diff options
Diffstat (limited to 'testing/web-platform/tests/fetch/orb/tentative')
15 files changed, 464 insertions, 0 deletions
diff --git a/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html b/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html new file mode 100644 index 0000000000..38e70c69ad --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html @@ -0,0 +1,20 @@ +<!-- Test verifies that compressed images should not be blocked +--> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<div id=log></div> +<script> +async_test(function(t) { + let url = "http://{{domains[www1]}}:{{ports[http][0]}}" + url = url + "/fetch/orb/resources/png-unlabeled.png?pipe=gzip" + + const img = document.createElement("img"); + img.src = url; + img.onerror = t.unreached_func("Unexpected error event") + img.onload = t.step_func_done(function () { + assert_true(true); + }) + document.body.appendChild(img) +}, "ORB shouldn't block compressed images"); +</script> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js new file mode 100644 index 0000000000..c965aea4f8 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js @@ -0,0 +1,20 @@ +// META: script=/fetch/orb/resources/utils.js + +const url = + "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/image.png"; + +expected_allow_fetch( + url, + (orb_test, message) => + promise_test( + t => orb_test(t, header("Content-Range", "bytes 0-99/1010"), "slice(null,100)", "status(206)"), + message("ORB shouldn't block opaque range of image/png starting at zero")), + { headers: new Headers([["Range", "bytes=0-99"]]) }); + +expected_block_fetch( + url, + (orb_test, message) => + promise_test( + t => orb_test(t, header("Content-Range", "bytes 10-99/1010"), "slice(10,100)", "status(206)"), + message("ORB should block opaque range of image/png not starting at zero, that isn't subsequent")), + { headers: new Headers([["Range", "bytes 10-99"]]) }); diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html new file mode 100644 index 0000000000..5dc6c5d63a --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html @@ -0,0 +1,126 @@ +<!-- Test verifies that cross-origin, nosniff images are 1) blocked when their + MIME type is covered by ORB and 2) allowed otherwise. + + This test is very similar to fetch/orb/img-mime-types-coverage.tentative.sub.html, + except that it focuses on MIME types relevant to ORB. +--> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<div id=log></div> +<script> + var passes = [ + // ORB safelisted MIME-types - i.e. ones covered by: + // - https://github.com/annevk/orb + + "text/css", + "image/svg+xml", + + // JavaScript MIME types + "application/ecmascript", + "application/javascript", + "application/x-ecmascript", + "application/x-javascript", + "text/ecmascript", + "text/javascript", + "text/javascript1.0", + "text/javascript1.1", + "text/javascript1.2", + "text/javascript1.3", + "text/javascript1.4", + "text/javascript1.5", + "text/jscript", + "text/livescript", + "text/x-ecmascript", + "text/x-javascript", + ] + + var fails = [ + // ORB blocklisted MIME-types - i.e. ones covered by: + // - https://github.com/annevk/orb + + "text/html", + + // JSON MIME type + "application/json", + "text/json", + "application/ld+json", + + // XML MIME type + "text/xml", + "application/xml", + "application/xhtml+xml", + + "application/dash+xml", + "application/gzip", + "application/msexcel", + "application/mspowerpoint", + "application/msword", + "application/msword-template", + "application/pdf", + "application/vnd.apple.mpegurl", + "application/vnd.ces-quickpoint", + "application/vnd.ces-quicksheet", + "application/vnd.ces-quickword", + "application/vnd.ms-excel", + "application/vnd.ms-excel.sheet.macroenabled.12", + "application/vnd.ms-powerpoint", + "application/vnd.ms-powerpoint.presentation.macroenabled.12", + "application/vnd.ms-word", + "application/vnd.ms-word.document.12", + "application/vnd.ms-word.document.macroenabled.12", + "application/vnd.msword", + "application/vnd.openxmlformats-officedocument.presentationml.presentation", + "application/vnd.openxmlformats-officedocument.presentationml.template", + "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", + "application/vnd.openxmlformats-officedocument.spreadsheetml.template", + "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + "application/vnd.openxmlformats-officedocument.wordprocessingml.template", + "application/vnd.presentation-openxml", + "application/vnd.presentation-openxmlm", + "application/vnd.spreadsheet-openxml", + "application/vnd.wordprocessing-openxml", + "application/x-gzip", + "application/x-protobuf", + "application/x-protobuffer", + "application/zip", + "audio/mpegurl", + "multipart/byteranges", + "multipart/signed", + "text/event-stream", + "text/csv", + "text/vtt", +] + + const get_url = (mime) => { + // www1 is cross-origin, so the HTTP response is ORB-eligible --> + url = "http://{{domains[www1]}}:{{ports[http][0]}}" + url = url + "/fetch/nosniff/resources/image.py" + if (mime != null) { + url += "?type=" + encodeURIComponent(mime) + } + return url + } + + passes.forEach(function (mime) { + async_test(function (t) { + var img = document.createElement("img") + img.onerror = t.unreached_func("Unexpected error event") + img.onload = t.step_func_done(function () { + assert_equals(img.width, 96) + }) + img.src = get_url(mime) + document.body.appendChild(img) + }, "ORB should allow the response if Content-Type is: '" + mime + "'. ") + }) + + fails.forEach(function (mime) { + async_test(function (t) { + var img = document.createElement("img") + img.onerror = t.step_func_done() + img.onload = t.unreached_func("Unexpected load event") + img.src = get_url(mime) + document.body.appendChild(img) + }, "ORB should block the response if Content-Type is: '" + mime + "'. ") + }) +</script> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html new file mode 100644 index 0000000000..66462fb5e3 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html @@ -0,0 +1,5 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<!-- Same-origin, so the HTTP response is not ORB-eligible. --> +<img src="../resources/png-mislabeled-as-html.png"> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html new file mode 100644 index 0000000000..aa03f4db63 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html @@ -0,0 +1,7 @@ +<!DOCTYPE html> +<!-- Test verifies that ORB allows an mislabeled cross-origin image after sniffing. --> +<meta charset="utf-8"> +<!-- Reference page uses same-origin resources, which are not ORB-eligible. --> +<link rel="match" href="img-png-mislabeled-as-html.sub-ref.html"> +<!-- www1 is cross-origin, so the HTTP response is ORB-eligible --> +<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/png-mislabeled-as-html.png"> diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html new file mode 100644 index 0000000000..2d5e3bb8b5 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html @@ -0,0 +1,5 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<!-- Same-origin, so the HTTP response is not ORB-eligible. --> +<img src="../resources/png-unlabeled.png"> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html new file mode 100644 index 0000000000..77415f6af1 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html @@ -0,0 +1,7 @@ +<!DOCTYPE html> +<!-- Test verifies that ORB allows an unlabeled cross-origin image after sniffing. --> +<meta charset="utf-8"> +<!-- Reference page uses same-origin resources, which are not ORB-eligible. --> +<link rel="match" href="img-png-unlabeled.sub-ref.html"> +<!-- www1 is cross-origin, so the HTTP response is ORB-eligible --> +<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/png-unlabeled.png"> diff --git a/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js new file mode 100644 index 0000000000..cc6d208fd3 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js @@ -0,0 +1,99 @@ +// META: script=/fetch/orb/resources/utils.js + +const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources"; + +expected_block( + `${path}/font.ttf`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("font/ttf")), + message("ORB should block opaque font/ttf"))); + +expected_block( + `${path}/text.txt`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("text/plain")), + message("ORB should block opaque text/plain"))); + +expected_block( + `${path}/data.json`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json")), + message("ORB should block opaque application/json (non-empty)"))); + +expected_block( + `${path}/empty.json`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json")), + message("ORB should block opaque application/json (empty)"))); + +expected_block( + `${path}/data_non_ascii.json`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json")), + message("ORB should block opaque application/json which contains non ascii characters"))); + +expected_allow( + `${path}/image.png`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("image/png")), + message("ORB shouldn't