authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 00:47:55 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 00:47:55 +0000
commit26a029d407be480d791972afb5975cf62c9360a6 (patch)
treef435a8308119effd964b339f76abb83a57c29483 /testing/web-platform/tests/fetch/orb
parentInitial commit. (diff)
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/fetch/orb')
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/data.json3
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/data_non_ascii.json1
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/empty.json1
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/font.ttfbin0 -> 2528 bytes
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/image.pngbin0 -> 1010 bytes
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/js-unlabeled-utf16-without-bom.jsonbin0 -> 70 bytes
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js1
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.pngbin0 -> 1010 bytes
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers1
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/png-unlabeled.pngbin0 -> 1010 bytes
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/script-asm-js-invalid.js4
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/script-asm-js-valid.js4
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/script-iso-8559-1.js4
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/script-utf16-bom.jsbin0 -> 92 bytes
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/script-utf16-without-bom.jsbin0 -> 90 bytes
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/script.js4
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/sound.mp3bin0 -> 539 bytes
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/text.txt1
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/utils.js101
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html20
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js20
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html126
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html5
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html7
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html5
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html7
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js99
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js32
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html24
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html24
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/script-utf16-without-bom-hint-charset.sub.html22
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js16
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/status.sub.html17
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js40
34 files changed, 589 insertions, 0 deletions
diff --git a/testing/web-platform/tests/fetch/orb/resources/data.json b/testing/web-platform/tests/fetch/orb/resources/data.json
new file mode 100644
index 0000000000..f2a886f39d
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/data.json
@@ -0,0 +1,3 @@
+{
+ "hello": "world"
+}
diff --git a/testing/web-platform/tests/fetch/orb/resources/data_non_ascii.json b/testing/web-platform/tests/fetch/orb/resources/data_non_ascii.json
new file mode 100644
index 0000000000..64566c50c1
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/data_non_ascii.json
@@ -0,0 +1 @@
+["你好"]
diff --git a/testing/web-platform/tests/fetch/orb/resources/empty.json b/testing/web-platform/tests/fetch/orb/resources/empty.json
new file mode 100644
index 0000000000..0967ef424b
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/empty.json
@@ -0,0 +1 @@
+{}
diff --git a/testing/web-platform/tests/fetch/orb/resources/font.ttf b/testing/web-platform/tests/fetch/orb/resources/font.ttf
new file mode 100644
index 0000000000..9023592ef5
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/font.ttf
Binary files differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/image.png b/testing/web-platform/tests/fetch/orb/resources/image.png
new file mode 100644
index 0000000000..820f8cace2
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/image.png
Binary files differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/js-unlabeled-utf16-without-bom.json b/testing/web-platform/tests/fetch/orb/resources/js-unlabeled-utf16-without-bom.json
new file mode 100644
index 0000000000..157a8f5430
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/js-unlabeled-utf16-without-bom.json
Binary files differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js b/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js
new file mode 100644
index 0000000000..a880a5bc72
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js
@@ -0,0 +1 @@
+window.has_executed_script = true;
diff --git a/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png
new file mode 100644
index 0000000000..820f8cace2
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png
Binary files differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers
new file mode 100644
index 0000000000..156209f9c8
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers
@@ -0,0 +1 @@
+Content-Type: text/html
diff --git a/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png b/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png
new file mode 100644
index 0000000000..820f8cace2
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png
Binary files differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/script-asm-js-invalid.js b/testing/web-platform/tests/fetch/orb/resources/script-asm-js-invalid.js
new file mode 100644
index 0000000000..8d1bbd6abc
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/script-asm-js-invalid.js
@@ -0,0 +1,4 @@
+function f() {
+ "use asm";
+ return;
+}
diff --git a/testing/web-platform/tests/fetch/orb/resources/script-asm-js-valid.js b/testing/web-platform/tests/fetch/orb/resources/script-asm-js-valid.js
new file mode 100644
index 0000000000..79b375fe05
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/script-asm-js-valid.js
@@ -0,0 +1,4 @@
+function f() {
+ "use asm";
+ return {};
+}
diff --git a/testing/web-platform/tests/fetch/orb/resources/script-iso-8559-1.js b/testing/web-platform/tests/fetch/orb/resources/script-iso-8559-1.js
new file mode 100644
index 0000000000..3bccb6af93
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/script-iso-8559-1.js
@@ -0,0 +1,4 @@
+"use strict";
+function fn() {
+ return "§A¦n";
+}
diff --git a/testing/web-platform/tests/fetch/orb/resources/script-utf16-bom.js b/testing/web-platform/tests/fetch/orb/resources/script-utf16-bom.js
new file mode 100644
index 0000000000..16b76e9d5e
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/script-utf16-bom.js
Binary files differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/script-utf16-without-bom.js b/testing/web-platform/tests/fetch/orb/resources/script-utf16-without-bom.js
new file mode 100644
index 0000000000..d983086b03
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/script-utf16-without-bom.js
Binary files differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/script.js b/testing/web-platform/tests/fetch/orb/resources/script.js
new file mode 100644
index 0000000000..19675d25d8
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/script.js
@@ -0,0 +1,4 @@
+"use strict";
+function fn() {
+ return 42;
+}
diff --git a/testing/web-platform/tests/fetch/orb/resources/sound.mp3 b/testing/web-platform/tests/fetch/orb/resources/sound.mp3
new file mode 100644
index 0000000000..a15d1de328
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/sound.mp3
Binary files differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/text.txt b/testing/web-platform/tests/fetch/orb/resources/text.txt
new file mode 100644
index 0000000000..270c611ee7
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/text.txt
@@ -0,0 +1 @@
+hello, world!
diff --git a/testing/web-platform/tests/fetch/orb/resources/utils.js b/testing/web-platform/tests/fetch/orb/resources/utils.js
new file mode 100644
index 0000000000..45fbc4cb38
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/utils.js
@@ -0,0 +1,101 @@
+function header(name, value) {
+ return `header(${name},${value})`;
+}
+
+function contentType(type) {
+ return header("Content-Type", type);
+}
+
+function contentTypeOptions(type) {
+ return header("X-Content-Type-Options", type);
+}
+
+function testFetchNoCors(_t, path, { headers }) {
+ return fetch(path, {
+ ...(headers ? { headers } : {}),
+ mode: "no-cors",
+ });
+}
+
+function testElementInitiator(t, path, name) {
+ let element = document.createElement(name);
+ element.src = path;
+ t.add_cleanup(() => element.remove());
+ return new Promise((resolve, reject) => {
+ element.onerror = e => reject(new TypeError());
+ element.onload = resolve;
+
+ document.body.appendChild(element);
+ });
+}
+
+function testImageInitiator(t, path) {
+ return testElementInitiator(t, path, "img");
+}
+
+function testAudioInitiator(t, path) {
+ return testElementInitiator(t, path, "audio");
+}
+
+function testVideoInitiator(t, path) {
+ return testElementInitiator(t, path, "video");
+}
+
+function testScriptInitiator(t, path) {
+ return testElementInitiator(t, path, "script");
+}
+
+function runTest(t, test, file, options, ...pipe) {
+ const path = `${file}${pipe.length ? `?pipe=${pipe.join("|")}` : ""}`;
+ return test(t, path, options)
+}
+
+function testRunAll(file, testCallback, adapter, options) {
+ let testcase = function (test, message, skip) {
+ return {test, message, skip};
+ };
+
+ const name = "...";
+ [ testcase(testFetchNoCors, `fetch(${name}, {mode: "no-cors"})`, false || options.skip.includes("fetch")),
+ testcase(testImageInitiator, `<img src=${name}>`, options.onlyFetch || options.skip.includes("image")),
+ testcase(testAudioInitiator, `<audio src=${name}>`, options.onlyFetch || options.skip.includes("audio")),
+ testcase(testVideoInitiator, `<video src=${name}>`, options.onlyFetch || options.skip.includes("video")),
+ testcase(testScriptInitiator, `<script src=${name}>`, options.onlyFetch || options.skip.includes("script")),
+ ].filter(({skip}) => !skip)
+ .forEach(({test, message}) => {
+ testCallback((t, ...args) => adapter(t, runTest(t, test, file, options, ...args), message), header => `${header}: ${message}`);
+ });
+}
+
+function expected_block(file, testCallback, options = {}) {
+ let defaultOptions = {
+ onlyFetch: !self.GLOBAL.isWindow(),
+ skip: []
+ };
+ testRunAll(file, testCallback, (t, promise, message) => promise_rejects_js(t, TypeError, promise, message), { ...defaultOptions, ...options });
+}
+
+function expected_allow(file, testCallback, options = {}) {
+ let defaultOptions = {
+ onlyFetch: !self.GLOBAL.isWindow(),
+ skip: [],
+ headers: null
+ };
+ testRunAll(file, testCallback, (_t, promise, _message) => promise, { ...defaultOptions, ...options });
+}
+
+function expected_allow_fetch(file, testCallback, options = {}) {
+ let defaultOptions = {
+ skip: [],
+ headers: null,
+ };
+ testRunAll(file, testCallback, (_t, promise, _message) => promise, { ...defaultOptions, ...options, onlyFetch: true });
+}
+
+function expected_block_fetch(file, testCallback, options = {}) {
+ let defaultOptions = {
+ skip: [],
+ headers: null,
+ };
+ testRunAll(file, testCallback, (t, promise, message) => promise_rejects_js(t, TypeError, promise, message), { ...defaultOptions, ...options, onlyFetch: true });
+}
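Review bot: In `testElementInitiator`, success is signalled only through `element.onload`, but `<audio>` and `<video>` elements do not fire a `load` event, so an allowed media response would leave the promise pending until the harness times out instead of passing. Every `expected_allow` call in this commit skips `audio` and `video`, so the gap is latent, but it means the helper cannot currently show that ORB lets a legitimate media response through. Consider also resolving on a media event, e.g. `element.onloadedmetadata = resolve;`, or document the limit above the function: `// Media elements never fire "load"; use the audio/video initiators only with expected_block.`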
diff --git a/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html b/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html
new file mode 100644
index 0000000000..38e70c69ad
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html
@@ -0,0 +1,20 @@
+<!-- Test verifies that compressed images should not be blocked
+-->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+async_test(function(t) {
+ let url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+ url = url + "/fetch/orb/resources/png-unlabeled.png?pipe=gzip"
+
+ const img = document.createElement("img");
+ img.src = url;
+ img.onerror = t.unreached_func("Unexpected error event")
+ img.onload = t.step_func_done(function () {
+ assert_true(true);
+ })
+ document.body.appendChild(img)
+}, "ORB shouldn't block compressed images");
+</script>
+
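Review bot: The `onload` handler asserts only `assert_true(true)`, so the test checks that a `load` event fired but not that the gzip-piped PNG was actually decoded. Asserting on the decoded image, e.g. `assert_greater_than(img.naturalWidth, 0);`, would make the "not blocked" claim observable. `img.src` is also assigned before `onerror`/`onload` are attached; assigning it last, as img-mime-types-coverage.tentative.sub.html does, avoids depending on event timing.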
diff --git a/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js
new file mode 100644
index 0000000000..c965aea4f8
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js
@@ -0,0 +1,20 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const url =
+ "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/image.png";
+
+expected_allow_fetch(
+ url,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, header("Content-Range", "bytes 0-99/1010"), "slice(null,100)", "status(206)"),
+ message("ORB shouldn't block opaque range of image/png starting at zero")),
+ { headers: new Headers([["Range", "bytes=0-99"]]) });
+
+expected_block_fetch(
+ url,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, header("Content-Range", "bytes 10-99/1010"), "slice(10,100)", "status(206)"),
+ message("ORB should block opaque range of image/png not starting at zero, that isn't subsequent")),
+ { headers: new Headers([["Range", "bytes 10-99"]]) });
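Review bot: The blocked case sends the request header `Range: bytes 10-99` (a space instead of `=`), while the allowed case above uses `bytes=0-99`; the value is not a well-formed byte-range specifier, so this case may not be issuing the range request its name describes. The response is shaped entirely by the `Content-Range`, `slice` and `status(206)` pipes, so the test could still pass for a different reason than intended. If the malformed value is not deliberate, use `{ headers: new Headers([["Range", "bytes=10-99"]]) }`; if it is, a one-line comment saying so would help.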
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
new file mode 100644
index 0000000000..5dc6c5d63a
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
@@ -0,0 +1,126 @@
+<!-- Test verifies that cross-origin, nosniff images are 1) blocked when their
+ MIME type is covered by ORB and 2) allowed otherwise.
+
+ This test is very similar to fetch/orb/img-mime-types-coverage.tentative.sub.html,
+ except that it focuses on MIME types relevant to ORB.
+-->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+ var passes = [
+ // ORB safelisted MIME-types - i.e. ones covered by:
+ // - https://github.com/annevk/orb
+
+ "text/css",
+ "image/svg+xml",
+
+ // JavaScript MIME types
+ "application/ecmascript",
+ "application/javascript",
+ "application/x-ecmascript",
+ "application/x-javascript",
+ "text/ecmascript",
+ "text/javascript",
+ "text/javascript1.0",
+ "text/javascript1.1",
+ "text/javascript1.2",
+ "text/javascript1.3",
+ "text/javascript1.4",
+ "text/javascript1.5",
+ "text/jscript",
+ "text/livescript",
+ "text/x-ecmascript",
+ "text/x-javascript",
+ ]
+
+ var fails = [
+ // ORB blocklisted MIME-types - i.e. ones covered by:
+ // - https://github.com/annevk/orb
+
+ "text/html",
+
+ // JSON MIME type
+ "application/json",
+ "text/json",
+ "application/ld+json",
+
+ // XML MIME type
+ "text/xml",
+ "application/xml",
+ "application/xhtml+xml",
+
+ "application/dash+xml",
+ "application/gzip",
+ "application/msexcel",
+ "application/mspowerpoint",
+ "application/msword",
+ "application/msword-template",
+ "application/pdf",
+ "application/vnd.apple.mpegurl",
+ "application/vnd.ces-quickpoint",
+ "application/vnd.ces-quicksheet",
+ "application/vnd.ces-quickword",
+ "application/vnd.ms-excel",
+ "application/vnd.ms-excel.sheet.macroenabled.12",
+ "application/vnd.ms-powerpoint",
+ "application/vnd.ms-powerpoint.presentation.macroenabled.12",
+ "application/vnd.ms-word",
+ "application/vnd.ms-word.document.12",
+ "application/vnd.ms-word.document.macroenabled.12",
+ "application/vnd.msword",
+ "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+ "application/vnd.openxmlformats-officedocument.presentationml.template",
+ "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+ "application/vnd.openxmlformats-officedocument.spreadsheetml.template",
+ "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+ "application/vnd.openxmlformats-officedocument.wordprocessingml.template",
+ "application/vnd.presentation-openxml",
+ "application/vnd.presentation-openxmlm",
+ "application/vnd.spreadsheet-openxml",
+ "application/vnd.wordprocessing-openxml",
+ "application/x-gzip",
+ "application/x-protobuf",
+ "application/x-protobuffer",
+ "application/zip",
+ "audio/mpegurl",
+ "multipart/byteranges",
+ "multipart/signed",
+ "text/event-stream",
+ "text/csv",
+ "text/vtt",
+]
+
+ const get_url = (mime) => {
+ // www1 is cross-origin, so the HTTP response is ORB-eligible -->
+ url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+ url = url + "/fetch/nosniff/resources/image.py"
+ if (mime != null) {
+ url += "?type=" + encodeURIComponent(mime)
+ }
+ return url
+ }
+
+ passes.forEach(function (mime) {
+ async_test(function (t) {
+ var img = document.createElement("img")
+ img.onerror = t.unreached_func("Unexpected error event")
+ img.onload = t.step_func_done(function () {
+ assert_equals(img.width, 96)
+ })
+ img.src = get_url(mime)
+ document.body.appendChild(img)
+ }, "ORB should allow the response if Content-Type is: '" + mime + "'. ")
+ })
+
+ fails.forEach(function (mime) {
+ async_test(function (t) {
+ var img = document.createElement("img")
+ img.onerror = t.step_func_done()
+ img.onload = t.unreached_func("Unexpected load event")
+ img.src = get_url(mime)
+ document.body.appendChild(img)
+ }, "ORB should block the response if Content-Type is: '" + mime + "'. ")
+ })
+</script>
+
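Review bot: `get_url` assigns `url` without declaring it, which creates an implicit global shared by every call from `passes.forEach` and `fails.forEach`; declare it locally with `let url = "http://{{domains[www1]}}:{{ports[http][0]}}"`. The comment on the line above it ends with a stray `-->`, apparently left over from an HTML comment. The header comment also describes the test as "very similar to" a file with this test's own name under fetch/orb, so the intended reference (presumably the equivalent test in another directory) should be corrected.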
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html
new file mode 100644
index 0000000000..66462fb5e3
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<!-- Same-origin, so the HTTP response is not ORB-eligible. -->
+<img src="../resources/png-mislabeled-as-html.png">
+
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html
new file mode 100644
index 0000000000..aa03f4db63
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<!-- Test verifies that ORB allows an mislabeled cross-origin image after sniffing. -->
+<meta charset="utf-8">
+<!-- Reference page uses same-origin resources, which are not ORB-eligible. -->
+<link rel="match" href="img-png-mislabeled-as-html.sub-ref.html">
+<!-- www1 is cross-origin, so the HTTP response is ORB-eligible -->
+<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/png-mislabeled-as-html.png">
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html
new file mode 100644
index 0000000000..2d5e3bb8b5
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<!-- Same-origin, so the HTTP response is not ORB-eligible. -->
+<img src="../resources/png-unlabeled.png">
+
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html
new file mode 100644
index 0000000000..77415f6af1
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<!-- Test verifies that ORB allows an unlabeled cross-origin image after sniffing. -->
+<meta charset="utf-8">
+<!-- Reference page uses same-origin resources, which are not ORB-eligible. -->
+<link rel="match" href="img-png-unlabeled.sub-ref.html">
+<!-- www1 is cross-origin, so the HTTP response is ORB-eligible -->
+<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/png-unlabeled.png">
diff --git a/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js
new file mode 100644
index 0000000000..cc6d208fd3
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js
@@ -0,0 +1,99 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+expected_block(
+ `${path}/font.ttf`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("font/ttf")),
+ message("ORB should block opaque font/ttf")));
+
+expected_block(
+ `${path}/text.txt`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("text/plain")),
+ message("ORB should block opaque text/plain")));
+
+expected_block(
+ `${path}/data.json`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("application/json")),
+ message("ORB should block opaque application/json (non-empty)")));
+
+expected_block(
+ `${path}/empty.json`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("application/json")),
+ message("ORB should block opaque application/json (empty)")));
+
+expected_block(
+ `${path}/data_non_ascii.json`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("application/json")),
+ message("ORB should block opaque application/json which contains non ascii characters")));
+
+expected_allow(
+ `${path}/image.png`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("image/png")),
+ message("ORB shouldn't block opaque image/png")),
+ { skip: ["audio", "video", "script"] });
+
+expected_allow(
+ `${path}/script.js`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("text/javascript")),
+ message("ORB shouldn't block opaque text/javascript")),
+ { skip: ["image", "audio", "video"] });
+
+// Test javascript validation can correctly decode the content with BOM.
+expected_allow(
+ `${path}/script-utf16-bom.js`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("application/json")),
+ message("ORB shouldn't block opaque text/javascript (utf16 encoded with BOM)")),
+ { skip: ["image", "audio", "video"] });
+
+// Test javascript validation can correctly decode the content with the http charset hint.
+expected_allow(
+ `${path}/script-utf16-without-bom.js`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("application/json; charset=utf-16")),
+ message("ORB shouldn't block opaque text/javascript (utf16 encoded without BOM but charset is provided in content-type)")),
+ { skip: ["image", "audio", "video"] });
+
+// Test javascript validation can correctly decode the content for iso-8559-1 (fallback decoder in Firefox).
+expected_allow(
+ `${path}/script-iso-8559-1.js`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("application/json")),
+ message("ORB shouldn't block opaque text/javascript (iso-8559-1 encoded)")),
+ { skip: ["image", "audio", "video"] });
+
+// Test javascript validation can correctly parse asm.js.
+expected_allow(
+ `${path}/script-asm-js-valid.js`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("application/json")),
+ message("ORB shouldn't block text/javascript with valid asm.js")),
+ { skip: ["image", "audio", "video"] });
+
+// Test javascript validation can correctly parse invalid asm.js with valid JS syntax.
+expected_allow(
+ `${path}/script-asm-js-invalid.js`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("application/json")),
+ message("ORB shouldn't block text/javascript with invalid asm.js")),
+ { skip: ["image", "audio", "video"] });
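Review bot: From the `script-utf16-bom.js` case down, each `expected_allow` call serves the script with `contentType("application/json")` while its message says "opaque text/javascript", so a failure report describes a different response than the one actually sent. The mislabel looks deliberate (presumably to force ORB's JavaScript-validation path rather than an allow decided by MIME type alone), but nothing in the file says so. Suggest a comment such as `// Served as application/json on purpose so ORB must parse the body as JavaScript.` and messages along the lines of `"ORB shouldn't block JavaScript labeled application/json (utf16 encoded with BOM)"`. `iso-8559-1` in the comment and message is presumably meant to be ISO-8859-1.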
diff --git a/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js
new file mode 100644
index 0000000000..d1e01fd87b
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js
@@ -0,0 +1,32 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+expected_block(
+ `${path}/text.txt`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("text/plain"), contentTypeOptions("nosniff")),
+ message("ORB should block opaque text/plain with nosniff")));
+
+expected_block(
+ `${path}/data.json`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("application/json"), contentTypeOptions("nosniff")),
+ message("ORB should block opaque-response-blocklisted MIME type with nosniff")));
+
+expected_block(
+ `${path}/data.json`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentTypeOptions("nosniff")),
+ message("ORB should block opaque response with empty Content-Type and nosniff")));
+
+expected_allow(
+ `${path}/image.png`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType(""), contentType("text/javascript")),
+ message("ORB shouldn't block opaque image with empty Content-Type and nosniff")),
+ { skip: ["audio", "video", "script"] });
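Review bot: The last case is titled "opaque image with empty Content-Type and nosniff", but its pipes are `contentType(""), contentType("text/javascript")`: no `X-Content-Type-Options` header is sent, and the second pipe presumably overrides the empty Content-Type. As written it does not cover the nosniff path its name promises. If the title is the intent, the call would be `orb_test(t, contentType(""), contentTypeOptions("nosniff"))`; otherwise rename the test. The third case has a similar gap: it passes only `contentTypeOptions("nosniff")`, so the Content-Type is whatever the server defaults to for `data.json` rather than empty.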
diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html
new file mode 100644
index 0000000000..fe85440798
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<!-- Test verifies that gziped script which parses as Javascript (not JSON) without Content-Type will execute with ORB. -->
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+
+<script>
+setup({ single_test: true });
+window.has_executed_script = false;
+</script>
+
+<!-- www1 is cross-origin, so the HTTP response is CORB-eligible -->
+<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled.js?pipe=gzip|header(Content-Type,)">
+</script>
+
+<script>
+// Verify what observable effects the <script> tag above had.
+// Assertion should hold with and without ORB:
+assert_true(window.has_executed_script,
+ 'The cross-origin script should execute');
+done();
+</script>
+
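Review bot: The comment above the cross-origin `<script>` calls the response "CORB-eligible", but this directory tests ORB and the image tests in the same commit say "ORB-eligible"; suggest `<!-- www1 is cross-origin, so the HTTP response is ORB-eligible -->`. The same comment appears in script-unlabeled.sub.html and script-utf16-without-bom-hint-charset.sub.html. "gziped" in the header comment would read better as "gzipped".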
diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html
new file mode 100644
index 0000000000..4987f1307e
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<!-- Test verifies that script which parses as Javascript (not JSON) without Content-Type will execute with ORB. -->
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+
+<script>
+setup({ single_test: true });
+window.has_executed_script = false;
+</script>
+
+<!-- www1 is cross-origin, so the HTTP response is CORB-eligible -->
+<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled.js">
+</script>
+
+<script>
+// Verify what observable effects the <script> tag above had.
+// Assertion should hold with and without ORB:
+assert_true(window.has_executed_script,
+ 'The cross-origin script should execute');
+done();
+</script>
+
diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-utf16-without-bom-hint-charset.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-utf16-without-bom-hint-charset.sub.html
new file mode 100644
index 0000000000..b15f976a66
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/script-utf16-without-bom-hint-charset.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<!-- Test verifies that utf-16 encoded script (without BOM) which parses as Javascript (not JSON) will execute with ORB. -->
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+
+<script>
+setup({ single_test: true });
+window.has_executed_script = false;
+</script>
+
+<!-- www1 is cross-origin, so the HTTP response is CORB-eligible -->
+<script charset="utf-16" src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled-utf16-without-bom.json">
+</script>
+
+<script>
+// Verify what observable effects the <script> tag above had.
+// Assertion should hold with and without ORB:
+assert_true(window.has_executed_script,
+ 'The cross-origin script should execute');
+done();
+</script>
diff --git a/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js
new file mode 100644
index 0000000000..e281ca6f53
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js
@@ -0,0 +1,16 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+expected_block(
+ `${path}/data.json`,
+ (orb_test, message) => promise_test(
+ t => orb_test(t, contentType("application/json"), "status(206)"),
+ message("ORB should block opaque-response-blocklisted MIME type with status 206")));
+
+expected_block(
+ `${path}/data.json`,
+ (orb_test, message) =>
+ promise_test(
+ t => orb_test(t, contentType("application/json"), "status(302)"),
+ message("ORB should block opaque response with non-ok status")));
diff --git a/testing/web-platform/tests/fetch/orb/tentative/status.sub.html b/testing/web-platform/tests/fetch/orb/tentative/status.sub.html
new file mode 100644
index 0000000000..a62bdeb35e
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/status.sub.html
@@ -0,0 +1,17 @@
+'use strict';
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+async_test(function(t) {
+ let url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+ url = `${url}/fetch/orb/resources/sound.mp3?pipe=status(301)|header(Content-Type,)`
+
+ const video = document.createElement("video");
+ video.src = url;
+ video.onerror = t.step_func_done();
+ video.onload = t.unreached_func("Unexpected error event");
+ document.body.appendChild(video);
+}, "ORB should block initial media requests with status not 200 or 206");
+</script>
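Review bot: `video.onload = t.unreached_func("Unexpected error event")` guards nothing, because `<video>` does not fire a `load` event, and its message names the wrong event; a response that was wrongly allowed would not be reported by this handler. Use a media event instead, e.g. `video.onloadedmetadata = t.unreached_func("Unexpected loadedmetadata event");`. The leading `'use strict';` on the first line sits outside any `<script>` element, so it is rendered as page text and has no effect; drop it or move it into the script block.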
diff --git a/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js
new file mode 100644
index 0000000000..268ebb0258
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js
@@ -0,0 +1,40 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+expected_allow_fetch(
+ `${path}/font.ttf`,
+ (promise, message) =>
+ promise_test(
+ t => promise(t, contentType("")),
+ message("ORB shouldn't block opaque failed missing MIME type (font/ttf)")));
+
+expected_allow_fetch(
+ `${path}/text.ttf`,
+ (promise, message) =>
+ promise_test(
+ t => promise(t, contentType("")),
+ message("ORB shouldn't block opaque failed missing MIME type (text/plain)")));
+
+expected_allow_fetch(
+ `${path}/data.json`,
+ (promise, message) =>
+ promise_test(
+ t => promise(t, contentType("")),
+ message("ORB shouldn't block opaque failed missing MIME type (application/json)")));
+
+expected_allow(
+ `${path}/image.png`,
+ (promise, message) =>
+ promise_test(
+ t => promise(t, contentType("")),
+ message("ORB shouldn't block opaque failed missing MIME type (image/png)")),
+ { skip: ["audio", "video", "script"] });
+
+expected_allow(
+ `${path}/script.js`,
+ (promise, message) =>
+ promise_test(
+ t => promise(t, contentType("")),
+ message("ORB shouldn't block opaque failed missing MIME type (text/javascript)")),
+ { skip: ["image", "audio", "video"] });
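Review bot: The second case requests `${path}/text.ttf`, but this commit adds `text.txt` and no `text.ttf` under `resources/`, and the message refers to text/plain, so the case appears to fetch a missing file rather than an unlabeled text resource. A no-cors `fetch` of a missing file can still resolve, which would let the case pass without testing what it names. Presumably the intent is `${path}/text.txt`. The messages also read "opaque failed missing MIME type", which is hard to parse; "opaque response with missing MIME type" would be clearer.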