1{ 2 "test_description_template": "Referrer Policy: Expects %(expectation)s for %(subresource)s to %(origin)s origin and %(redirection)s redirection from %(source_scheme)s context.", 3 "test_page_title_template": "Referrer-Policy: %(title)s", 4 "specification": [ 5 { 6 // unset-referrer-policy 7 "title": "Referrer Policy is not explicitly defined", 8 "description": "Check that referrer URL follows the strict-origin-when-cross-origin policy when no explicit Referrer Policy is set.", 9 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policies", 10 "test_expansion": [ 11 { 12 // same-insecure 13 "expansion": "default", 14 "source_scheme": "http", 15 "source_context_list": "*", 16 "delivery_type": "*", 17 "delivery_value": null, 18 "redirection": "*", 19 "origin": "same-http", 20 "subresource": "*", 21 "expectation": "stripped-referrer" 22 }, 23 { 24 // same-insecure 25 "expansion": "override", 26 "source_scheme": "http", 27 "source_context_list": "*", 28 "delivery_type": "*", 29 "delivery_value": null, 30 "redirection": "swap-origin", 31 "origin": "same-http", 32 "subresource": "*", 33 "expectation": "origin" 34 }, 35 { 36 // cross-insecure 37 "expansion": "default", 38 "source_scheme": "http", 39 "source_context_list": "*", 40 "delivery_type": "*", 41 "delivery_value": null, 42 "redirection": "*", 43 "origin": "cross-http", 44 "subresource": "*", 45 "expectation": "origin" 46 }, 47 { 48 // upgrade-protocol 49 "expansion": "default", 50 "source_scheme": "http", 51 "source_context_list": "*", 52 "delivery_type": "*", 53 "delivery_value": null, 54 "redirection": "*", 55 "origin": [ 56 "same-https", 57 "cross-https" 58 ], 59 "subresource": "*", 60 "expectation": "origin" 61 }, 62 { 63 // downgrade-protocol 64 "expansion": "default", 65 "source_scheme": "https", 66 "source_context_list": "*", 67 "delivery_type": "*", 68 "delivery_value": null, 69 "redirection": "*", 70 "origin": [ 71 "same-http", 72 "cross-http" 73 ], 74 "subresource": "*", 75 "expectation": "omitted" 76 }, 77 { 78 // same-secure 79 "expansion": "default", 80 "source_scheme": "https", 81 "source_context_list": "*", 82 "delivery_type": "*", 83 "delivery_value": null, 84 "redirection": "*", 85 "origin": "same-https", 86 "subresource": "*", 87 "expectation": "stripped-referrer" 88 }, 89 { 90 // same-secure 91 "expansion": "override", 92 "source_scheme": "https", 93 "source_context_list": "*", 94 "delivery_type": "*", 95 "delivery_value": null, 96 "redirection": "swap-origin", 97 "origin": "same-https", 98 "subresource": "*", 99 "expectation": "origin" 100 }, 101 { 102 // cross-secure 103 "expansion": "default", 104 "source_scheme": "https", 105 "source_context_list": "*", 106 "delivery_type": "*", 107 "delivery_value": null, 108 "redirection": "*", 109 "origin": "cross-https", 110 "subresource": "*", 111 "expectation": "origin" 112 } 113 ] 114 }, 115 { 116 // meta tag default 117 "title": "<meta rel=referrer> is set to the legacy keyword 'default'", 118 "description": "Check that the 'default' legacy keyword results in behavior equivalent to the default policy (currently strict-origin-when-cross-origin)", 119 "specification_url": "https://html.spec.whatwg.org/multipage/semantics.html#the-meta-element", 120 "test_expansion": [ 121 { 122 // same-insecure 123 "expansion": "default", 124 "source_scheme": "http", 125 "source_context_list": "*", 126 "delivery_type": "meta", 127 "delivery_value": "default", 128 "redirection": "*", 129 "origin": "same-http", 130 "subresource": "*", 131 "expectation": "stripped-referrer" 132 }, 133 { 134 // same-insecure 135 "expansion": "override", 136 "source_scheme": "http", 137 "source_context_list": "*", 138 "delivery_type": "meta", 139 "delivery_value": "default", 140 "redirection": "swap-origin", 141 "origin": "same-http", 142 "subresource": "*", 143 "expectation": "origin" 144 }, 145 { 146 // cross-insecure 147 "expansion": "default", 148 "source_scheme": "http", 149 "source_context_list": "*", 150 "delivery_type": "meta", 151 "delivery_value": "default", 152 "redirection": "*", 153 "origin": "cross-http", 154 "subresource": "*", 155 "expectation": "origin" 156 }, 157 { 158 // upgrade-protocol 159 "expansion": "default", 160 "source_scheme": "http", 161 "source_context_list": "*", 162 "delivery_type": "meta", 163 "delivery_value": "default", 164 "redirection": "*", 165 "origin": [ 166 "same-https", 167 "cross-https" 168 ], 169 "subresource": "*", 170 "expectation": "origin" 171 }, 172 { 173 // downgrade-protocol 174 "expansion": "default", 175 "source_scheme": "https", 176 "source_context_list": "*", 177 "delivery_type": "meta", 178 "delivery_value": "default", 179 "redirection": "*", 180 "origin": [ 181 "same-http", 182 "cross-http" 183 ], 184 "subresource": "*", 185 "expectation": "omitted" 186 }, 187 { 188 // same-secure 189 "expansion": "default", 190 "source_scheme": "https", 191 "source_context_list": "*", 192 "delivery_type": "meta", 193 "delivery_value": "default", 194 "redirection": "*", 195 "origin": "same-https", 196 "subresource": "*", 197 "expectation": "stripped-referrer" 198 }, 199 { 200 // same-secure 201 "expansion": "override", 202 "source_scheme": "https", 203 "source_context_list": "*", 204 "delivery_type": "meta", 205 "delivery_value": "default", 206 "redirection": "swap-origin", 207 "origin": "same-https", 208 "subresource": "*", 209 "expectation": "origin" 210 }, 211 { 212 // cross-secure 213 "expansion": "default", 214 "source_scheme": "https", 215 "source_context_list": "*", 216 "delivery_type": "meta", 217 "delivery_value": "default", 218 "redirection": "*", 219 "origin": "cross-https", 220 "subresource": "*", 221 "expectation": "origin" 222 } 223 ] 224 }, 225 { 226 // no-referrer 227 "title": "Referrer Policy is set to 'no-referrer'", 228 "description": "Check that sub-resource never gets the referrer URL.", 229 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-no-referrer", 230 "test_expansion": [ 231 { 232 // generic 233 "expansion": "default", 234 "source_scheme": "*", 235 "source_context_list": "*", 236 "delivery_type": "*", 237 "delivery_value": "no-referrer", 238 "redirection": "*", 239 "origin": "*", 240 "subresource": "*", 241 "expectation": "omitted" 242 } 243 ] 244 }, 245 { 246 // meta tag never 247 "title": "<meta rel=referrer> is set to the legacy value 'never'", 248 "description": "Check that the legacy <meta> value 'never' is equivalent to the 'no-referrer' policy", 249 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-no-referrer", 250 "test_expansion": [ 251 { 252 // generic 253 "expansion": "default", 254 "source_scheme": "*", 255 "source_context_list": "*", 256 "delivery_type": "meta", 257 "delivery_value": "never", 258 "redirection": "*", 259 "origin": "*", 260 "subresource": "*", 261 "expectation": "omitted" 262 } 263 ] 264 }, 265 { 266 // no-referrer-when-downgrade 267 "title": "Referrer Policy is set to 'no-referrer-when-downgrade'", 268 "description": "Check that non a priori insecure subresource gets the full Referrer URL. A priori insecure subresource gets no referrer information.", 269 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-no-referrer-when-downgrade", 270 "test_expansion": [ 271 { 272 // insecure-protocol 273 "expansion": "default", 274 "source_scheme": "http", 275 "source_context_list": "*", 276 "delivery_type": "*", 277 "delivery_value": "no-referrer-when-downgrade", 278 "redirection": "*", 279 "origin": [ 280 "same-http", 281 "cross-http" 282 ], 283 "subresource": "*", 284 "expectation": "stripped-referrer" 285 }, 286 { 287 // upgrade-protocol 288 "expansion": "default", 289 "source_scheme": "http", 290 "source_context_list": "*", 291 "delivery_type": "*", 292 "delivery_value": "no-referrer-when-downgrade", 293 "redirection": "*", 294 "origin": [ 295 "same-https", 296 "cross-https" 297 ], 298 "subresource": "*", 299 "expectation": "stripped-referrer" 300 }, 301 { 302 // downgrade-protocol 303 "expansion": "default", 304 "source_scheme": "https", 305 "source_context_list": "*", 306 "delivery_type": "*", 307 "delivery_value": "no-referrer-when-downgrade", 308 "redirection": "*", 309 "origin": [ 310 "same-http", 311 "cross-http" 312 ], 313 "subresource": "*", 314 "expectation": "omitted" 315 }, 316 { 317 // secure-protocol 318 "expansion": "default", 319 "source_scheme": "https", 320 "source_context_list": "*", 321 "delivery_type": "*", 322 "delivery_value": "no-referrer-when-downgrade", 323 "redirection": "*", 324 "origin": [ 325 "same-https", 326 "cross-https" 327 ], 328 "subresource": "*", 329 "expectation": "stripped-referrer" 330 } 331 ] 332 }, 333 { 334 // origin 335 "title": "Referrer Policy is set to 'origin'", 336 "description": "Check that all subresources in all casses get only the origin portion of the referrer URL.", 337 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-origin", 338 "test_expansion": [ 339 { 340 // generic 341 "expansion": "default", 342 "source_scheme": "*", 343 "source_context_list": "*", 344 "delivery_type": "*", 345 "delivery_value": "origin", 346 "redirection": "*", 347 "origin": "*", 348 "subresource": "*", 349 "expectation": "origin" 350 } 351 ] 352 }, 353 { 354 // same-origin 355 "title": "Referrer Policy is set to 'same-origin'", 356 "description": "Check that cross-origin subresources get no referrer information and same-origin get the stripped referrer URL.", 357 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin", 358 "test_expansion": [ 359 { 360 // same-origin-insecure 361 "expansion": "default", 362 "source_scheme": "http", 363 "source_context_list": "*", 364 "delivery_type": "*", 365 "delivery_value": "same-origin", 366 "redirection": "*", 367 "origin": "same-http", 368 "subresource": "*", 369 "expectation": "stripped-referrer" 370 }, 371 { 372 // same-origin-secure-default 373 "expansion": "default", 374 "source_scheme": "https", 375 "source_context_list": "*", 376 "delivery_type": "*", 377 "delivery_value": "same-origin", 378 "redirection": "*", 379 "origin": "same-https", 380 "subresource": "*", 381 "expectation": "stripped-referrer" 382 }, 383 { 384 // same-origin-insecure 385 "expansion": "override", 386 "source_scheme": "*", 387 "source_context_list": "*", 388 "delivery_type": "*", 389 "delivery_value": "same-origin", 390 "redirection": "swap-origin", 391 "origin": [ 392 "same-http", 393 "same-https" 394 ], 395 "subresource": "*", 396 "expectation": "omitted" 397 }, 398 { 399 // cross-origin 400 "expansion": "default", 401 "source_scheme": "*", 402 "source_context_list": "*", 403 "delivery_type": "*", 404 "delivery_value": "same-origin", 405 "redirection": "*", 406 "origin": [ 407 "cross-http", 408 "cross-https" 409 ], 410 "subresource": "*", 411 "expectation": "omitted" 412 } 413 ] 414 }, 415 { 416 // origin-when-cross-origin 417 "title": "Referrer Policy is set to 'origin-when-cross-origin'", 