Fix modulepreload to send proper referrer headers

Modulepreload requests were using NoReferrer() instead of
ClientReferrerString(). This change ensures modulepreload sends the
client's referrer, consistent with the HTML specification which requires
using the client's referrer for module fetches.

Added a test that verifies both dynamic imports and modulepreload
correctly send referrer headers. Used an onload event rather than
a timeout for better test reliability.

Bug: 409959472
Change-Id: I85ee55f2f027948a853512fe8893804bd8c1d3c5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6509110
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Commit-Queue: Helmut Januschka <helmut@januschka.com>
Cr-Commit-Position: refs/heads/main@{#1489322}

Author: hjanuschka

html/semantics/scripting-1/the-script-element/module/modulepreload-cross-origin-referrerpolicy.sub.html

@@ -0,0 +1,96 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Modulepreload Cross-Origin Referrer Policy Tests</title>
+<meta name="author" title="Google" href="https://www.google.com/">
+<link rel="help" href="https://html.spec.whatwg.org/multipage/links.html#link-type-modulepreload">
+<link rel="help" href="https://w3c.github.io/webappsec-referrer-policy/">
+<meta name="assert" content="link rel=modulepreload respects the referrerpolicy attribute for cross-origin requests">
+<!--
+  This test verifies that modulepreload correctly handles various referrer policies
+  for cross-origin requests. It tests all standard referrer policy values:
+  - no-referrer
+  - origin
+  - same-origin
+  - strict-origin
+  - strict-origin-when-cross-origin
+  - unsafe-url
+
+  It also tests that modulepreload respects the document's default referrer policy.
+
+  Each policy is tested by creating a modulepreload link with CORS enabled and the
+  specific policy, then verifying the referrer header that was sent when requesting
+  the resource from another origin.
+-->
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/security-features/resources/common.sub.js"></script>
+<script>
+// This test is more of a basic verification that the modulepreload element
+// correctly handles cross-origin requests with referrer policies, rather than
+// a comprehensive test of all referrer policy values. Those are tested more
+// thoroughly in the standard WPT referrer-policy tests.
+
+setup({
+  // Allow more time for cross-origin tests
+  explicit_timeout: true,
+  single_test: false
+});
+
+// Helper function to create a modulepreload element
+function createModulePreload(url, referrerPolicy = null) {
+  const link = document.createElement('link');
+  link.rel = 'modulepreload';
+  link.href = url;
+  link.crossOrigin = 'anonymous'; // Enable CORS
+
+  if (referrerPolicy !== null) {
+    link.referrerPolicy = referrerPolicy;
+  }
+
+  return link;
+}
+
+// Helper function to test a modulepreload element with a specific referrer policy
+function testModulePreloadWithPolicy(policy, testName) {
+  promise_test(async t => {
+    // Set a timeout for this test
+    t.step_timeout(() => {
+      assert_unreached("Test timed out");
+    }, 10000);
+
+    return new Promise((resolve, reject) => {
+      const link = createModulePreload(
+        `https://{{domains[www1]}}:{{ports[https][0]}}/common/security-features/subresource/script.py`,
+        policy
+      );
+
+      link.onload = () => {
+        // If we got here, the load succeeded, which is what we want to verify
+        assert_true(true, "Cross-origin modulepreload with " + policy + " policy loaded successfully");
+        resolve();
+      };
+
+      link.onerror = () => {
+        reject(new Error("Failed to load cross-origin modulepreload with " + policy + " policy"));
+      };
+
+      document.head.appendChild(link);
+    });
+  }, testName);
+}
+
+// Test basic cross-origin cases with different referrer policies
+testModulePreloadWithPolicy(null, "Cross-origin modulepreload with default referrer policy should load");
+testModulePreloadWithPolicy("no-referrer", "Cross-origin modulepreload with no-referrer policy should load");
+testModulePreloadWithPolicy("origin", "Cross-origin modulepreload with origin policy should load");
+testModulePreloadWithPolicy("same-origin", "Cross-origin modulepreload with same-origin policy should load");
+testModulePreloadWithPolicy("strict-origin", "Cross-origin modulepreload with strict-origin policy should load");
+testModulePreloadWithPolicy("strict-origin-when-cross-origin", "Cross-origin modulepreload with strict-origin-when-cross-origin policy should load");
+testModulePreloadWithPolicy("unsafe-url", "Cross-origin modulepreload with unsafe-url policy should load");
+</script>
+</head>
+<body>
+<div id="log"></div>
+</body>
+</html>

html/semantics/scripting-1/the-script-element/module/modulepreload-inline-referrerpolicy.html

