Consider ways in which we could test user agent's resource blocking behaviors.

[mikewest]

whatwg/fetch#1840 aims to explain user agent interventions that block requests for certain resource types and/or replace potentially harmful responses with something benign. While the exact set of resources against which user agents intervene is not (and likely cannot be) standardized, https://explainers-by-googlers.github.io/script-blocking/#testing suggests one approach to testing which might allow vendors to verify that their interventions are consistently positioned within Fetch, but that infrastructure hasn't yet been built or agreed-upon. In short: we could define web driver hooks to allow specific domains or resources to be blocked by the UA's infrastructure, which should give us the ability to verify the web-facing behavior.

Shims/replacements could likewise be tested if similar hooks were created.

WDYT?

cc @annevk @MayyaSunil

[gsnedders]

https://explainers-by-googlers.github.io/script-blocking/#testing suggests:

That is, phishing.web-platform.test could be added to user agents' lists of phishing sites, and represented within WPT via substitutions against {{domains[phishing]}}.

Do we think that just going after the phishing case suffices here? I guess when Fetch currently only defines a generic override mechanism we only need a single case (but we should name it "fetch-overridden" or something to make it clear it's more generic).

And that suggestion would make it same-site as the primary domain, but I guess that's ok, and that does happen today in browsers (both as part of anti-CNAME-cloaking measures and as a result of not everything with user content being on the PSL).

The bigger question on my side is whether we want to be able to have same-origin requests which are overridden? Because especially in the anti-tracking/fingerprinting cases there are browsers which do that, unless I'm very much mistaken.

And to ask a more concrete WPT infra question, more directed at those implementing runners: do we want to expose this via WebDriver, or do we want to the follow the status-quo of domain overrides going via browser-specific routes?

[mikewest]

When I wrote the doc, I think I was imagining that checking multiple categories might be valuable. But I think you're actually right: we're really aiming to evaluate a single generic behavior. fetch-overridden would be enough.

I also agree that same-site vs cross-site isn't particularly important. User agents intervene against both, often based entirely on the origin of the resource being requested without much influence from the site of the context into which that resource is fetched.

Same-origin is less common afaik, but there's no reason not to test it.

I'll defer on the infra question to people who know things about WPT infra. :)