summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/fetch/corb/README.md
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/fetch/corb/README.md')
-rw-r--r--testing/web-platform/tests/fetch/corb/README.md67
1 files changed, 67 insertions, 0 deletions
diff --git a/testing/web-platform/tests/fetch/corb/README.md b/testing/web-platform/tests/fetch/corb/README.md
new file mode 100644
index 0000000000..f29562b060
--- /dev/null
+++ b/testing/web-platform/tests/fetch/corb/README.md
@@ -0,0 +1,67 @@
+# Tests related to Cross-Origin Resource Blocking (CORB).
+
+### Summary
+
+This directory contains tests related to the
+[Cross-Origin Resource Blocking (CORB)](https://chromium.googlesource.com/chromium/src/+/main/services/network/cross_origin_read_blocking_explainer.md)
+algorithm.
+
+The tests in this directory interact with various, random features,
+but the tests have been grouped together into the `fetch/corb` directory,
+because all of these tests verify behavior that is important to the CORB
+algorithm.
+
+
+### CORB is not universally implemented yet
+
+CORB has been included
+in the [Fetch spec](https://fetch.spec.whatwg.org/#corb)
+since [May 2018](https://github.com/whatwg/fetch/pull/686).
+
+Some tests in this directory (e.g.
+`css-with-json-parser-breaker`) cover behavior spec-ed outside of CORB (making
+sure that CORB doesn't change the existing web behavior) and therefore are
+valuable independently from CORB's standardization efforts and should already
+be passing across all browsers.
+
+Tests that cover behavior that is changed by CORB are currently marked as
+[tentative](https://web-platform-tests.org/writing-tests/file-names.html)
+(using `.tentative` substring in their filename).
+Such tests may fail unless CORB is enabled. In practice this means that:
+* Such tests will pass in Chromium
+ (where CORB is enabled by default [since M68](https://crrev.com/553830)).
+* Such tests may fail in other browsers.
+
+
+### Limitations of WPT test coverage
+
+CORB is a defense-in-depth and in general should not cause changes in behavior
+that can be observed by web features or by end users. This makes CORB difficult
+or even impossible to test via WPT.
+
+WPT tests can cover the following:
+
+* Helping verify CORB has no observable impact in specific scenarios.
+ Examples:
+ * image rendering of (an empty response of) a html document blocked by CORB
+ should be indistinguishable from rendering such html document without CORB -
+ `img-html-correctly-labeled.sub.html`
+ * CORB shouldn't block responses that don't sniff as a CORB-protected document
+ type - `img-png-mislabeled-as-html.sub.html`
+* Helping document cases where CORB causes observable changes in behavior.
+ Examples:
+ * blocking of nosniff images labeled as non-image, CORB-protected
+ Content-Type - `img-png-mislabeled-as-html-nosniff.tentative.sub.html`
+ * blocking of CORB-protected documents can prevent triggering
+ syntax errors in scripts -
+ `script-html-via-cross-origin-blob-url.tentative.sub.html`
+* Helping verify which MIME types are protected by CORB.
+
+Examples of aspects that WPT tests cannot cover (these aspects have to be
+covered in other, browser-specific tests):
+* Verifying that CORB doesn't affect things that are only indirectly
+ observable by the web (like
+ [prefetch](https://html.spec.whatwg.org/#link-type-prefetch).
+* Verifying that CORB strips headers of blocked responses.
+* Verifying that CORB blocks responses before they reach the process hosting
+ a cross-origin execution context.
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-10 05:48:34 +0000