418 "description": "Check that cross-origin subresources get the origin portion of the referrer URL and same-origin get the stripped referrer URL.", 419 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-origin-when-cross-origin", 420 "test_expansion": [ 421 { 422 // same-origin-insecure 423 "expansion": "default", 424 "source_scheme": "http", 425 "source_context_list": "*", 426 "delivery_type": "*", 427 "delivery_value": "origin-when-cross-origin", 428 "redirection": "*", 429 "origin": "same-http", 430 "subresource": "*", 431 "expectation": "stripped-referrer" 432 }, 433 { 434 // same-origin-secure-default 435 "expansion": "default", 436 "source_scheme": "https", 437 "source_context_list": "*", 438 "delivery_type": "*", 439 "delivery_value": "origin-when-cross-origin", 440 "redirection": "*", 441 "origin": "same-https", 442 "subresource": "*", 443 "expectation": "stripped-referrer" 444 }, 445 { 446 // same-origin-upgrade 447 "expansion": "default", 448 "source_scheme": "http", 449 "source_context_list": "*", 450 "delivery_type": "*", 451 "delivery_value": "origin-when-cross-origin", 452 "redirection": "*", 453 "origin": "same-https", 454 "subresource": "*", 455 "expectation": "origin" 456 }, 457 { 458 // same-origin-downgrade 459 "expansion": "default", 460 "source_scheme": "https", 461 "source_context_list": "*", 462 "delivery_type": "*", 463 "delivery_value": "origin-when-cross-origin", 464 "redirection": "*", 465 "origin": "same-http", 466 "subresource": "*", 467 "expectation": "origin" 468 }, 469 { 470 // same-origin-insecure 471 "expansion": "override", 472 "source_scheme": "*", 473 "source_context_list": "*", 474 "delivery_type": "*", 475 "delivery_value": "origin-when-cross-origin", 476 "redirection": "swap-origin", 477 "origin": [ 478 "same-http", 479 "same-https" 480 ], 481 "subresource": "*", 482 "expectation": "origin" 483 }, 484 { 485 // cross-origin 486 "expansion": "default", 487 "source_scheme": "*", 488 "source_context_list": "*", 489 "delivery_type": "*", 490 "delivery_value": "origin-when-cross-origin", 491 "redirection": "*", 492 "origin": [ 493 "cross-http", 494 "cross-https" 495 ], 496 "subresource": "*", 497 "expectation": "origin" 498 } 499 ] 500 }, 501 { 502 // meta tag origin-when-crossorigin 503 "title": "<meta rel=referrer> is set to the legacy value 'origin-when-crossorigin'", 504 "description": "Check that the legacy <meta> value 'origin-when-crossorigin' is equivalent to the 'origin-when-cross-origin' policy", 505 "specification_url": "https://html.spec.whatwg.org/multipage/semantics.html#the-meta-element", 506 "test_expansion": [ 507 { 508 // same-origin-insecure 509 "expansion": "default", 510 "source_scheme": "http", 511 "source_context_list": "*", 512 "delivery_type": "meta", 513 "delivery_value": "origin-when-crossorigin", 514 "redirection": "*", 515 "origin": "same-http", 516 "subresource": "*", 517 "expectation": "stripped-referrer" 518 }, 519 { 520 // same-origin-secure-default 521 "expansion": "default", 522 "source_scheme": "https", 523 "source_context_list": "*", 524 "delivery_type": "meta", 525 "delivery_value": "origin-when-crossorigin", 526 "redirection": "*", 527 "origin": "same-https", 528 "subresource": "*", 529 "expectation": "stripped-referrer" 530 }, 531 { 532 // same-origin-upgrade 533 "expansion": "default", 534 "source_scheme": "http", 535 "source_context_list": "*", 536 "delivery_type": "meta", 537 "delivery_value": "origin-when-crossorigin", 538 "redirection": "*", 539 "origin": "same-https", 540 "subresource": "*", 541 "expectation": "origin" 542 }, 543 { 544 // same-origin-downgrade 