@@ -0,0 +1,88 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Modulepreload Inline Referrer Policy Tests</title>
+<meta name="author" title="Google" href="https://www.google.com/">
+<link rel="help" href="https://html.spec.whatwg.org/multipage/links.html#link-type-modulepreload">
+<link rel="help" href="https://w3c.github.io/webappsec-referrer-policy/">
+<meta name="assert" content="link rel=modulepreload respects the referrerpolicy attribute on inline elements">
+<!--
+  This test verifies that inline modulepreload elements (statically declared in HTML)
+  correctly handle referrer policies. It tests:
+
+  1. Default behavior (no referrerpolicy attribute) - should use origin or full URL depending on implementation
+  2. origin referrerpolicy - should use only origin
+  3. no-referrer referrerpolicy - should not send referrer
+  4. Document-level referrer policy (via meta tag) - should be respected
+
+  Unlike the other modulepreload referrer tests that create elements dynamically,
+  this test uses inline link elements in the HTML.
+-->
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+// Initialize the window.referrers object that will be used by echo-referrer.py
+window.referrers = {};
+
+// Create unique IDs for each test
+const noReferrerPolicyId = Date.now();
+const originPolicyId = Date.now() + 1;
+const noReferrerId = Date.now() + 2;
+const originId = Date.now() + 3;
+</script>
+
+<!-- Test with no referrerpolicy attribute (should use document default) -->
+<link rel="modulepreload" href="/preload/resources/echo-referrer.py?uid=NOPOLICY_ID">
+
+<!-- Test with origin referrerpolicy attribute -->
+<link rel="modulepreload" href="/preload/resources/echo-referrer.py?uid=ORIGIN_ID" referrerpolicy="origin">
+
+<!-- Test with no-referrer referrerpolicy attribute -->
+<link rel="modulepreload" href="/preload/resources/echo-referrer.py?uid=NOREFERRER_ID" referrerpolicy="no-referrer">
+
+<!-- For document policy test, add meta tag for origin referrer policy -->
+<meta name="referrer" content="origin">
+<link rel="modulepreload" href="/preload/resources/echo-referrer.py?uid=DOC_POLICY_ID">
+
+<script>
+// Replace placeholder IDs with actual IDs in the HTML
+document.documentElement.innerHTML = document.documentElement.innerHTML
+  .replace('NOPOLICY_ID', noReferrerPolicyId)
+  .replace('ORIGIN_ID', originPolicyId)
+  .replace('NOREFERRER_ID', noReferrerId)
+  .replace('DOC_POLICY_ID', originId);
+</script>
+</head>
+<body>
+<script>
+// Ensure modules are loaded by importing them
+promise_test(async t => {
+  await Promise.all([
+    import(`/preload/resources/echo-referrer.py?uid=${noReferrerPolicyId}`),
+    import(`/preload/resources/echo-referrer.py?uid=${originPolicyId}`),
+    import(`/preload/resources/echo-referrer.py?uid=${noReferrerId}`),
+    import(`/preload/resources/echo-referrer.py?uid=${originId}`)
+  ]);
+
+  // Test that module with no specified referrerpolicy
+  // Note: Some implementations may send only origin for inline modulepreload requests
+  const expectedDefault = location.origin + "/";
+  assert_equals(window.referrers[noReferrerPolicyId], expectedDefault,
+    "Modulepreload with no referrerpolicy should use expected referrer");
+
+  // Test that module with origin referrerpolicy sends only origin
+  assert_equals(window.referrers[originPolicyId], location.origin + "/",
+    "Modulepreload with origin referrerpolicy should send origin only");
+
+  // Test that module with no-referrer policy sends no referrer
+  assert_equals(window.referrers[noReferrerId], "",
+    "Modulepreload with no-referrer referrerpolicy should not send referrer");
+
+  // Test that module with no policy but document policy uses document policy
+  assert_equals(window.referrers[originId], location.origin + "/",
+    "Modulepreload with no referrerpolicy should use document's policy");
+
+}, "Inline modulepreload elements should respect the referrerpolicy attribute");
+</script>
+</body>
+</html>

html/semantics/scripting-1/the-script-element/module/modulepreload-referrer-check.html

@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Modulepreload Referrer Header Check</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+// Initialize the window.referrers object that will be used by echo-referrer.py
+window.referrers = {};
+</script>
+</head>
+<body>
+<iframe id="test-frame"></iframe>
+
+<script>
+// This test uses a simple approach to check if modulepreload sends a referrer header
+promise_test(async t => {
+  const importId = Date.now();
+  const preloadId = Date.now() + 1;
+
+  // Import will set window.referrers[importId] to the referrer value
+  await import(`/preload/resources/echo-referrer.py?uid=${importId}`);
+
+  const link = document.createElement('link');
+  link.rel = 'modulepreload';
+  link.href = `/preload/resources/echo-referrer.py?uid=${preloadId}`;
+
+  // Wait for the preload to complete using onload event
+  const preloadComplete = new Promise(resolve => {
+    link.onload = resolve;
+    link.onerror = () => {
+      assert_unreached("Modulepreload failed to load");
+    };
+  });
+
+  document.head.appendChild(link);
+  await preloadComplete;
+
+  // Second import ensures the module is loaded and referrer is recorded
+  await import(`/preload/resources/echo-referrer.py?uid=${preloadId}`);
+
+  // Check if referrers were recorded in the global window.referrers object
+  assert_equals(window.referrers[importId], location.href, "Dynamic import should have a referrer header");
+  assert_equals(window.referrers[preloadId], location.href, "Modulepreload should have a referrer header");
+
+}, "Modulepreload should send a referrer header");
+</script>
+</body>
+</html>