summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html')
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html126
1 files changed, 126 insertions, 0 deletions
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
new file mode 100644
index 0000000000..5dc6c5d63a
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
@@ -0,0 +1,126 @@
+<!-- Test verifies that cross-origin, nosniff images are 1) blocked when their
+ MIME type is covered by ORB and 2) allowed otherwise.
+
+ This test is very similar to fetch/orb/img-mime-types-coverage.tentative.sub.html,
+ except that it focuses on MIME types relevant to ORB.
+-->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+ var passes = [
+ // ORB safelisted MIME-types - i.e. ones covered by:
+ // - https://github.com/annevk/orb
+
+ "text/css",
+ "image/svg+xml",
+
+ // JavaScript MIME types
+ "application/ecmascript",
+ "application/javascript",
+ "application/x-ecmascript",
+ "application/x-javascript",
+ "text/ecmascript",
+ "text/javascript",
+ "text/javascript1.0",
+ "text/javascript1.1",
+ "text/javascript1.2",
+ "text/javascript1.3",
+ "text/javascript1.4",
+ "text/javascript1.5",
+ "text/jscript",
+ "text/livescript",
+ "text/x-ecmascript",
+ "text/x-javascript",
+ ]
+
+ var fails = [
+ // ORB blocklisted MIME-types - i.e. ones covered by:
+ // - https://github.com/annevk/orb
+
+ "text/html",
+
+ // JSON MIME type
+ "application/json",
+ "text/json",
+ "application/ld+json",
+
+ // XML MIME type
+ "text/xml",
+ "application/xml",
+ "application/xhtml+xml",
+
+ "application/dash+xml",
+ "application/gzip",
+ "application/msexcel",
+ "application/mspowerpoint",
+ "application/msword",
+ "application/msword-template",
+ "application/pdf",
+ "application/vnd.apple.mpegurl",
+ "application/vnd.ces-quickpoint",
+ "application/vnd.ces-quicksheet",
+ "application/vnd.ces-quickword",
+ "application/vnd.ms-excel",
+ "application/vnd.ms-excel.sheet.macroenabled.12",
+ "application/vnd.ms-powerpoint",
+ "application/vnd.ms-powerpoint.presentation.macroenabled.12",
+ "application/vnd.ms-word",
+ "application/vnd.ms-word.document.12",
+ "application/vnd.ms-word.document.macroenabled.12",
+ "application/vnd.msword",
+ "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+ "application/vnd.openxmlformats-officedocument.presentationml.template",
+ "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+ "application/vnd.openxmlformats-officedocument.spreadsheetml.template",
+ "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+ "application/vnd.openxmlformats-officedocument.wordprocessingml.template",
+ "application/vnd.presentation-openxml",
+ "application/vnd.presentation-openxmlm",
+ "application/vnd.spreadsheet-openxml",
+ "application/vnd.wordprocessing-openxml",
+ "application/x-gzip",
+ "application/x-protobuf",
+ "application/x-protobuffer",
+ "application/zip",
+ "audio/mpegurl",
+ "multipart/byteranges",
+ "multipart/signed",
+ "text/event-stream",
+ "text/csv",
+ "text/vtt",
+]
+
+ const get_url = (mime) => {
+ // www1 is cross-origin, so the HTTP response is ORB-eligible -->
+ url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+ url = url + "/fetch/nosniff/resources/image.py"
+ if (mime != null) {
+ url += "?type=" + encodeURIComponent(mime)
+ }
+ return url
+ }
+
+ passes.forEach(function (mime) {
+ async_test(function (t) {
+ var img = document.createElement("img")
+ img.onerror = t.unreached_func("Unexpected error event")
+ img.onload = t.step_func_done(function () {
+ assert_equals(img.width, 96)
+ })
+ img.src = get_url(mime)
+ document.body.appendChild(img)
+ }, "ORB should allow the response if Content-Type is: '" + mime + "'. ")
+ })
+
+ fails.forEach(function (mime) {
+ async_test(function (t) {
+ var img = document.createElement("img")
+ img.onerror = t.step_func_done()
+ img.onload = t.unreached_func("Unexpected load event")
+ img.src = get_url(mime)
+ document.body.appendChild(img)
+ }, "ORB should block the response if Content-Type is: '" + mime + "'. ")
+ })
+</script>
+
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-10 05:00:39 +0000