block opaque image/png")), + { skip: ["audio", "video", "script"] }); + +expected_allow( + `${path}/script.js`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("text/javascript")), + message("ORB shouldn't block opaque text/javascript")), + { skip: ["image", "audio", "video"] }); + +// Test javascript validation can correctly decode the content with BOM. +expected_allow( + `${path}/script-utf16-bom.js`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json")), + message("ORB shouldn't block opaque text/javascript (utf16 encoded with BOM)")), + { skip: ["image", "audio", "video"] }); + +// Test javascript validation can correctly decode the content with the http charset hint. +expected_allow( + `${path}/script-utf16-without-bom.js`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json; charset=utf-16")), + message("ORB shouldn't block opaque text/javascript (utf16 encoded without BOM but charset is provided in content-type)")), + { skip: ["image", "audio", "video"] }); + +// Test javascript validation can correctly decode the content for iso-8559-1 (fallback decoder in Firefox). +expected_allow( + `${path}/script-iso-8559-1.js`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json")), + message("ORB shouldn't block opaque text/javascript (iso-8559-1 encoded)")), + { skip: ["image", "audio", "video"] }); + +// Test javascript validation can correctly parse asm.js. +expected_allow( + `${path}/script-asm-js-valid.js`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json")), + message("ORB shouldn't block text/javascript with valid asm.js")), + { skip: ["image", "audio", "video"] }); + +// Test javascript validation can correctly parse invalid asm.js with valid JS syntax. +expected_allow( + `${path}/script-asm-js-invalid.js`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json")), + message("ORB shouldn't block text/javascript with invalid asm.js")), + { skip: ["image", "audio", "video"] }); diff --git a/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js new file mode 100644 index 0000000000..d1e01fd87b --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js @@ -0,0 +1,32 @@ +// META: script=/fetch/orb/resources/utils.js + +const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources"; + +expected_block( + `${path}/text.txt`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("text/plain"), contentTypeOptions("nosniff")), + message("ORB should block opaque text/plain with nosniff"))); + +expected_block( + `${path}/data.json`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json"), contentTypeOptions("nosniff")), + message("ORB should block opaque-response-blocklisted MIME type with nosniff"))); + +expected_block( + `${path}/data.json`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentTypeOptions("nosniff")), + message("ORB should block opaque response with empty Content-Type and nosniff"))); + +expected_allow( + `${path}/image.png`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType(""), contentType("text/javascript")), + message("ORB shouldn't block opaque image with empty Content-Type and nosniff")), + { skip: ["audio", "video", "script"] }); diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html new file mode 100644 index 0000000000..fe85440798 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html @@ -0,0 +1,24 @@ +<!DOCTYPE html> +<!-- Test verifies that gziped script which parses as Javascript (not JSON) without Content-Type will execute with ORB. --> +<meta charset="utf-8"> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<div id=log></div> + +<script> +setup({ single_test: true }); +window.has_executed_script = false; +</script> + +<!-- www1 is cross-origin, so the HTTP response is CORB-eligible --> +<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled.js?pipe=gzip|header(Content-Type,)"> +</script> + +<script> +// Verify what observable effects the <script> tag above had. +// Assertion should hold with and without ORB: +assert_true(window.has_executed_script, + 'The cross-origin script should execute'); +done(); +</script> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html new file mode 100644 index 0000000000..4987f1307e --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html @@ -0,0 +1,24 @@ +<!DOCTYPE html> +<!-- Test verifies that script which parses as Javascript (not JSON) without Content-Type will execute with ORB. --> +<meta charset="utf-8"> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<div id=log></div> + +<script> +setup({ single_test: true }); +window.has_executed_script = false; +</script> + +<!