Adding upstream version 5.28.2+dfsg1+~cs23.11.12.3.upstream/5.28.2+dfsg1+_cs23.11.12.3upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

15 files changed, 494 insertions, 0 deletions

diff --git a/test/wpt/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html b/test/wpt/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html
new file mode 100644
index 0000000..38e70c6
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html
@@ -0,0 +1,20 @@
+<!-- Test verifies that compressed images should not be blocked
+-->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+async_test(function(t) {
+  let url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+  url = url + "/fetch/orb/resources/png-unlabeled.png?pipe=gzip"
+
+  const img = document.createElement("img");
+  img.src = url;
+  img.onerror = t.unreached_func("Unexpected error event")
+  img.onload = t.step_func_done(function () {
+    assert_true(true);
+  })
+  document.body.appendChild(img)
+}, "ORB shouldn't block compressed images");
+</script>
+
diff --git a/test/wpt/tests/fetch/orb/tentative/content-range.sub.any.js b/test/wpt/tests/fetch/orb/tentative/content-range.sub.any.js
new file mode 100644
index 0000000..ee97521
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/content-range.sub.any.js
@@ -0,0 +1,31 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const url =
+  "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/image.png";
+
+promise_test(async () => {
+  let headers = new Headers([["Range", "bytes=0-99"]]);
+  await fetchORB(
+    url,
+    { headers },
+    header("Content-Range", "bytes 0-99/1010"),
+    "slice(null,100)",
+    "status(206)"
+  );
+}, "ORB shouldn't block opaque range of image/png starting at zero");
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(
+        url,
+        { headers: new Headers([["Range", "bytes 10-99"]]) },
+        header("Content-Range", "bytes 10-99/1010"),
+        "slice(10,100)",
+        "status(206)"
+      )
+    ),
+  "ORB should block opaque range of image/png not starting at zero, that isn't subsequent"
+);
diff --git a/test/wpt/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html b/test/wpt/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
new file mode 100644
index 0000000..5dc6c5d
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
@@ -0,0 +1,126 @@
+<!-- Test verifies that cross-origin, nosniff images are 1) blocked when their
+  MIME type is covered by ORB and 2) allowed otherwise.
+
+  This test is very similar to fetch/orb/img-mime-types-coverage.tentative.sub.html,
+  except that it focuses on MIME types relevant to ORB.
+-->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+  var passes = [
+    // ORB safelisted MIME-types - i.e. ones covered by:
+    // - https://github.com/annevk/orb
+
+    "text/css",
+    "image/svg+xml",
+
+    // JavaScript MIME types
+    "application/ecmascript",
+    "application/javascript",
+    "application/x-ecmascript",
+    "application/x-javascript",
+    "text/ecmascript",
+    "text/javascript",
+    "text/javascript1.0",
+    "text/javascript1.1",
+    "text/javascript1.2",
+    "text/javascript1.3",
+    "text/javascript1.4",
+    "text/javascript1.5",
+    "text/jscript",
+    "text/livescript",
+    "text/x-ecmascript",
+    "text/x-javascript",
+  ]
+
+  var fails = [
+    // ORB blocklisted MIME-types - i.e. ones covered by:
+    // - https://github.com/annevk/orb
+
+    "text/html",
+
+    // JSON MIME type
+    "application/json",
+    "text/json",
+    "application/ld+json",
+
+    // XML MIME type
+    "text/xml",
+    "application/xml",
+    "application/xhtml+xml",
+
+    "application/dash+xml",
+    "application/gzip",
+    "application/msexcel",
+    "application/mspowerpoint",
+    "application/msword",
+    "application/msword-template",
+    "application/pdf",
+    "application/vnd.apple.mpegurl",
+    "application/vnd.ces-quickpoint",
+    "application/vnd.ces-quicksheet",
+    "application/vnd.ces-quickword",
+    "application/vnd.ms-excel",
+    "application/vnd.ms-excel.sheet.macroenabled.12",
+    "application/vnd.ms-powerpoint",
+    "application/vnd.ms-powerpoint.presentation.macroenabled.12",
+    "application/vnd.ms-word",
+    "application/vnd.ms-word.document.12",
+    "application/vnd.ms-word.document.macroenabled.12",
+    "application/vnd.msword",
+    "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+    "application/vnd.openxmlformats-officedocument.presentationml.template",
+    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+    "application/vnd.openxmlformats-officedocument.spreadsheetml.template",
+    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+    "application/vnd.openxmlformats-officedocument.wordprocessingml.template",
+    "application/vnd.presentation-openxml",
+    "application/vnd.presentation-openxmlm",
+    "application/vnd.spreadsheet-openxml",
+    "application/vnd.wordprocessing-openxml",
+    "application/x-gzip",
