diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
commit | 26a029d407be480d791972afb5975cf62c9360a6 (patch) | |
tree | f435a8308119effd964b339f76abb83a57c29483 /testing/web-platform/tests/fetch/orb | |
parent | Initial commit. (diff) | |
download | firefox-26a029d407be480d791972afb5975cf62c9360a6.tar.xz firefox-26a029d407be480d791972afb5975cf62c9360a6.zip |
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/fetch/orb')
34 files changed, 589 insertions, 0 deletions
diff --git a/testing/web-platform/tests/fetch/orb/resources/data.json b/testing/web-platform/tests/fetch/orb/resources/data.json new file mode 100644 index 0000000000..f2a886f39d --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/data.json @@ -0,0 +1,3 @@ +{ + "hello": "world" +} diff --git a/testing/web-platform/tests/fetch/orb/resources/data_non_ascii.json b/testing/web-platform/tests/fetch/orb/resources/data_non_ascii.json new file mode 100644 index 0000000000..64566c50c1 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/data_non_ascii.json @@ -0,0 +1 @@ +["ä½ å¥½"] diff --git a/testing/web-platform/tests/fetch/orb/resources/empty.json b/testing/web-platform/tests/fetch/orb/resources/empty.json new file mode 100644 index 0000000000..0967ef424b --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/empty.json @@ -0,0 +1 @@ +{} diff --git a/testing/web-platform/tests/fetch/orb/resources/font.ttf b/testing/web-platform/tests/fetch/orb/resources/font.ttf Binary files differnew file mode 100644 index 0000000000..9023592ef5 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/font.ttf diff --git a/testing/web-platform/tests/fetch/orb/resources/image.png b/testing/web-platform/tests/fetch/orb/resources/image.png Binary files differnew file mode 100644 index 0000000000..820f8cace2 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/image.png diff --git a/testing/web-platform/tests/fetch/orb/resources/js-unlabeled-utf16-without-bom.json b/testing/web-platform/tests/fetch/orb/resources/js-unlabeled-utf16-without-bom.json Binary files differnew file mode 100644 index 0000000000..157a8f5430 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/js-unlabeled-utf16-without-bom.json diff --git a/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js b/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js new file mode 100644 index 0000000000..a880a5bc72 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js @@ -0,0 +1 @@ +window.has_executed_script = true; diff --git a/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png Binary files differnew file mode 100644 index 0000000000..820f8cace2 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png diff --git a/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers new file mode 100644 index 0000000000..156209f9c8 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers @@ -0,0 +1 @@ +Content-Type: text/html diff --git a/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png b/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png Binary files differnew file mode 100644 index 0000000000..820f8cace2 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png diff --git a/testing/web-platform/tests/fetch/orb/resources/script-asm-js-invalid.js b/testing/web-platform/tests/fetch/orb/resources/script-asm-js-invalid.js new file mode 100644 index 0000000000..8d1bbd6abc --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/script-asm-js-invalid.js @@ -0,0 +1,4 @@ +function f() { + "use asm"; + return; +} diff --git a/testing/web-platform/tests/fetch/orb/resources/script-asm-js-valid.js b/testing/web-platform/tests/fetch/orb/resources/script-asm-js-valid.js new file mode 100644 index 0000000000..79b375fe05 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/script-asm-js-valid.js @@ -0,0 +1,4 @@ +function f() { + "use asm"; + return {}; +} diff --git a/testing/web-platform/tests/fetch/orb/resources/script-iso-8559-1.js b/testing/web-platform/tests/fetch/orb/resources/script-iso-8559-1.js new file mode 100644 index 0000000000..3bccb6af93 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/script-iso-8559-1.js @@ -0,0 +1,4 @@ +"use strict"; +function fn() { + return "§A¦n"; +} diff --git a/testing/web-platform/tests/fetch/orb/resources/script-utf16-bom.js b/testing/web-platform/tests/fetch/orb/resources/script-utf16-bom.js Binary files differnew file mode 100644 index 0000000000..16b76e9d5e --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/script-utf16-bom.js diff --git