-- www1 is cross-origin, so the HTTP response is CORB-eligible --> +<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled.js"> +</script> + +<script> +// Verify what observable effects the <script> tag above had. +// Assertion should hold with and without ORB: +assert_true(window.has_executed_script, + 'The cross-origin script should execute'); +done(); +</script> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-utf16-without-bom-hint-charset.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-utf16-without-bom-hint-charset.sub.html new file mode 100644 index 0000000000..b15f976a66 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/script-utf16-without-bom-hint-charset.sub.html @@ -0,0 +1,22 @@ +<!DOCTYPE html> +<!-- Test verifies that utf-16 encoded script (without BOM) which parses as Javascript (not JSON) will execute with ORB. --> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<div id=log></div> + +<script> +setup({ single_test: true }); +window.has_executed_script = false; +</script> + +<!-- www1 is cross-origin, so the HTTP response is CORB-eligible --> +<script charset="utf-16" src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled-utf16-without-bom.json"> +</script> + +<script> +// Verify what observable effects the <script> tag above had. +// Assertion should hold with and without ORB: +assert_true(window.has_executed_script, + 'The cross-origin script should execute'); +done(); +</script> diff --git a/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js new file mode 100644 index 0000000000..e281ca6f53 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js @@ -0,0 +1,16 @@ +// META: script=/fetch/orb/resources/utils.js + +const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources"; + +expected_block( + `${path}/data.json`, + (orb_test, message) => promise_test( + t => orb_test(t, contentType("application/json"), "status(206)"), + message("ORB should block opaque-response-blocklisted MIME type with status 206"))); + +expected_block( + `${path}/data.json`, + (orb_test, message) => + promise_test( + t => orb_test(t, contentType("application/json"), "status(302)"), + message("ORB should block opaque response with non-ok status"))); diff --git a/testing/web-platform/tests/fetch/orb/tentative/status.sub.html b/testing/web-platform/tests/fetch/orb/tentative/status.sub.html new file mode 100644 index 0000000000..a62bdeb35e --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/status.sub.html @@ -0,0 +1,17 @@ +'use strict'; + +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<div id=log></div> +<script> +async_test(function(t) { + let url = "http://{{domains[www1]}}:{{ports[http][0]}}" + url = `${url}/fetch/orb/resources/sound.mp3?pipe=status(301)|header(Content-Type,)` + + const video = document.createElement("video"); + video.src = url; + video.onerror = t.step_func_done(); + video.onload = t.unreached_func("Unexpected error event"); + document.body.appendChild(video); +}, "ORB should block initial media requests with status not 200 or 206"); +</script> diff --git a/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js new file mode 100644 index 0000000000..268ebb0258 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js @@ -0,0 +1,40 @@ +// META: script=/fetch/orb/resources/utils.js + +const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources"; + +expected_allow_fetch( + `${path}/font.ttf`, + (promise, message) => + promise_test( + t => promise(t, contentType("")), + message("ORB shouldn't block opaque failed missing MIME type (font/ttf)"))); + +expected_allow_fetch( + `${path}/text.ttf`, + (promise, message) => + promise_test( + t => promise(t, contentType("")), + message("ORB shouldn't block opaque failed missing MIME type (text/plain)"))); + +expected_allow_fetch( + `${path}/data.json`, + (promise, message) => + promise_test( + t => promise(t, contentType("")), + message("ORB shouldn't block opaque failed missing MIME type (application/json)"))); + +expected_allow( + `${path}/image.png`, + (promise, message) => + promise_test( + t => promise(t, contentType("")), + message("ORB shouldn't block opaque failed missing MIME type (image/png)")), + { skip: ["audio", "video", "script"] }); + +expected_allow( + `${path}/script.js`, + (promise, message) => + promise_test( + t => promise(t, contentType("")), + message("ORB shouldn't block opaque failed missing MIME type (text/javascript)")), + { skip: ["image", "audio", "video"] }); |