_false(window.hasOwnProperty('PendingPostBeacon'));
+}, `PendingPostBeacon is not supported in non-secure context.`);