a/testing/web-platform/tests/fetch/orb/resources/script-utf16-without-bom.js b/testing/web-platform/tests/fetch/orb/resources/script-utf16-without-bom.js Binary files differnew file mode 100644 index 0000000000..d983086b03 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/script-utf16-without-bom.js diff --git a/testing/web-platform/tests/fetch/orb/resources/script.js b/testing/web-platform/tests/fetch/orb/resources/script.js new file mode 100644 index 0000000000..19675d25d8 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/script.js @@ -0,0 +1,4 @@ +"use strict"; +function fn() { + return 42; +} diff --git a/testing/web-platform/tests/fetch/orb/resources/sound.mp3 b/testing/web-platform/tests/fetch/orb/resources/sound.mp3 Binary files differnew file mode 100644 index 0000000000..a15d1de328 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/sound.mp3 diff --git a/testing/web-platform/tests/fetch/orb/resources/text.txt b/testing/web-platform/tests/fetch/orb/resources/text.txt new file mode 100644 index 0000000000..270c611ee7 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/text.txt @@ -0,0 +1 @@ +hello, world! diff --git a/testing/web-platform/tests/fetch/orb/resources/utils.js b/testing/web-platform/tests/fetch/orb/resources/utils.js new file mode 100644 index 0000000000..45fbc4cb38 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/utils.js @@ -0,0 +1,101 @@ +function header(name, value) { + return `header(${name},${value})`; +} + +function contentType(type) { + return header("Content-Type", type); +} + +function contentTypeOptions(type) { + return header("X-Content-Type-Options", type); +} + +function testFetchNoCors(_t, path, { headers }) { + return fetch(path, { + ...(headers ? { headers } : {}), + mode: "no-cors", + }); +} + +function testElementInitiator(t, path, name) { + let element = document.createElement(name); + element.src = path; + t.add_cleanup(() => element.remove()); + return new Promise((resolve, reject) => { + element.onerror = e => reject(new TypeError()); + element.onload = resolve; + + document.body.appendChild(element); + }); +} + +function testImageInitiator(t, path) { + return testElementInitiator(t, path, "img"); +} + +function testAudioInitiator(t, path) { + return testElementInitiator(t, path, "audio"); +} + +function testVideoInitiator(t, path) { + return testElementInitiator(t, path, "video"); +} + +function testScriptInitiator(t, path) { + return testElementInitiator(t, path, "script"); +} + +function runTest(t, test, file, options, ...pipe) { + const path = `${file}${pipe.length ? `?pipe=${pipe.join("|")}` : ""}`; + return test(t, path, options) +} + +function testRunAll(file, testCallback, adapter, options) { + let testcase = function (test, message, skip) { + return {test, message, skip}; + }; + + const name = "..."; + [ testcase(testFetchNoCors, `fetch(${name}, {mode: "no-cors"})`, false || options.skip.includes("fetch")), + testcase(testImageInitiator, `<img src=${name}>`, options.onlyFetch || options.skip.includes("image")), + testcase(testAudioInitiator, `<audio src=${name}>`, options.onlyFetch || options.skip.includes("audio")), + testcase(testVideoInitiator, `<video src=${name}>`, options.onlyFetch || options.skip.includes("video")), + testcase(testScriptInitiator, `<script src=${name}>`, options.onlyFetch || options.skip.includes("script")), + ].filter(({skip}) => !skip) + .forEach(({test, message}) => { + testCallback((t, ...args) => adapter(t, runTest(t, test, file, options, ...args), message), header => `${header}: ${message}`); + }); +} + +function expected_block(file, testCallback, options = {}) { + let defaultOptions = { + onlyFetch: !self.GLOBAL.isWindow(), + skip: [] + }; + testRunAll(file, testCallback, (t, promise, message) => promise_rejects_js(t, TypeError, promise, message), { ...defaultOptions, ...options }); +} + +function expected_allow(file, testCallback, options = {}) { + let defaultOptions = { + onlyFetch: !self.GLOBAL.isWindow(), + skip: [], + headers: null + }; + testRunAll(file, testCallback, (_t, promise, _message) => promise, { ...defaultOptions, ...options }); +} + +function expected_allow_fetch(file, testCallback, options = {}) { + let defaultOptions = { + skip: [], + headers: null, + }; + testRunAll(file, testCallback, (_t, promise, _message) => promise, { ...defaultOptions, ...options, onlyFetch: true }); +} + +function expected_block_fetch(file, testCallback, options = {}) { + let defaultOptions = { + skip: [], + headers: null, + }; + testRunAll(file, testCallback, (t, promise, message) => promise_rejects_js(t, TypeError, promise, message), { ...defaultOptions, ...options, onlyFetch: true }); +} diff --git a/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html b/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html new file mode 100644 index 0000000000..38e70c69ad --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html @@ -0,0 +1,20 @@ +<!