Adding upstream version 115.7.0esr.upstream/115.7.0esr

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

8 files changed, 274 insertions, 0 deletions

diff --git a/testing/web-platform/mozilla/tests/fetch/api/redirect/redirect-referrer-mixed-content.js b/testing/web-platform/mozilla/tests/fetch/api/redirect/redirect-referrer-mixed-content.js
new file mode 100644
index 0000000000..ad59904fd9
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/api/redirect/redirect-referrer-mixed-content.js
@@ -0,0 +1,51 @@
+if (this.document === undefined) {
+  importScripts("/common/utils.js");
+  importScripts("/resources/testharness.js");
+  importScripts("/fetch/api/resources/utils.js");
+  importScripts("/common/get-host-info.sub.js");
+}
+
+function testReferrerAfterRedirection(desc, redirectUrl, redirectLocation, referrerPolicy, redirectReferrerPolicy, expectedReferrer) {
+  var url = redirectUrl;
+  var urlParameters = "?location=" + encodeURIComponent(redirectLocation);
+
+  if (redirectReferrerPolicy)
+    urlParameters += "&redirect_referrerpolicy=" + redirectReferrerPolicy;
+
+  var requestInit = {"redirect": "follow", "referrerPolicy": referrerPolicy};
+
+    promise_test(function(test) {
+      return fetch(url + urlParameters, requestInit).then(function(response) {
+        assert_equals(response.status, 200, "Inspect header response's status is 200");
+        assert_equals(response.headers.get("x-request-referer"), expectedReferrer ? expectedReferrer : null, "Check referrer header");
+      });
+    }, desc);
+}
+
+var referrerOrigin = get_host_info().HTTPS_ORIGIN + "/";
+var referrerUrl = location.href;
+
+var RESOURCES_DIR = "/fetch/api/resources/";
+var redirectUrl = RESOURCES_DIR + "redirect.py";
+var locationUrl = get_host_info().HTTPS_ORIGIN  + RESOURCES_DIR + "inspect-headers.py?headers=referer";
+var httpLocationUrl =  get_host_info().HTTP_REMOTE_ORIGIN + RESOURCES_DIR + "inspect-headers.py?cors&headers=referer";
+
+testReferrerAfterRedirection("Downgrade, empty init, unsafe-url redirect header ", redirectUrl, httpLocationUrl, "", "unsafe-url", referrerUrl);
+testReferrerAfterRedirection("Downgrade, empty init, no-referrer-when-downgrade redirect header ", redirectUrl, httpLocationUrl, "", "no-referrer-when-downgrade", null);
+testReferrerAfterRedirection("Downgrade, empty init, same-origin redirect header ", redirectUrl, httpLocationUrl, "", "same-origin", null);
+testReferrerAfterRedirection("Downgrade, empty init, origin redirect header ", redirectUrl, httpLocationUrl, "", "origin", referrerOrigin);
+testReferrerAfterRedirection("Downgrade, empty init, origin-when-cross-origin redirect header ", redirectUrl, httpLocationUrl, "", "origin-when-cross-origin", referrerOrigin);
+testReferrerAfterRedirection("Downgrade, empty init, no-referrer redirect header ", redirectUrl, httpLocationUrl, "", "no-referrer", null);
+testReferrerAfterRedirection("Downgrade, empty init, strict-origin redirect header ", redirectUrl, httpLocationUrl, "", "strict-origin", null);
+testReferrerAfterRedirection("Downgrade, empty init, strict-origin-when-cross-origin redirect header ", redirectUrl, httpLocationUrl, "", "strict-origin-when-cross-origin", null);
+
+testReferrerAfterRedirection("Downgrade, empty redirect header, unsafe-url init ", redirectUrl, httpLocationUrl, "unsafe-url", "", referrerUrl);
+testReferrerAfterRedirection("Downgrade, empty redirect header, no-referrer-when-downgrade init ", redirectUrl, httpLocationUrl, "no-referrer-when-downgrade", "", null);
+testReferrerAfterRedirection("Downgrade, empty redirect header, same-origin init ", redirectUrl, httpLocationUrl, "same-origin", "", null);
+testReferrerAfterRedirection("Downgrade, empty redirect header, origin init ", redirectUrl, httpLocationUrl, "origin", "", referrerOrigin);
+testReferrerAfterRedirection("Downgrade, empty redirect header, origin-when-cross-origin init ", redirectUrl, httpLocationUrl, "origin-when-cross-origin", "", referrerOrigin);
+testReferrerAfterRedirection("Downgrade, empty redirect header, no-referrer init ", redirectUrl, httpLocationUrl, "no-referrer", "", null);
+testReferrerAfterRedirection("Downgrade, empty redirect header, strict-origin init ", redirectUrl, httpLocationUrl, "strict-origin", "", null);
+testReferrerAfterRedirection("Downgrade, empty redirect header, strict-origin-when-cross-origin init ", redirectUrl, httpLocationUrl, "strict-origin-when-cross-origin", "", null);
+
+
diff --git a/testing/web-platform/mozilla/tests/fetch/api/redirect/redirect-referrer.https.html b/testing/web-platform/mozilla/tests/fetch/api/redirect/redirect-referrer.https.html
new file mode 100644
index 0000000000..bcd24892e2
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/api/redirect/redirect-referrer.https.html
@@ -0,0 +1,18 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Fetch: redirect referrer handling, mixed content</title>
