author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
commit | 26a029d407be480d791972afb5975cf62c9360a6 (patch) | |
tree | f435a8308119effd964b339f76abb83a57c29483 /testing/web-platform/tests/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html | |
parent | Initial commit. (diff) | |
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html')
-rw-r--r-- | testing/web-platform/tests/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/testing/web-platform/tests/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html b/testing/web-platform/tests/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html
new file mode 100644
index 0000000000..6d490d55bc
--- /dev/null
+++ b/testing/web-platform/tests/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html
@@ -0,0 +1,84 @@
+<!DOCTYPE html>
+<!-- Test verifies CORB will block responses with types that do not
+ require confirmation sniffing.
+
+ We assume that:
+ 1) it is unlikely that images, other media, scripts, etc. will be mislabelled
+ as the |protected_mime_types| below,
+ 2) the |protected_mime_types| below are likely to contain sensitive,
+ credentialled data.
+-->
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<div id=log></div>
+<script>
+setup({allow_uncaught_exception : true, single_test : true});
+
+function test(mime_type, is_blocking_expected) {
+ var action = is_blocking_expected ? "blocks" : "does not block";
+
+ async_test(function(t) {
+ var script = document.createElement("script")
+ var script_has_run_token = "script_has_run" + token();
+
+ // With and without CORB there should be no error, but without CORB the
+ // original script body will be preserved and |window.script_has_run| will
+ // be set.
+ window[script_has_run_token] = false;
+ script.onload = t.step_func_done(function(){
+ if (is_blocking_expected) {
+ assert_false(window[script_has_run_token]);
+ } else {
+ assert_true(window[script_has_run_token]);
+ }
+ });
+ addEventListener("error",function(e) {
+ t.step(function() {
+ assert_unreached("Unexpected error: " + e);
+ t.done();
+ })
+ });
+
+ // www1 is cross-origin, so the HTTP response is CORB-eligible.
+ var src_prefix = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/sniffable-resource.py";
+ body = `window['${script_has_run_token}'] = true;`
+ script.src = src_prefix + "?type=" + mime_type + "&body=" + encodeURIComponent(body);
+ document.body.appendChild(script)
+ }, "CORB " + action + " '" + mime_type + "'");
+}
+
+// Some mime types should be protected by CORB without any kind
+// of confirmation sniffing.
+protected_mime_types = [
+ "application/gzip",
+ "application/pdf",
+ "application/x-gzip",
+ "application/x-protobuf",
+ "application/zip",
+ "multipart/byteranges",
+ "multipart/signed",
+ "text/csv",
+ "text/event-stream",
+]
+protected_mime_types.forEach(function(type) {
+ test(type, true /* is_blocking_expected */);
+});
+
+// Other mime types.
+other_mime_types = [
+ // These content types are legitimately allowed in 'no-cors' fetches.
+ "application/javascript",
+
+ // Confirmation sniffing will fail and prevent CORB from blocking the
+ // response.
+ "text/html",
+
+ // Unrecognized content types.
+ "application/blah"
+]
+other_mime_types.forEach(function(type) {
+ test(type, false /* is_blocking_expected */);
+});
+</script>
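Review bot: The `body = ...` assignment inside the async_test callback has no declaration, so it becomes an implicit global shared by every test registered on the page, and the top-level `protected_mime_types = [` and `other_mime_types = [` do the same; declaring them as `var body = ...`, `var protected_mime_types = [` and `var other_mime_types = [` keeps each test's script body local and avoids relying on sloppy-mode globals. Separately, each async_test adds a window `error` listener that is never removed, and `"Unexpected error: " + e` stringifies the ErrorEvent as `[object ErrorEvent]`; `assert_unreached("Unexpected error: " + e.message);` would report the actual failure. Whether those accumulated listeners can re-enter an already completed test's `t.step` depends on the harness, so that part is worth confirming rather than assuming.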