545 "expansion": "default", 546 "source_scheme": "https", 547 "source_context_list": "*", 548 "delivery_type": "meta", 549 "delivery_value": "origin-when-crossorigin", 550 "redirection": "*", 551 "origin": "same-http", 552 "subresource": "*", 553 "expectation": "origin" 554 }, 555 { 556 // same-origin-insecure 557 "expansion": "override", 558 "source_scheme": "*", 559 "source_context_list": "*", 560 "delivery_type": "meta", 561 "delivery_value": "origin-when-crossorigin", 562 "redirection": "swap-origin", 563 "origin": [ 564 "same-http", 565 "same-https" 566 ], 567 "subresource": "*", 568 "expectation": "origin" 569 }, 570 { 571 // cross-origin 572 "expansion": "default", 573 "source_scheme": "*", 574 "source_context_list": "*", 575 "delivery_type": "meta", 576 "delivery_value": "origin-when-crossorigin", 577 "redirection": "*", 578 "origin": [ 579 "cross-http", 580 "cross-https" 581 ], 582 "subresource": "*", 583 "expectation": "origin" 584 } 585 ] 586 }, 587 { 588 // strict-origin 589 "title": "Referrer Policy is set to 'strict-origin'", 590 "description": "Check that non a priori insecure subresource gets only the origin portion of the referrer URL. A priori insecure subresource gets no referrer information.", 591 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin", 592 "test_expansion": [ 593 { 594 // insecure-protocol 595 "expansion": "default", 596 "source_scheme": "http", 597 "source_context_list": "*", 598 "delivery_type": "*", 599 "delivery_value": "strict-origin", 600 "redirection": "*", 601 "origin": [ 602 "same-http", 603 "cross-http" 604 ], 605 "subresource": "*", 606 "expectation": "origin" 607 }, 608 { 609 // upgrade-protocol 610 "expansion": "default", 611 "source_scheme": "http", 612 "source_context_list": "*", 613 "delivery_type": "*", 614 "delivery_value": "strict-origin", 615 "redirection": "*", 616 "origin": [ 617 "same-https", 618 "cross-https" 619 ], 620 "subresource": "*", 621 "expectation": "origin" 622 }, 623 { 624 // downgrade-protocol 625 "expansion": "default", 626 "source_scheme": "https", 627 "source_context_list": "*", 628 "delivery_type": "*", 629 "delivery_value": "strict-origin", 630 "redirection": "*", 631 "origin": [ 632 "same-http", 633 "cross-http" 634 ], 635 "subresource": "*", 636 "expectation": "omitted" 637 }, 638 { 639 // secure-protocol 640 "expansion": "default", 641 "source_scheme": "https", 642 "source_context_list": "*", 643 "delivery_type": "*", 644 "delivery_value": "strict-origin", 645 "redirection": "*", 646 "origin": [ 647 "same-https", 648 "cross-https" 649 ], 650 "subresource": "*", 651 "expectation": "origin" 652 } 653 ] 654 }, 655 { 656 // strict-origin-when-cross-origin 657 "title": "Referrer Policy is set to 'strict-origin-when-cross-origin'", 658 "description": "Check that a priori insecure subresource gets no referrer information. Otherwise, cross-origin subresources get the origin portion of the referrer URL and same-origin get the stripped referrer URL.", 659 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin-when-cross-origin", 660 "test_expansion": [ 661 { 662 // same-insecure 663 "expansion": "default", 664 "source_scheme": "http", 665 "source_context_list": "*", 666 "delivery_type": "*", 667 "delivery_value": "strict-origin-when-cross-origin", 668 "redirection": "*", 669 "origin": "same-http", 670 "subresource": "*", 671 "expectation": "stripped-referrer" 672 }, 673 { 674 // same-insecure 675 "expansion": "override", 676 "source_scheme": "http", 677 "source_context_list": "*", 678 "delivery_type": "*", 679 "delivery_value": "strict-origin-when-cross-origin", 