-- Test verifies that compressed images should not be blocked +--> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<div id=log></div> +<script> +async_test(function(t) { + let url = "http://{{domains[www1]}}:{{ports[http][0]}}" + url = url + "/fetch/orb/resources/png-unlabeled.png?pipe=gzip" + + const img = document.createElement("img"); + img.src = url; + img.onerror = t.unreached_func("Unexpected error event") + img.onload = t.step_func_done(function () { + assert_true(true); + }) + document.body.appendChild(img) +}, "ORB shouldn't block compressed images"); +</script> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js new file mode 100644 index 0000000000..c965aea4f8 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js @@ -0,0 +1,20 @@ +// META: script=/fetch/orb/resources/utils.js + +const url = + "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/image.png"; + +expected_allow_fetch( + url, + (orb_test, message) => + promise_test( + t => orb_test(t, header("Content-Range", "bytes 0-99/1010"), "slice(null,100)", "status(206)"), + message("ORB shouldn't block opaque range of image/png starting at zero")), + { headers: new Headers([["Range", "bytes=0-99"]]) }); + +expected_block_fetch( + url, + (orb_test, message) => + promise_test( + t => orb_test(t, header("Content-Range", "bytes 10-99/1010"), "slice(10,100)", "status(206)"), + message("ORB should block opaque range of image/png not starting at zero, that isn't subsequent")), + { headers: new Headers([["Range", "bytes 10-99"]]) }); diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html new file mode 100644 index 0000000000..5dc6c5d63a --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html @@ -0,0 +1,126 @@ +<!-- Test verifies that cross-origin, nosniff images are 1) blocked when their + MIME type is covered by ORB and 2) allowed otherwise. + + This test is very similar to fetch/orb/img-mime-types-coverage.tentative.sub.html, + except that it focuses on MIME types relevant to ORB. +--> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<div id=log></div> +<script> + var passes = [ + // ORB safelisted MIME-types - i.e. ones covered by: + // - https://github.com/annevk/orb + + "text/css", + "image/svg+xml", + + // JavaScript MIME types + "application/ecmascript", + "application/javascript", + "application/x-ecmascript", + "application/x-javascript", + "text/ecmascript", + "text/javascript", + "text/javascript1.0", + "text/javascript1.1", + "text/javascript1.2", + "text/javascript1.3", + "text/javascript1.4", + "text/javascript1.5", + "text/jscript", + "text/livescript", + "text/x-ecmascript", + "text/x-javascript", + ] + + var fails = [ + // ORB blocklisted MIME-types - i.e. ones covered by: + // - https://github.com/annevk/orb + + "text/html", + + // JSON MIME type + "application/json", + "text/json", + "application/ld+json", + + // XML MIME type + "text/xml", + "application/xml", + "application/xhtml+xml", + + "application/dash+xml", + "application/gzip", + "application/msexcel", + "application/mspowerpoint", + "application/msword", + "application/msword-template", + "application/pdf", + "application/vnd.apple.mpegurl", + "application/vnd.ces-quickpoint", + "application/vnd.ces-quicksheet", + "application/vnd.ces-quickword", + "application/vnd.ms-excel", + "application/vnd.ms-excel.sheet.macroenabled.12", + "application/vnd.ms-powerpoint", + "application/vnd.ms-powerpoint.presentation.macroenabled.12", + "application/vnd.ms-word", + "application/vnd.ms-word.document.12", + "application/vnd.ms-word.document.macroenabled.12", + "application/vnd.msword", + "application/vnd.openxmlformats-officedocument.presentationml.presentation", + "application/vnd.openxmlformats-officedocument.presentationml.template", + "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", + "application/vnd.openxmlformats-officedocument.spreadsheetml.template", + "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + "application/vnd.openxmlformats-officedocument.wordprocessingml.template", + "application/vnd.presentation-openxml", + "application/vnd.presentation-openxmlm", + "application/vnd.spreadsheet-openxml", + "application/vnd.wordprocessing-openxml", + "application/x-gzip", + "application/x-protobuf", + "application/x-protobuffer", + "application/zip", + "audio/mpegurl", + "multipart/byteranges", + "multipart/signed", + "text/event-stream", + "text/csv", + "text/vtt", +] + + const get_url = (mime) => { + // www1 is cross-origin, so the HTTP response is ORB-eligible --> + url = "http://{{domains[www1]}}:{{ports[http][0]}}" + url = url + "/fetch/nosniff/resources/image.py" + if (mime != null) { + url += "?type=" + encodeURIComponent(mime) + } + return url + } + + passes.forEach(function (mime) { + async_test(function (t) { + var img = document.createElement("img") + img.onerror = t.unreached_func("Unexpected error event") + img.onload = t.step_func_done(function () { + assert_equals(img.width, 96) + }) + img.src = get_url(mime) + document.body.appendChild(img) + }, "ORB should allow the response if Content-Type is: '" + mime + "'. ") + }) + + fails.forEach(function (mime) { + async_test(function (t) { + var img = document.createElement("img") + img.onerror = t.step_func_done() + img.onload = t.unreached_func("Unexpected load event") + img.src = get_url(mime) + document.body.appendChild(img) + }, "ORB should block the response if Content-Type is: '" + mime + "'. ") + }) +</script> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html new file mode 100644 index 0000000000..66462fb5e3 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html @@ -0,0 +1,5 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<!-- Same-origin, so the HTTP response is not ORB-eligible. --> +<img src="../resources/png-mislabeled-as-html.png"> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html new file mode 100644 index 0000000000..aa03f4db63 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html @@ -0,0 +1,7 @@ +<!DOCTYPE html> +<!-- Test verifies that ORB allows an mislabeled cross-origin image after sniffing. --> +<meta charset="utf-8"> +<!-- Reference page uses same-origin resources, which are not ORB-eligible. --> +<link rel="match" href="img-png-mislabeled-as-html.sub-ref.html"> +<!-- www1 is cross-origin, so the HTTP response is ORB-eligible --> +<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/png-mislabeled-as-html.png"> diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html new file mode 100644 index 0000000000..2d5e3bb8b5 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html @@ -0,0 +1,5 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<!-- Same-origin, so the HTTP response is not ORB-eligible. --> +<img src="../resources/png-unlabeled.png"> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html new file mode 100644 index 0000000000..77415f6af1 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html @@ -0,0 +1,7 @@ +<!DOCTYPE html> +<!-- Test verifies that ORB allows an unlabeled cross-origin image after sniffing. --> +<meta charset="utf-8"> +<!-- Reference page uses same-origin resources, which are not ORB-eligible. --> +<link rel="match" href="img-png-unlabeled.sub-ref.html"> +<!-- www1 is cross-origin, so the HTTP response is ORB-eligible --> +<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/png-unlabeled.png"> diff --git a/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js new file mode 100644 index 0000000000..cc6d208fd3 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js @@ -0,0 +1,99 @@ +// META: script=/fetch/orb/resources/utils.js + +const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources"; + +expected_block( + `${path}/font.ttf`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("font/ttf")), + message("ORB should block opaque font/ttf"))); + +expected_block( + `${path}/text.txt`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("text/plain")), + message("ORB should block opaque text/plain"))); + +expected_block( + `${path}/data.json`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json")), + message("ORB should block opaque application/json (non-empty)"))); + +expected_block( + `${path}/empty.json`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json")), + message("ORB should block opaque application/json (empty)"))); + +expected_block( + `${path}/data_non_ascii.json`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json")), + message("ORB should block opaque application/json which contains non ascii characters"))); + +expected_allow( + `${path}/image.png`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("image/png")), + message("ORB