147 lines
4.6 KiB
HTML
147 lines
4.6 KiB
HTML
<!DOCTYPE html>
|
|
<script src="/resources/testharness.js"></script>
|
|
<script src="/resources/testharnessreport.js"></script>
|
|
<body>
|
|
<script>
|
|
function readableURL(url) {
|
|
return url.replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t");
|
|
}
|
|
|
|
var should_load = [
|
|
`/images/green-1x1.png`,
|
|
`/images/gre\nen-1x1.png`,
|
|
`/images/gre\ten-1x1.png`,
|
|
`/images/gre\ren-1x1.png`,
|
|
`/images/green-1x1.png?img=<`,
|
|
`/images/green-1x1.png?img=<`,
|
|
`/images/green-1x1.png?img=%3C`,
|
|
`/images/gr\neen-1x1.png?img=%3C`,
|
|
`/images/gr\reen-1x1.png?img=%3C`,
|
|
`/images/gr\teen-1x1.png?img=%3C`,
|
|
`/images/green-1x1.png?img= `,
|
|
`/images/gr\neen-1x1.png?img= `,
|
|
`/images/gr\reen-1x1.png?img= `,
|
|
`/images/gr\teen-1x1.png?img= `,
|
|
];
|
|
should_load.forEach(url => async_test(t => {
|
|
fetch(url)
|
|
.then(t.step_func_done(r => {
|
|
assert_equals(r.status, 200);
|
|
}))
|
|
.catch(t.unreached_func("Fetch should succeed."));
|
|
}, "Fetch: " + readableURL(url)));
|
|
|
|
var should_block = [
|
|
`/images/gre\nen-1x1.png?img=<`,
|
|
`/images/gre\ren-1x1.png?img=<`,
|
|
`/images/gre\ten-1x1.png?img=<`,
|
|
`/images/green-1x1.png?<\n=block`,
|
|
`/images/green-1x1.png?<\r=block`,
|
|
`/images/green-1x1.png?<\t=block`,
|
|
];
|
|
should_block.forEach(url => async_test(t => {
|
|
fetch(url)
|
|
.then(t.unreached_func("Fetch should fail."))
|
|
.catch(t.step_func_done());
|
|
}, "Fetch: " + readableURL(url)));
|
|
|
|
|
|
// For each of the following tests, we'll inject a frame containing the HTML we'd like to poke at
|
|
// as a `srcdoc` attribute. Because we're injecting markup via `srcdoc`, we need to entity-escape
|
|
// the content we'd like to treat as "raw" (e.g. `\n` => ` `, `<` => `<`), and
|
|
// double-escape the "escaped" content.
|
|
var rawBrace = "<";
|
|
var escapedBrace = "&lt;";
|
|
var rawNewline = " ";
|
|
var escapedNewline = "&#10;";
|
|
|
|
function appendFrameAndGetElement(test, frame) {
|
|
return new Promise((resolve, reject) => {
|
|
frame.onload = test.step_func(_ => {
|
|
frame.onload = null;
|
|
resolve(frame.contentDocument.querySelector('#dangling'));
|
|
});
|
|
document.body.appendChild(frame);
|
|
});
|
|
}
|
|
|
|
function assert_img_loaded(test, frame) {
|
|
appendFrameAndGetElement(test, frame)
|
|
.then(test.step_func_done(img => {
|
|
assert_equals(img.naturalHeight, 1, "Height");
|
|
frame.remove();
|
|
}));
|
|
}
|
|
|
|
function assert_img_not_loaded(test, frame) {
|
|
appendFrameAndGetElement(test, frame)
|
|
.then(test.step_func_done(img => {
|
|
assert_equals(img.naturalHeight, 0, "Height");
|
|
assert_equals(img.naturalWidth, 0, "Width");
|
|
}));
|
|
}
|
|
|
|
function createFrame(markup) {
|
|
var i = document.createElement('iframe');
|
|
i.srcdoc = `${markup}sekrit`;
|
|
return i;
|
|
}
|
|
|
|
// The following resources should not be blocked, as their URLs do not contain both a `\n` and `<`
|
|
// character in the body of the URL.
|
|
var should_load = [
|
|
// Brace alone doesn't block:
|
|
`<img id="dangling" src="/images/green-1x1.png?img=${rawBrace}b">`,
|
|
|
|
// Newline alone doesn't block:
|
|
`<img id="dangling" src="/images/green-1x1.png?img=${rawNewline}b">`,
|
|
|
|
// Entity-escaped characters don't trigger blocking:
|
|
`<img id="dangling" src="/images/green-1x1.png?img=${escapedNewline}b">`,
|
|
`<img id="dangling" src="/images/green-1x1.png?img=${escapedBrace}b">`,
|
|
`<img id="dangling" src="/images/green-1x1.png?img=${escapedNewline}b${escapedBrace}c">`,
|
|
|
|
// Leading and trailing whitespace is stripped:
|
|
`
|
|
<img id="dangling" src="
|
|
/images/green-1x1.png?img=
|
|
">
|
|
`,
|
|
`
|
|
<img id="dangling" src="
|
|
/images/green-1x1.png?img=${escapedBrace}
|
|
">
|
|
`,
|
|
`
|
|
<img id="dangling" src="
|
|
/images/green-1x1.png?img=${escapedNewline}
|
|
">
|
|
`,
|
|
];
|
|
|
|
should_load.forEach(markup => {
|
|
async_test(t => {
|
|
var i = createFrame(`${markup} <element attr="" another=''>`);
|
|
assert_img_loaded(t, i);
|
|
}, readableURL(markup));
|
|
});
|
|
|
|
// The following resources should be blocked, as their URLs contain both `\n` and `<` characters:
|
|
var should_block = [
|
|
`<img id="dangling" src="/images/green-1x1.png?img=${rawNewline}${rawBrace}b">`,
|
|
`<img id="dangling" src="/images/green-1x1.png?img=${rawBrace}${rawNewline}b">`,
|
|
`
|
|
<img id="dangling" src="/images/green-1x1.png?img=
|
|
${rawBrace}
|
|
${rawNewline}b
|
|
">
|
|
`,
|
|
];
|
|
|
|
should_block.forEach(markup => {
|
|
async_test(t => {
|
|
var i = createFrame(`${markup}`);
|
|
assert_img_not_loaded(t, i);
|
|
}, readableURL(markup));
|
|
});
|
|
</script>
|