680 "redirection": "swap-origin", 681 "origin": "same-http", 682 "subresource": "*", 683 "expectation": "origin" 684 }, 685 { 686 // cross-insecure 687 "expansion": "default", 688 "source_scheme": "http", 689 "source_context_list": "*", 690 "delivery_type": "*", 691 "delivery_value": "strict-origin-when-cross-origin", 692 "redirection": "*", 693 "origin": "cross-http", 694 "subresource": "*", 695 "expectation": "origin" 696 }, 697 { 698 // upgrade-protocol 699 "expansion": "default", 700 "source_scheme": "http", 701 "source_context_list": "*", 702 "delivery_type": "*", 703 "delivery_value": "strict-origin-when-cross-origin", 704 "redirection": "*", 705 "origin": [ 706 "same-https", 707 "cross-https" 708 ], 709 "subresource": "*", 710 "expectation": "origin" 711 }, 712 { 713 // downgrade-protocol 714 "expansion": "default", 715 "source_scheme": "https", 716 "source_context_list": "*", 717 "delivery_type": "*", 718 "delivery_value": "strict-origin-when-cross-origin", 719 "redirection": "*", 720 "origin": [ 721 "same-http", 722 "cross-http" 723 ], 724 "subresource": "*", 725 "expectation": "omitted" 726 }, 727 { 728 // same-secure 729 "expansion": "default", 730 "source_scheme": "https", 731 "source_context_list": "*", 732 "delivery_type": "*", 733 "delivery_value": "strict-origin-when-cross-origin", 734 "redirection": "*", 735 "origin": "same-https", 736 "subresource": "*", 737 "expectation": "stripped-referrer" 738 }, 739 { 740 // same-secure 741 "expansion": "override", 742 "source_scheme": "https", 743 "source_context_list": "*", 744 "delivery_type": "*", 745 "delivery_value": "strict-origin-when-cross-origin", 746 "redirection": "swap-origin", 747 "origin": "same-https", 748 "subresource": "*", 749 "expectation": "origin" 750 }, 751 { 752 // cross-secure 753 "expansion": "default", 754 "source_scheme": "https", 755 "source_context_list": "*", 756 "delivery_type": "*", 757 "delivery_value": "strict-origin-when-cross-origin", 758 "redirection": "*", 759 "origin": "cross-https", 760 "subresource": "*", 761 "expectation": "origin" 762 } 763 ] 764 }, 765 { 766 // unsafe-url 767 "title": "Referrer Policy is set to 'unsafe-url'", 768 "description": "Check that all sub-resources get the stripped referrer URL.", 769 "specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-unsafe-url", 770 "test_expansion": [ 771 { 772 // generic 773 "expansion": "default", 774 "source_scheme": "*", 775 "source_context_list": "*", 776 "delivery_type": "*", 777 "delivery_value": "unsafe-url", 778 "redirection": "*", 779 "origin": "*", 780 "subresource": "*", 781 "expectation": "stripped-referrer" 782 } 783 ] 784 }, 785 { 786 // meta tag always 787 "title": "<meta rel=referrer> is set to the legacy value 'always'", 788 "description": "Check that the legacy <meta> value 'always' is equivalent to the 'unsafe-url' policy", 789 "specification_url": "https://html.spec.whatwg.org/multipage/semantics.html#the-meta-element", 790 "test_expansion": [ 791 { 792 // generic 793 "expansion": "default", 794 "source_scheme": "*", 795 "source_context_list": "*", 796 "delivery_type": "meta", 797 "delivery_value": "always", 798 "redirection": "*", 799 "origin": "*", 800 "subresource": "*", 801 "expectation": "stripped-referrer" 802 } 803 ] 804 } 805 ], 806 "delivery_key": "referrerPolicy", 807 "excluded_tests": [ 808 { 809 // upgraded-protocol-workers 810 "expansion": "*", 811 "source_scheme": "http", 812 "source_context_list": "*", 813 "delivery_type": "*", 814 "delivery_value": "*", 815 "redirection": "*", 816 "origin": [ 817 "same-https", 818 "cross-https" 819 ], 820 "subresource": [ 