+    "application/x-protobuf",
+    "application/x-protobuffer",
+    "application/zip",
+    "audio/mpegurl",
+    "multipart/byteranges",
+    "multipart/signed",
+    "text/event-stream",
+    "text/csv",
+    "text/vtt",
+]
+
+  const get_url = (mime) => {
+    // www1 is cross-origin, so the HTTP response is ORB-eligible -->
+    url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+    url = url + "/fetch/nosniff/resources/image.py"
+    if (mime != null) {
+      url += "?type=" + encodeURIComponent(mime)
+    }
+    return url
+  }
+
+  passes.forEach(function (mime) {
+    async_test(function (t) {
+      var img = document.createElement("img")
+      img.onerror = t.unreached_func("Unexpected error event")
+      img.onload = t.step_func_done(function () {
+        assert_equals(img.width, 96)
+      })
+      img.src = get_url(mime)
+      document.body.appendChild(img)
+    }, "ORB should allow the response if Content-Type is: '" + mime + "'.  ")
+  })
+
+  fails.forEach(function (mime) {
+    async_test(function (t) {
+      var img = document.createElement("img")
+      img.onerror = t.step_func_done()
+      img.onload = t.unreached_func("Unexpected load event")
+      img.src = get_url(mime)
+      document.body.appendChild(img)
+    }, "ORB should block the response if Content-Type is: '" + mime + "'.  ")
+  })
+</script>
+
diff --git a/test/wpt/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html b/test/wpt/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html
new file mode 100644
index 0000000..66462fb
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<!-- Same-origin, so the HTTP response is not ORB-eligible. -->
+<img src="../resources/png-mislabeled-as-html.png">
+
diff --git a/test/wpt/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html b/test/wpt/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html
new file mode 100644
index 0000000..aa03f4d
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<!-- Test verifies that ORB allows an mislabeled cross-origin image after sniffing. -->
+<meta charset="utf-8">
+<!-- Reference page uses same-origin resources, which are not ORB-eligible. -->
+<link rel="match" href="img-png-mislabeled-as-html.sub-ref.html">
+<!-- www1 is cross-origin, so the HTTP response is ORB-eligible -->
+<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/png-mislabeled-as-html.png">
diff --git a/test/wpt/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html b/test/wpt/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html
new file mode 100644
index 0000000..2d5e3bb
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<!-- Same-origin, so the HTTP response is not ORB-eligible. -->
+<img src="../resources/png-unlabeled.png">
+
diff --git a/test/wpt/tests/fetch/orb/tentative/img-png-unlabeled.sub.html b/test/wpt/tests/fetch/orb/tentative/img-png-unlabeled.sub.html
new file mode 100644
index 0000000..77415f6
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/img-png-unlabeled.sub.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<!-- Test verifies that ORB allows an unlabeled cross-origin image after sniffing. -->
+<meta charset="utf-8">
+<!-- Reference page uses same-origin resources, which are not ORB-eligible. -->
+<link rel="match" href="img-png-unlabeled.sub-ref.html">
+<!-- www1 is cross-origin, so the HTTP response is ORB-eligible -->
+<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/png-unlabeled.png">
diff --git a/test/wpt/tests/fetch/orb/tentative/known-mime-type.sub.any.js b/test/wpt/tests/fetch/orb/tentative/known-mime-type.sub.any.js
new file mode 100644
index 0000000..b0521e8
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/known-mime-type.sub.any.js
@@ -0,0 +1,86 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(`${path}/font.ttf`, null, contentType("font/ttf"))
+    ),
+  "ORB should block opaque font/ttf"
+);
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(`${path}/text.txt`, null, contentType("text/plain"))
+    ),
+  "ORB should block opaque text/plain"
+);
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(`${path}/data.json`, null, contentType("application/json"))
+    ),
+  "ORB should block opaque application/json (non-empty)"
+);
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(`${path}/empty.json`, null, contentType("application/json"))
+    ),
+  "ORB should block opaque application/json (empty)"
+);
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(`${path}/data_non_ascii.json`, null, contentType("application/json"))
+    ),
+  "ORB should block opaque application/json which contains non ascii characters"
+);
+
+promise_test(async () => {
+  fetchORB(`${path}/image.png`, null, contentType("image/png"));
+}, "ORB shouldn't block opaque image/png");
+
+promise_test(async () => {
+  await fetchORB(`${path}/script.js`, null, contentType("text/javascript"));
+}, "ORB shouldn't block opaque text/javascript");
+
+// Test javascript validation can correctly decode the content with BOM.
