summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/fetch/security/dangling-markup
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/fetch/security/dangling-markup')
-rw-r--r--testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.html26
-rw-r--r--testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.tentative.https.html80
-rw-r--r--testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-data-url.tentative.sub.html (renamed from testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-data-url.sub.html)0
-rw-r--r--testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation.tentative.html (renamed from testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation.html)0
-rw-r--r--testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation.tentative.https.html (renamed from testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation.https.html)0
-rw-r--r--testing/web-platform/tests/fetch/security/dangling-markup/service-worker.js12
6 files changed, 89 insertions, 29 deletions
diff --git a/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.html b/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.html
deleted file mode 100644
index 66456a8876..0000000000
--- a/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.html
+++ /dev/null
@@ -1,26 +0,0 @@
-<!DOCTYPE html>
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<body>
-<script>
- const blank = 'about:blank';
- const dangling_url = 'resources/empty.html?\n<';
- const api_calls = [
- `window.open(\`${dangling_url}\`,'_self')`,
- `location.replace(\`${dangling_url}\`)`,
- ];
-
- api_calls.forEach(call => {
- async_test(t => {
- const iframe =
- document.body.appendChild(document.createElement('iframe'));
- t.step(() => {
- iframe.contentWindow.eval(call)
- t.step_timeout(()=>{
- assert_false(iframe.contentWindow.location.href.endsWith(blank));
- t.done();
- }, 500);
- });
- }, `Does not block ${call}`);
- });
-</script>
diff --git a/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.tentative.https.html b/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.tentative.https.html
new file mode 100644
index 0000000000..428decfc58
--- /dev/null
+++ b/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.tentative.https.html
@@ -0,0 +1,80 @@
+<!DOCTYPE html>
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+ const blank = 'about:blank';
+ const dangling_url = 'resources/empty.html?\n<';
+ const navigation_api_calls = [
+ `window.open(\`${dangling_url}\`,'_self')`,
+ `location.replace(\`${dangling_url}\`)`,
+ ];
+
+ function get_requests(worker, expected) {
+ return new Promise(resolve => {
+ navigator.serviceWorker.addEventListener('message', function onMsg(evt) {
+ if (evt.data.size >= expected) {
+ navigator.serviceWorker.removeEventListener('message', onMsg);
+ resolve(evt.data);
+ } else {
+ worker.postMessage("");
+ }
+ });
+ worker.postMessage("");
+ });
+ }
+
+ navigation_api_calls.forEach(call => {
+ async_test(t => {
+ const iframe =
+ document.body.appendChild(document.createElement('iframe'));
+ t.step(() => {
+ iframe.contentWindow.eval(call);
+ t.step_timeout(() => {
+ assert_false(iframe.contentWindow.location.href.endsWith(blank));
+ t.done();
+ }, 500);
+ });
+ }, `Does not block ${call}`);
+ });
+
+ const dangling_resource = "404?type=text/javascript&\n<"
+ const api_calls = [
+ [`const xhr = new XMLHttpRequest();
+ xhr.open("GET", \`${"xhr" + dangling_resource}\`);
+ xhr.send(null);`, "xhr"],
+ [`new EventSource(\`${"EventSource" + dangling_resource}\`)`,"EventSource"],
+ [`fetch(\`${"fetch" + dangling_resource}\`).catch(()=>{})`, "fetch"],
+ [`new Worker(\`${"Worker" + dangling_resource}\`)`, "Worker"],
+ [`let text = \`try{importScripts(\\\`${location.href + "/../importScripts" + dangling_resource}\\\`)}catch(e){}\`;
+ let blob = new Blob([text], {type : 'text/javascript'});
+ let url = URL.createObjectURL(blob);
+ new Worker(url)`, "importScripts"],
+
+ ];
+
+ navigator.serviceWorker.register('service-worker.js');
+ const iframe = document.createElement('iframe');
+ iframe.src = "resources/empty.html";
+ document.body.appendChild(iframe);
+ api_calls.forEach(call => {
+ promise_test(t => {
+ return new Promise(resolve => {
+ navigator.serviceWorker.ready.then(t.step_func(registration => {
+ iframe.contentWindow.eval(call[0]);
+ get_requests(registration.active, 0).then(t.step_func(requests => {
+ resolve(assert_true(requests.has(call[1] + dangling_resource)));
+ }));
+ }));
+ });
+ }, `Does not block ${call[1]}`);
+ });
+
+ async_test(t => {
+ let url = new URL(location.origin + "/" + dangling_url);
+ // Newlines are removed by the URL parser.
+ assert_true(url.href.endsWith(encodeURI(dangling_url.replace("\n",""))));
+ t.done();
+ }, `Does not block new URL()`);
+</script>
diff --git a/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-data-url.sub.html b/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-data-url.tentative.sub.html
index f27735daa1..f27735daa1 100644
--- a/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-data-url.sub.html
+++ b/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-data-url.tentative.sub.html
diff --git a/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation.html b/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation.tentative.html
index 61a931608b..61a931608b 100644
--- a/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation.html
+++ b/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation.tentative.html
diff --git a/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation.https.html b/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation.tentative.https.html
index 3f038cbb7b..3f038cbb7b 100644
--- a/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation.https.html
+++ b/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation.tentative.https.html
diff --git a/testing/web-platform/tests/fetch/security/dangling-markup/service-worker.js b/testing/web-platform/tests/fetch/security/dangling-markup/service-worker.js
index 837e216a01..99d5456a87 100644
--- a/testing/web-platform/tests/fetch/security/dangling-markup/service-worker.js
+++ b/testing/web-platform/tests/fetch/security/dangling-markup/service-worker.js
@@ -16,18 +16,24 @@ addEventListener('fetch', evt => {
const url = new URL(evt.request.url);
const path = url.pathname;
const search = url.search || "?";
+ const params = new URLSearchParams(search);
+ const type = params.get('type');
if (path.includes('404')) {
const dir = path.split('/');
const request = dir[dir.length-1] + search;
if (!requests.has(request)) {
requests.add(request);
}
- evt.respondWith(new Response(""));
+ evt.respondWith(new Response("", {
+ headers: {
+ "Content-Type": type || "text/plain"
+ }
+ }));
} else if (path.endsWith('resources.html')) {
- const html = (new URLSearchParams(search)).get('html');
+ const html = params.get('html') || "";
evt.respondWith(new Response(html, {
headers: {
- "Content-Type": "text/html"
+ "Content-Type": type || "text/html"
}
}));
}