<!DOCTYPE html>
<!-- Test verifies CORB will block responses with types that do not
  require confirmation sniffing.

  The test relies on two assumptions:
  1) it is unlikely that images, other media, scripts, etc. are mislabelled
     as one of the |protected_mime_types| below, so blocking them without
     confirmation sniffing should not break legitimate no-cors loads, and
  2) the |protected_mime_types| below are likely to carry sensitive,
     credentialed data that a cross-origin document must not be able to read.
-->
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<div id=log></div>
<script>
// allow_uncaught_exception: presumably so that an exception raised while the
// browser evaluates a cross-origin script body does not fail the harness; the
// per-test "error" listeners in test() below decide what counts as a failure.
// NOTE(review): single_test mode is declared here, yet test() below creates
// one async_test() per MIME type; confirm against testharness.js that the two
// modes are compatible before relying on this file's pass/fail signal.
setup({allow_uncaught_exception : true, single_test : true});

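// Registers one async_test that loads a cross-origin script resource served
// with Content-Type |mime_type| and checks whether CORB blocked it.
//
// mime_type            - the Content-Type the test server echoes back.
// is_blocking_expected - true if CORB is expected to block the response
//                        (the script must then load without running),
//                        false if the body must be preserved and executed.
//
// NOTE(review): this declaration shadows the harness's global `test()`;
// only async_test() is used below so it is harmless, but a name such as
// run_corb_test would avoid the confusion.
function test(mime_type, is_blocking_expected) {
  // Human-readable name, e.g. "CORB blocks 'text/csv'".
  const action = is_blocking_expected ? "blocks" : "does not block";

  async_test(function(t) {
    const script = document.createElement("script");
    // Per-test unique flag name, so tests running concurrently in this
    // document cannot observe each other's script execution.
    const script_has_run_token = "script_has_run" + token();

    // With and without CORB there should be no error, but without CORB the
    // original script body will be preserved and |window[script_has_run_token]|
    // will be set to true.  When CORB blocks, the script still "loads" but its
    // body is not preserved, so the flag stays false.
    window[script_has_run_token] = false;
    script.onload = t.step_func_done(function() {
      if (is_blocking_expected) {
        assert_false(window[script_has_run_token]);
      } else {
        assert_true(window[script_has_run_token]);
      }
    });
    // NOTE(review): one window-level listener is added per test and none is
    // ever removed, so a single error event is reported against every test
    // registered so far.  Any error is a failure anyway, so this only affects
    // attribution, not the verdict.
    addEventListener("error", function(e) {
      t.step(function() {
        // assert_unreached throws, which t.step records as the failure; the
        // t.done() after it is a belt-and-braces finish for the test.
        assert_unreached("Unexpected error: " + e);
        t.done();
      });
    });

    // www1 is cross-origin, so the HTTP response is CORB-eligible.  The
    // {{...}} placeholders are substituted by the WPT server (.sub.html).
    const src_prefix = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/sniffable-resource.py";
    // Declared locally: the original assigned |body| without a declaration and
    // so leaked it as an implicit global.
    const body = `window['${script_has_run_token}'] = true;`;
    // |mime_type| is not URL-encoded; callers only pass types made of
    // URL-safe characters (letters, digits, '/', '-', '+').
    script.src = src_prefix + "?type=" + mime_type + "&body=" + encodeURIComponent(body);
    document.body.appendChild(script);
  }, "CORB " + action + " '" + mime_type + "'");
}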

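// Some mime types should be protected by CORB without any kind of
// confirmation sniffing (see the assumptions in the header comment).
// Declared with |const| rather than as an implicit global; nothing else in
// this file refers to it through |window|.
const protected_mime_types = [
  "application/gzip",
  "application/pdf",
  "application/x-gzip",
  "application/x-protobuf",
  "application/zip",
  "multipart/byteranges",
  "multipart/signed",
  "text/csv",
  "text/event-stream",
];
protected_mime_types.forEach(function(type) {
  test(type, true /* is_blocking_expected */);
});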

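// Other mime types, each expected NOT to be blocked, for a different reason.
// Declared with |const| rather than as an implicit global; nothing else in
// this file refers to it through |window|.
const other_mime_types = [
  // These content types are legitimately allowed in 'no-cors' fetches.
  "application/javascript",

  // Confirmation sniffing will fail (the body is valid script, not HTML)
  // and prevent CORB from blocking the response.
  "text/html",

  // Unrecognized content types are left alone.
  "application/blah",
];
other_mime_types.forEach(function(type) {
  test(type, false /* is_blocking_expected */);
});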
</script>