+promise_test(async () => {
+  await fetchORB(`${path}/script-utf16-bom.js`, null, contentType("application/json"));
+}, "ORB shouldn't block opaque text/javascript (utf16 encoded with BOM)");
+
+// Test javascript validation can correctly decode the content with the http charset hint.
+promise_test(async () => {
+  await fetchORB(`${path}/script-utf16-without-bom.js`, null, contentType("application/json; charset=utf-16"));
+}, "ORB shouldn't block opaque text/javascript (utf16 encoded without BOM but charset is provided in content-type)");
+
+// Test javascript validation can correctly decode the content for iso-8559-1 (fallback decoder in Firefox).
+promise_test(async () => {
+  await fetchORB(`${path}/script-iso-8559-1.js`, null, contentType("application/json"));
+}, "ORB shouldn't block opaque text/javascript (iso-8559-1 encoded)");
+
+// Test javascript validation can correctly parse asm.js.
+promise_test(async () => {
+  await fetchORB(`${path}/script-asm-js-valid.js`, null, contentType("application/json"));
+}, "ORB shouldn't block text/javascript with valid asm.js");
+
+// Test javascript validation can correctly parse invalid asm.js with valid JS syntax.
+promise_test(async () => {
+  await fetchORB(`${path}/script-asm-js-invalid.js`, null, contentType("application/json"));
+}, "ORB shouldn't block text/javascript with invalid asm.js");
diff --git a/test/wpt/tests/fetch/orb/tentative/nosniff.sub.any.js b/test/wpt/tests/fetch/orb/tentative/nosniff.sub.any.js
new file mode 100644
index 0000000..3df9d22
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/nosniff.sub.any.js
@@ -0,0 +1,59 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(
+        `${path}/text.txt`,
+        null,
+        contentType("text/plain"),
+        contentTypeOptions("nosniff")
+      )
+    ),
+  "ORB should block opaque text/plain with nosniff"
+);
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(
+        `${path}/data.json`,
+        null,
+        contentType("application/json"),
+        contentTypeOptions("nosniff")
+      )
+    ),
+  "ORB should block opaque-response-blocklisted MIME type with nosniff"
+);
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(
+        `${path}/data.json`,
+        null,
+        contentType(""),
+        contentTypeOptions("nosniff")
+      )
+    ),
+  "ORB should block opaque response with empty Content-Type and nosniff"
+);
+
+promise_test(
+  () =>
+    fetchORB(
+      `${path}/image.png`,
+      null,
+      contentType(""),
+      contentTypeOptions("nosniff")
+    ),
+  "ORB shouldn't block opaque image with empty Content-Type and nosniff"
+);
diff --git a/test/wpt/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html b/test/wpt/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html
new file mode 100644
index 0000000..fe85440
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<!-- Test verifies that gziped script which parses as Javascript (not JSON) without Content-Type will execute with ORB. -->
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+
+<script>
+setup({ single_test: true });
+window.has_executed_script = false;
+</script>
+
+<!-- www1 is cross-origin, so the HTTP response is CORB-eligible -->
+<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled.js?pipe=gzip|header(Content-Type,)">
+</script>
+
+<script>
+// Verify what observable effects the <script> tag above had.
