<!-- This test verifies that cross-origin, nosniff images are 1) blocked when their
MIME type is covered by ORB and 2) allowed otherwise.
This test is very similar to fetch/orb/img-mime-types-coverage.tentative.sub.html,
except that it focuses on MIME types relevant to ORB.
-->
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<div id=log></div>
<script>
// MIME types for which the test expects ORB to let a cross-origin, nosniff
// image response through (the <img> must fire `load`). Order is significant
// only for test naming; it mirrors the groups below.
var passes = [].concat(
  // ORB safelisted MIME-types - i.e. ones covered by:
  // - https://github.com/annevk/orb
  ["text/css", "image/svg+xml"],
  // JavaScript MIME types
  [
    "application/ecmascript",
    "application/javascript",
    "application/x-ecmascript",
    "application/x-javascript",
    "text/ecmascript",
    "text/javascript",
  ],
  // Legacy versioned JavaScript types: text/javascript1.0 .. text/javascript1.5
  Array.from({ length: 6 }, (_, i) => `text/javascript1.${i}`),
  [
    "text/jscript",
    "text/livescript",
    "text/x-ecmascript",
    "text/x-javascript",
  ],
);
// MIME types for which the test expects ORB to block a cross-origin, nosniff
// image response (the <img> must fire `error`, never `load`). Grouped for
// readability; the overall order is unchanged.
var fails = [].concat(
  // ORB blocklisted MIME-types - i.e. ones covered by:
  // - https://github.com/annevk/orb
  ["text/html"],
  // JSON MIME types
  ["application/json", "text/json", "application/ld+json"],
  // XML MIME types
  ["text/xml", "application/xml", "application/xhtml+xml", "application/dash+xml"],
  // Compressed payloads and legacy Microsoft Office types
  [
    "application/gzip",
    "application/msexcel",
    "application/mspowerpoint",
    "application/msword",
    "application/msword-template",
    "application/pdf",
    "application/vnd.apple.mpegurl",
  ],
  // Vendor document types (Quickoffice, Office, OOXML)
  [
    "application/vnd.ces-quickpoint",
    "application/vnd.ces-quicksheet",
    "application/vnd.ces-quickword",
    "application/vnd.ms-excel",
    "application/vnd.ms-excel.sheet.macroenabled.12",
    "application/vnd.ms-powerpoint",
    "application/vnd.ms-powerpoint.presentation.macroenabled.12",
    "application/vnd.ms-word",
    "application/vnd.ms-word.document.12",
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.msword",
    "application/vnd.openxmlformats-officedocument.presentationml.presentation",
    "application/vnd.openxmlformats-officedocument.presentationml.template",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.template",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.template",
    "application/vnd.presentation-openxml",
    "application/vnd.presentation-openxmlm",
    "application/vnd.spreadsheet-openxml",
    "application/vnd.wordprocessing-openxml",
  ],
  // Archives and binary serialisation formats
  [
    "application/x-gzip",
    "application/x-protobuf",
    "application/x-protobuffer",
    "application/zip",
  ],
  // Playlists, multipart and text formats
  [
    "audio/mpegurl",
    "multipart/byteranges",
    "multipart/signed",
    "text/event-stream",
    "text/csv",
    "text/vtt",
  ],
);
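/**
 * Build the URL of the cross-origin, nosniff image resource used by every
 * sub-test.
 *
 * The resource lives on the www1 host, i.e. a different origin from the test
 * page, so the response is eligible for Opaque Response Blocking; a
 * same-origin URL would never exercise ORB.
 *
 * @param {string|null|undefined} mime - Content-Type the server should send.
 *   When null or undefined no `type` query parameter is appended.
 * @returns {string} Absolute URL with the MIME type percent-encoded.
 */
const get_url = (mime) => {
  // The `{{...}}` placeholders are wpt server substitutions; www1 is
  // cross-origin, so the HTTP response is ORB-eligible.
  // Declared with `const` - previously `url` was assigned without a
  // declaration and leaked as an implicit global (a ReferenceError in strict
  // mode).
  const base =
    "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/nosniff/resources/image.py";
  // `== null` intentionally matches both null and undefined.
  if (mime == null) {
    return base;
  }
  // Encode so '/' and '+' inside the MIME type survive the query string.
  return `${base}?type=${encodeURIComponent(mime)}`;
};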
// One async sub-test per allowed MIME type: the image must load and decode.
for (const mime of passes) {
  async_test((t) => {
    const img = document.createElement("img");
    // Any error event means ORB (or something else) blocked an allowed type.
    img.onerror = t.unreached_func("Unexpected error event");
    img.onload = t.step_func_done(() => {
      // The served image is expected to be 96px wide; a smaller value would
      // indicate the response body was replaced or truncated.
      assert_equals(img.width, 96);
    });
    img.src = get_url(mime);
    document.body.appendChild(img);
  }, `ORB should allow the response if Content-Type is: '${mime}'. `);
}
// One async sub-test per blocked MIME type: the image must fail to load.
for (const mime of fails) {
  async_test((t) => {
    const img = document.createElement("img");
    // An error event is the expected outcome of an ORB-blocked response.
    img.onerror = t.step_func_done();
    // A load event would mean the cross-origin body reached the decoder.
    img.onload = t.unreached_func("Unexpected load event");
    img.src = get_url(mime);
    document.body.appendChild(img);
  }, `ORB should block the response if Content-Type is: '${mime}'. `);
}
</script>