Update split-cache.html test.

fetch/http-cache/http-cache.js

@@ -126,7 +126,7 @@ function fetchInit (requests, config) {
   if ('name' in config) init.headers.push(['Test-Name', config.name])
   if ('request_body' in config) init.body = config['request_body']
   if ('mode' in config) init.mode = config['mode']
-  if ('credentials' in config) init.mode = config['credentials']
+  if ('credentials' in config) init.credentials = config['credentials']
   if ('cache' in config) init.cache = config['cache']
   init.headers.push(['Test-Requests', btoa(JSON.stringify(requests))])
   return init

fetch/http-cache/resources/http-cache.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python
-
 import datetime
 import json
 import time
@@ -15,6 +14,7 @@
 def main(request, response):
     dispatch = request.GET.first(b"dispatch", None)
     uuid = request.GET.first(b"uuid", None)
+    response.headers.set(b"Access-Control-Allow-Credentials", b"true")
 
     if request.method == u"OPTIONS":
         return handle_preflight(uuid, request, response)
@@ -32,9 +32,9 @@ def main(request, response):
 
 def handle_preflight(uuid, request, response):
     response.status = (200, b"OK")
-    response.headers.set(b"Access-Control-Allow-Origin", b"*")
+    response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"origin") or '*')
     response.headers.set(b"Access-Control-Allow-Methods", b"GET")
-    response.headers.set(b"Access-Control-Allow-Headers", b"*")
+    response.headers.set(b"Access-Control-Allow-Headers", request.headers.get(b"Access-Control-Request-Headers") or "*")
     response.headers.set(b"Access-Control-Max-Age", b"86400")
     return b"Preflight request"
 

fetch/http-cache/split-cache.html

@@ -26,21 +26,36 @@
   const popupBaseURL = POPUP_HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
   const localBaseURL = LOCAL_HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
 
+  // Note: Navigation requests are requested with credentials. Make sure the
+  // fetch requests are also requested with credentials. This ensures passing
+  // this test is not simply the consequence of discriminating anonymous and
+  // credentialled request in the HTTP cache.
+  //
+  // See https://github.com/whatwg/fetch/issues/1253
   var test = {
     requests: [
       {
         response_headers: [
-              ["Expires", (30 * 24 * 60 * 60)]
-            ],
-        base_url: localBaseURL
+          ["Expires", (30 * 24 * 60 * 60)],
+          ["Access-Control-Allow-Origin", POPUP_HTTP_ORIGIN],
+        ],
+        base_url: localBaseURL,
+        credentials: "include",
       },
       {
-        base_url: localBaseURL
+        response_headers: [
+          ["Access-Control-Allow-Origin", POPUP_HTTP_ORIGIN],
+        ],
+        base_url: localBaseURL,
+        credentials: "include",
       },
       {
         request_headers: [
           ["Cache-Control", "no-cache"]
         ],
+        response_headers: [
+          ["Access-Control-Allow-Origin", POPUP_HTTP_ORIGIN],
+        ],
         // If the popup's request was a cache hit, we would only expect 2
         // requests to the server. If it was a cache miss, we would expect 3.
         // load_resource_in_iframe does not affect the expectation as, even
@@ -49,7 +64,8 @@
         expected_response_headers: [
           ["server-request-count", is_cross_site_test ? "3" : "2"]
         ],
-        base_url: localBaseURL
+        base_url: localBaseURL,
+        credentials: "include",
       }
     ]
   }