+// Assertion should hold with and without ORB:
+assert_true(window.has_executed_script,
+            'The cross-origin script should execute');
+done();
+</script>
+
diff --git a/test/wpt/tests/fetch/orb/tentative/script-unlabeled.sub.html b/test/wpt/tests/fetch/orb/tentative/script-unlabeled.sub.html
new file mode 100644
index 0000000..4987f13
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/script-unlabeled.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<!-- Test verifies that script which parses as Javascript (not JSON) without Content-Type will execute with ORB. -->
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+
+<script>
+setup({ single_test: true });
+window.has_executed_script = false;
+</script>
+
+<!-- www1 is cross-origin, so the HTTP response is CORB-eligible -->
+<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled.js">
+</script>
+
+<script>
+// Verify what observable effects the <script> tag above had.
+// Assertion should hold with and without ORB:
+assert_true(window.has_executed_script,
+            'The cross-origin script should execute');
+done();
+</script>
+
diff --git a/test/wpt/tests/fetch/orb/tentative/script-utf16-without-bom-hint-charset.sub.html b/test/wpt/tests/fetch/orb/tentative/script-utf16-without-bom-hint-charset.sub.html
new file mode 100644
index 0000000..b15f976
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/script-utf16-without-bom-hint-charset.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<!-- Test verifies that utf-16 encoded script (without BOM) which parses as Javascript (not JSON) will execute with ORB. -->
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+
+<script>
+setup({ single_test: true });
+window.has_executed_script = false;
+</script>
+
+<!-- www1 is cross-origin, so the HTTP response is CORB-eligible -->
+<script charset="utf-16" src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled-utf16-without-bom.json">
+</script>
+
+<script>
+// Verify what observable effects the <script> tag above had.
+// Assertion should hold with and without ORB:
+assert_true(window.has_executed_script,
+            'The cross-origin script should execute');
+done();
+</script>
diff --git a/test/wpt/tests/fetch/orb/tentative/status.sub.any.js b/test/wpt/tests/fetch/orb/tentative/status.sub.any.js
new file mode 100644
index 0000000..b94d8b7
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/status.sub.any.js
@@ -0,0 +1,33 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(
+        `${path}/data.json`,
+        null,
+        contentType("application/json"),
+        "status(206)"
+      )
+    ),
+  "ORB should block opaque-response-blocklisted MIME type with status 206"
+);
+
+promise_test(
+  t =>
+    promise_rejects_js(
+      t,
+      TypeError,
+      fetchORB(
+        `${path}/data.json`,
+        null,
+        contentType("application/json"),
+        "status(302)"
+      )
+    ),
+  "ORB should block opaque response with non-ok status"
+);
diff --git a/test/wpt/tests/fetch/orb/tentative/status.sub.html b/test/wpt/tests/fetch/orb/tentative/status.sub.html
new file mode 100644
index 0000000..a62bdeb
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/status.sub.html
@@ -0,0 +1,17 @@
+'use strict';
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+async_test(function(t) {
+  let url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+  url = `${url}/fetch/orb/resources/sound.mp3?pipe=status(301)|header(Content-Type,)`
+
+  const video = document.createElement("video");
+  video.src = url;
+  video.onerror = t.step_func_done();
+  video.onload = t.unreached_func("Unexpected error event");
+  document.body.appendChild(video);
+}, "ORB should block initial media requests with status not 200 or 206");
+</script>
diff --git a/test/wpt/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js b/test/wpt/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js
new file mode 100644
index 0000000..f72ff92
--- /dev/null
+++ b/test/wpt/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js
@@ -0,0 +1,28 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+promise_test(
+  () => fetchORB(`${path}/font.ttf`, null, contentType("")),
+  "ORB shouldn't block opaque failed missing MIME type (font/ttf)"
+);
+
+promise_test(
+  () => fetchORB(`${path}/text.txt`, null, contentType("")),
+  "ORB shouldn't block opaque failed missing MIME type (text/plain)"
+);
+
+promise_test(
+  t => fetchORB(`${path}/data.json`, null, contentType("")),
+  "ORB shouldn't block opaque failed missing MIME type (application/json)"
+);
+
+promise_test(
+  () => fetchORB(`${path}/image.png`, null, contentType("")),
+  "ORB shouldn't block opaque failed missing MIME type (image/png)"
+);
+
+promise_test(
+  () => fetchORB(`${path}/script.js`, null, contentType("")),
+  "ORB shouldn't block opaque failed missing MIME type (text/javascript)"
+);