821 "worker-classic", 822 "worker-module", 823 "sharedworker-classic", 824 "sharedworker-module" 825 ], 826 "expectation": "*" 827 }, 828 { 829 // mixed-content-insecure-subresources 830 "expansion": "*", 831 "source_scheme": "https", 832 "source_context_list": "*", 833 "delivery_type": "*", 834 "delivery_value": "*", 835 "redirection": "*", 836 "origin": [ 837 "same-http", 838 "same-http-downgrade", 839 "cross-http", 840 "cross-http-downgrade", 841 "same-ws", 842 "same-ws-downgrade", 843 "cross-ws", 844 "cross-ws-downgrade" 845 ], 846 "subresource": "*", 847 "expectation": "*" 848 }, 849 { 850 // overhead-for-redirection 851 "expansion": "*", 852 "source_scheme": "*", 853 "source_context_list": "*", 854 "delivery_type": "*", 855 "delivery_value": "*", 856 "redirection": [ 857 "keep-origin", 858 "swap-origin" 859 ], 860 "origin": "*", 861 "subresource": [ 862 "a-tag", 863 "area-tag" 864 ], 865 "expectation": "*" 866 }, 867 { 868 // source-https-unsupported-by-web-platform-tests-runners 869 "expansion": "*", 870 "source_scheme": "https", 871 "source_context_list": "*", 872 "delivery_type": "*", 873 "delivery_value": "*", 874 "redirection": "*", 875 "origin": "*", 876 "subresource": "*", 877 "expectation": "*" 878 }, 879 { 880 // <link rel=noreferrer>'s delivery_value should be no-referrer 881 "expansion": "*", 882 "source_scheme": "*", 883 "source_context_list": "*", 884 "delivery_type": "rel-noref", 885 "delivery_value": [ 886 null, 887 "no-referrer-when-downgrade", 888 "same-origin", 889 "origin", 890 "origin-when-cross-origin", 891 "strict-origin", 892 "strict-origin-when-cross-origin", 893 "unsafe-url" 894 ], 895 "redirection": "*", 896 "origin": "*", 897 "subresource": "*", 898 "expectation": "*" 899 }, 900 { 901 // redirections that referrer-policy tests don't care 902 "expansion": "*", 903 "source_scheme": "*", 904 "source_context_list": "*", 905 "delivery_type": "*", 906 "delivery_value": "*", 907 "redirection": [ 908 "keep-scheme", 909 "swap-scheme", 910 "downgrade" 911 ], 912 "origin": "*", 913 "subresource": "*", 914 "expectation": "*" 915 }, 916 { 917 // origins that referrer-policy tests don't care 918 "expansion": "*", 919 "source_scheme": "*", 920 "source_context_list": "*", 921 "delivery_type": "*", 922 "delivery_value": "*", 923 "redirection": "*", 924 "origin": [ 925 "same-http-downgrade", 926 "cross-http-downgrade", 927 "same-ws-downgrade", 928 "cross-ws-downgrade" 929 ], 930 "subresource": "*", 931 "expectation": "*" 932 }, 933 { 934 // subresource values not yet tested 935 "expansion": "*", 936 "source_scheme": "*", 937 "source_context_list": "*", 938 "delivery_type": "*", 939 "delivery_value": "*", 940 "redirection": "*", 941 "subresource": [ 942 "area-tag", 943 "audio-tag", 944 "beacon", 945 "link-css-tag", 946 "link-prefetch-tag", 947 "object-tag", 948 "picture-tag", 949 "sharedworker-import", 950 "sharedworker-import-data", 951 "video-tag", 952 "websocket", 953 "worker-import", 954 "worker-import-data", 955 "worklet-animation", 956 "worklet-animation-import-data", 957 "worklet-audio", 958 "worklet-audio-import-data", 959 "worklet-layout", 960 "worklet-layout-import-data", 961 "worklet-paint", 962 "worklet-paint-import-data" 963 ], 964 "origin": "*", 965 "expectation": "*" 966 }, 967 { 968 // source_context_list values not yet tested 969 "expansion": "*", 970 "source_scheme": "*", 971 "source_context_list": [ 972 "iframe-blank-inherit", 973 "sharedworker-classic", 974 "sharedworker-classic-data", 975 "sharedworker-module", 976 "sharedworker-module-data", 977 "worker-classic-data", 978 "worker-module-data" 979 ], 