shouldn't block opaque image/png")), + { skip: ["audio", "video", "script"] }); + +expected_allow( + `${path}/script.js`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("text/javascript")), + message("ORB shouldn't block opaque text/javascript")), + { skip: ["image", "audio", "video"] }); + +// Test javascript validation can correctly decode the content with BOM. +expected_allow( + `${path}/script-utf16-bom.js`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json")), + message("ORB shouldn't block opaque text/javascript (utf16 encoded with BOM)")), + { skip: ["image", "audio", "video"] }); + +// Test javascript validation can correctly decode the content with the http charset hint. +expected_allow( + `${path}/script-utf16-without-bom.js`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json; charset=utf-16")), + message("ORB shouldn't block opaque text/javascript (utf16 encoded without BOM but charset is provided in content-type)")), + { skip: ["image", "audio", "video"] }); + +// Test javascript validation can correctly decode the content for iso-8559-1 (fallback decoder in Firefox). +expected_allow( + `${path}/script-iso-8559-1.js`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json")), + message("ORB shouldn't block opaque text/javascript (iso-8559-1 encoded)")), + { skip: ["image", "audio", "video"] }); + +// Test javascript validation can correctly parse asm.js. +expected_allow( + `${path}/script-asm-js-valid.js`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json")), + message("ORB shouldn't block text/javascript with valid asm.js")), + { skip: ["image", "audio", "video"] }); + +// Test javascript validation can correctly parse invalid asm.js with valid JS syntax. +expected_allow( + `${path}/script-asm-js-invalid.js`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json")), + message("ORB shouldn't block text/javascript with invalid asm.js")), + { skip: ["image", "audio", "video"] }); diff --git a/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js new file mode 100644 index 0000000000..d1e01fd87b --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js @@ -0,0 +1,32 @@ +// META: script=/fetch/orb/resources/utils.js + +const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources"; + +expected_block( + `${path}/text.txt`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("text/plain"), contentTypeOptions("nosniff")), + message("ORB should block opaque text/plain with nosniff"))); + +expected_block( + `${path}/data.json`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json"), contentTypeOptions("nosniff")), + message("ORB should block opaque-response-blocklisted MIME type with nosniff"))); + +expected_block( + `${path}/data.json`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentTypeOptions("nosniff")), + message("ORB should block opaque response with empty Content-Type and nosniff"))); + +expected_allow( + `${path}/image.png`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType(""), contentType("text/javascript")), + message("ORB shouldn't block opaque image with empty Content-Type and nosniff")), + { skip: ["audio", "video", "script"] }); diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html new file mode 100644 index 0000000000..fe85440798 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html @@ -0,0 +1,24 @@ +<!DOCTYPE html> +<!-- Test verifies that gziped script which parses as Javascript (not JSON) without Content-Type will execute with ORB. --> +<meta charset="utf-8"> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<div id=log></div> + +<script> +setup({ single_test: true }); +window.has_executed_script = false; +</script> + +<!-- www1 is cross-origin, so the HTTP response is CORB-eligible --> +<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled.js?pipe=gzip|header(Content-Type,)"> +</script> + +<script> +// Verify what observable effects the <script> tag above had. +// Assertion should hold with and without ORB: +assert_true(window.has_executed_script, + 'The cross-origin script should execute'); +done(); +</script> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html new file mode 100644 index 0000000000..4987f1307e --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html @@ -0,0 +1,24 @@ +<!DOCTYPE html> +<!-- Test verifies that script which parses as Javascript (not JSON) without Content-Type will execute with ORB. --> +<meta charset="utf-8"> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<div id=log></div> + +<script> +setup({ single_test: true }); +window.has_executed_script = false; +</script> + +<!