authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 00:47:55 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 00:47:55 +0000
commit26a029d407be480d791972afb5975cf62c9360a6 (patch)
treef435a8308119effd964b339f76abb83a57c29483 /testing/web-platform/tests/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html
parentInitial commit. (diff)
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html')
-rw-r--r--testing/web-platform/tests/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html84
1 files changed, 84 insertions, 0 deletions
diff --git a/testing/web-platform/tests/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html b/testing/web-platform/tests/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html
new file mode 100644
index 0000000000..6d490d55bc
--- /dev/null
+++ b/testing/web-platform/tests/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html
@@ -0,0 +1,84 @@
+<!DOCTYPE html>
+<!-- Test verifies CORB will block responses with types that do not
+ require confirmation sniffing.
+
+ We assume that:
+ 1) it is unlikely that images, other media, scripts, etc. will be mislabelled
+ as the |protected_mime_types| below,
+ 2) the |protected_mime_types| below are likely to contain sensitive,
+ credentialled data.
+-->
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<div id=log></div>
+<script>
+setup({allow_uncaught_exception : true, single_test : true});
+
+function test(mime_type, is_blocking_expected) {
+ var action = is_blocking_expected ? "blocks" : "does not block";
+
+ async_test(function(t) {
+ var script = document.createElement("script")
+ var script_has_run_token = "script_has_run" + token();
+
+ // With and without CORB there should be no error, but without CORB the
+ // original script body will be preserved and |window.script_has_run| will
+ // be set.
+ window[script_has_run_token] = false;
+ script.onload = t.step_func_done(function(){
+ if (is_blocking_expected) {
+ assert_false(window[script_has_run_token]);
+ } else {
+ assert_true(window[script_has_run_token]);
+ }
+ });
+ addEventListener("error",function(e) {
+ t.step(function() {
+ assert_unreached("Unexpected error: " + e);
+ t.done();
+ })
+ });
+
+ // www1 is cross-origin, so the HTTP response is CORB-eligible.
+ var src_prefix = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/sniffable-resource.py";
+ body = `window['${script_has_run_token}'] = true;`
+ script.src = src_prefix + "?type=" + mime_type + "&body=" + encodeURIComponent(body);
+ document.body.appendChild(script)
+ }, "CORB " + action + " '" + mime_type + "'");
+}
+
+// Some mime types should be protected by CORB without any kind
+// of confirmation sniffing.
+protected_mime_types = [
+ "application/gzip",
+ "application/pdf",
+ "application/x-gzip",
+ "application/x-protobuf",
+ "application/zip",
+ "multipart/byteranges",
+ "multipart/signed",
+ "text/csv",
+ "text/event-stream",
+]
+protected_mime_types.forEach(function(type) {
+ test(type, true /* is_blocking_expected */);
+});
+
+// Other mime types.
+other_mime_types = [
+ // These content types are legitimately allowed in 'no-cors' fetches.
+ "application/javascript",
+
+ // Confirmation sniffing will fail and prevent CORB from blocking the
+ // response.
+ "text/html",
+
+ // Unrecognized content types.
+ "application/blah"
+]
+other_mime_types.forEach(function(type) {
+ test(type, false /* is_blocking_expected */);
+});
+</script>
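Review bot: `body` in the line that builds the injected script payload is assigned without a declaration, so it leaks out of the async_test callback as a global (`window.body`) instead of staying local to the test; `var body = \`window['${script_has_run_token}'] = true;\`` (or `const`) fixes that. The same applies to the top-level `protected_mime_types` and `other_mime_types` assignments, which should be declared with `const` to match the `var` style used elsewhere in the file and avoid accidental reuse across scripts. The `type` query parameter is concatenated raw while `body` goes through encodeURIComponent; `"?type=" + encodeURIComponent(mime_type)` would keep the two consistent if a MIME type containing reserved characters (for example a `;charset=` parameter) is ever added to the lists.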