980 "delivery_type": "*", 981 "delivery_value": "*", 982 "redirection": "*", 983 "subresource": "*", 984 "origin": "*", 985 "expectation": "*" 986 }, 987 { 988 // source_context_list values not for referrer-policy tests 989 "expansion": "*", 990 "source_scheme": "*", 991 "source_context_list": [ 992 "worker-classic-inherit", 993 "worker-module-inherit" 994 ], 995 "delivery_type": "*", 996 "delivery_value": "*", 997 "redirection": "*", 998 "subresource": "*", 999 "origin": "*", 1000 "expectation": "*" 1001 } 1002 ], 1003 "source_context_schema": { 1004 "supported_delivery_type": { 1005 "top": [ 1006 "meta", 1007 "http-rp" 1008 ], 1009 "iframe": [ 1010 "meta", 1011 "http-rp" 1012 ], 1013 "iframe-blank": [ 1014 "meta" 1015 ], 1016 "srcdoc": [ 1017 "meta" 1018 ], 1019 "worker-classic": [ 1020 "http-rp" 1021 ], 1022 "worker-module": [ 1023 "http-rp" 1024 ], 1025 "worker-classic-data": [], 1026 "worker-module-data": [], 1027 "sharedworker-classic": [ 1028 "http-rp" 1029 ], 1030 "sharedworker-module": [ 1031 "http-rp" 1032 ], 1033 "sharedworker-classic-data": [], 1034 "sharedworker-module-data": [] 1035 } 1036 }, 1037 "subresource_schema": { 1038 "supported_delivery_type": { 1039 // List of elements that support "attr" delivery type can be followed 1040 // from the cross reference of: 1041 // https://html.spec.whatwg.org/C/#referrer-policy-attribute 1042 "a-tag": [ 1043 "attr", 1044 "rel-noref" 1045 ], 1046 "area-tag": [ 1047 "attr" 1048 ], 1049 "audio-tag": [], 1050 "beacon": [], 1051 // Fetch API supports `init["referrerPolicy"]` in `Request`: 1052 // https://fetch.spec.whatwg.org/#dom-request. 1053 // TODO(https://github.com/web-platform-tests/wpt/issues/21815): 1054 // Add support for this. Currently `common.sub.js` doesn't support this. 1055 "fetch": [], 1056 "iframe-tag": [ 1057 "attr" 1058 ], 1059 "img-tag": [ 1060 "attr" 1061 ], 1062 // TODO(https://github.com/web-platform-tests/wpt/issues/21815): 1063 // Support "attr" in the following `<link>`-related subresources. 1064 // The current referrrer-policy test helper doesn't support 1065 // checking referrer results via <link> elements. 1066 "link-css-tag": [], 1067 "link-prefetch-tag": [], 1068 "object-tag": [], 1069 // `<img>` supports referrerpolicy attribute, 1070 // so `<img>` inside `<picture>` also supports the attribute. 1071 // TODO(https://github.com/web-platform-tests/wpt/issues/21815): 1072 // Support this. 1073 "picture-tag": [], 1074 "script-tag": [ 1075 "attr" 1076 ], 1077 "sharedworker-classic": [], 1078 "sharedworker-import": [], 1079 "sharedworker-import-data": [], 1080 "sharedworker-module": [], 1081 "video-tag": [], 1082 "websocket": [], 1083 "worker-classic": [], 1084 "worker-import": [], 1085 "worker-import-data": [], 1086 "worker-module": [], 1087 "worklet-animation": [], 1088 "worklet-animation-import-data": [], 1089 "worklet-audio": [], 1090 "worklet-audio-import-data": [], 1091 "worklet-layout": [], 1092 "worklet-layout-import-data": [], 1093 "worklet-paint": [], 1094 "worklet-paint-import-data": [], 1095 "xhr": [] 1096 } 1097 }, 1098 "test_expansion_schema": { 1099 "delivery_type": [ 1100 "attr", 1101 "rel-noref", 1102 "http-rp", 1103 "meta" 1104 ], 1105 "delivery_value": [ 1106 null, 1107 "no-referrer", 1108 "no-referrer-when-downgrade", 1109 "same-origin", 1110 "origin", 1111 "origin-when-cross-origin", 1112 "strict-origin", 1113 "strict-origin-when-cross-origin", 1114 "unsafe-url", 1115 "default", 1116 "always", 1117 "never", 1118 "origin-when-crossorigin" 1119 ], 1120 "expectation": [ 1121 "omitted", 1122 "origin", 1123 "stripped-referrer" 1124 ] 1125 } 1126} 1127