-- www1 is cross-origin, so the HTTP response is CORB-eligible --> +<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled.js"> +</script> + +<script> +// Verify what observable effects the <script> tag above had. +// Assertion should hold with and without ORB: +assert_true(window.has_executed_script, + 'The cross-origin script should execute'); +done(); +</script> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-utf16-without-bom-hint-charset.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-utf16-without-bom-hint-charset.sub.html new file mode 100644 index 0000000000..b15f976a66 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/script-utf16-without-bom-hint-charset.sub.html @@ -0,0 +1,22 @@ +<!DOCTYPE html> +<!-- Test verifies that utf-16 encoded script (without BOM) which parses as Javascript (not JSON) will execute with ORB. --> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<div id=log></div> + +<script> +setup({ single_test: true }); +window.has_executed_script = false; +</script> + +<!-- www1 is cross-origin, so the HTTP response is CORB-eligible --> +<script charset="utf-16" src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled-utf16-without-bom.json"> +</script> + +<script> +// Verify what observable effects the <script> tag above had. +// Assertion should hold with and without ORB: +assert_true(window.has_executed_script, + 'The cross-origin script should execute'); +done(); +</script> diff --git a/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js new file mode 100644 index 0000000000..e281ca6f53 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js @@ -0,0 +1,16 @@ +// META: script=/fetch/orb/resources/utils.js + +const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources"; + +expected_block( + `${path}/data.json`, + (orb_test, message) => promise_test( + t => orb_test(t, contentType("application/json"), "status(206)"), + message("ORB should block opaque-response-blocklisted MIME type with status 206"))); + +expected_block( + `${path}/data.json`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json"), "status(302)"), + message("ORB should block opaque response with non-ok status"))); diff --git a/testing/web-platform/tests/fetch/orb/tentative/status.sub.html b/testing/web-platform/tests/fetch/orb/tentative/status.sub.html new file mode 100644 index 0000000000..a62bdeb35e --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/status.sub.html @@ -0,0 +1,17 @@ +'use strict'; + +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<div id=log></div> +<script> +async_test(function(t) { + let url = "http://{{domains[www1]}}:{{ports[http][0]}}" + url = `${url}/fetch/orb/resources/sound.mp3?pipe=status(301)|header(Content-Type,)` + + const video = document.createElement("video"); + video.src = url; + video.onerror = t.step_func_done(); + video.onload = t.unreached_func("Unexpected error event"); + document.body.appendChild(video); +}, "ORB should block initial media requests with status not 200 or 206"); +</script> diff --git a/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js new file mode 100644 index 0000000000..268ebb0258 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js @@ -0,0 +1,40 @@ +// META: script=/fetch/orb/resources/utils.js + +const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources"; + +expected_allow_fetch( + `${path}/font.ttf`, + (promise, message) => + promise_test( + t => promise(t, contentType("")), + message("ORB shouldn't block opaque failed missing MIME type (font/ttf)"))); + +expected_allow_fetch( + `${path}/text.ttf`, + (promise, message) => + promise_test( + t => promise(t, contentType("")), + message("ORB shouldn't block opaque failed missing MIME type (text/plain)"))); + +expected_allow_fetch( + `${path}/data.json`, + (promise, message) => + promise_test( + t => promise(t, contentType("")), + message("ORB shouldn't block opaque failed missing MIME type (application/json)"))); + +expected_allow( + `${path}/image.png`, + (promise, message) => + promise_test( + t => promise(t, contentType("")), + message("ORB shouldn't block opaque failed missing MIME type (image/png)")), + { skip: ["audio", "video", "script"] }); + +expected_allow( + `${path}/script.js`, + (promise, message) => + promise_test( + t => promise(t, contentType("")), + message("ORB shouldn't block opaque failed missing MIME type (text/javascript)")), + { skip: ["image", "audio", "video"] }); |