+    <meta name="author" title="Canon Research France" href="https://www.crf.canon.fr">
+    <meta name="help" href="https://fetch.spec.whatwg.org/#main-fetch">
+    <meta name="help" href="https://fetch.spec.whatwg.org/#http-redirect-fetch">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+  </head>
+  <body>
+    <script src="/common/utils.js"></script>
+    <script src="/fetch/api/resources/utils.js"></script>
+    <script src="/common/get-host-info.sub.js"></script>
+    <script src="redirect-referrer-mixed-content.js"></script>
+  </body>
+</html>
diff --git a/testing/web-platform/mozilla/tests/fetch/orb/tentative/content-range.sub.window.js b/testing/web-platform/mozilla/tests/fetch/orb/tentative/content-range.sub.window.js
new file mode 100644
index 0000000000..e6fe872719
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/orb/tentative/content-range.sub.window.js
@@ -0,0 +1,19 @@
+// META: script=/fetch/orb/resources/utils.js
+// META: script=resources/utils.js
+
+const url =
+  "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/image.png";
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+  fetchORB(
+    url,
+    { headers: new Headers([["Range", "bytes 10-99"]]) },
+    header("Content-Range", "bytes 10-99/1010"),
+    "slice(10,100)",
+    "status(206)"
+  ),
+  "ORB should filter opaque range of image/png not starting at zero, that isn't subsequent"
+);
diff --git a/testing/web-platform/mozilla/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html b/testing/web-platform/mozilla/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
new file mode 100644
index 0000000000..d5ab1a4cd7
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
@@ -0,0 +1,43 @@
+<!-- Test verifies that cross-origin, nosniff images are 1) blocked when their
+  MIME type is covered by ORB and 2) allowed otherwise.
+
+  This test is very similar to fetch/orb/img-mime-types-coverage.tentative.sub.html,
+  except that it focuses on MIME types relevant to ORB.
+-->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+  var passes = [
+    // These are exceptions that allow more MIME types than the ORB spec does.
+    // This is due to web compat, but might be removed in the future.
+    // See Bug 1828375
+    "application/dash+xml",
+    "application/vnd.apple.mpegurl",
+    "audio/mpegurl",
+    "audio/mpeg",
+    "text/vtt",
+  ]
+
+  const get_url = (mime) => {
+    // www1 is cross-origin, so the HTTP response is ORB-eligible -->
+    url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+    url = url + "/fetch/nosniff/resources/image.py"
+    if (mime != null) {
+      url += "?type=" + encodeURIComponent(mime)
+    }
+    return url
+  }
+
+  passes.forEach(function (mime) {
+    async_test(function (t) {
+      var img = document.createElement("img")
+      img.onerror = t.unreached_func("Unexpected error event")
+      img.onload = t.step_func_done(function () {
+        assert_equals(img.width, 96)
+      })
+      img.src = get_url(mime)
+      document.body.appendChild(img)
+    }, "ORB should allow the response if Content-Type is: '" + mime + "'.  ")
+  })
+</script>
diff --git a/testing/web-platform/mozilla/tests/fetch/orb/tentative/known-mime-type.sub.window.js b/testing/web-platform/mozilla/tests/fetch/orb/tentative/known-mime-type.sub.window.js
new file mode 100644
index 0000000000..1779b8ddfc
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/orb/tentative/known-mime-type.sub.window.js
@@ -0,0 +1,48 @@
+// META: script=/fetch/orb/resources/utils.js
+// META: script=resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+  fetchORB(`${path}/font.ttf`, null, contentType("font/ttf")),
+  "ORB should filter opaque font/ttf"
+);
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+  fetchORB(`${path}/text.txt`, null, contentType("text/plain")),
+  "ORB should filter opaque text/plain"
+);
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+  fetchORB(`${path}/data.json`, null, contentType("application/json")),
+  "ORB should filter opaque application/json (non-empty)"
+);
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+  fetchORB(`${path}/empty.json`, null, contentType("application/json")),
+  "ORB should filter opaque application/json (empty)"
+);
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+  fetchORB(
+    `${path}/data_non_ascii.json`,
+    null,
+    contentType("application/json")
+  ),
+  "ORB should filter opaque application/json which contains non ascii characters"
+);
diff --git a/testing/web-platform/mozilla/tests/fetch/orb/tentative/nosniff.sub.window.js b/testing/web-platform/mozilla/tests/fetch/orb/tentative/nosniff.sub.window.js
new file mode 100644
index 0000000000..7468921b30
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/orb/tentative/nosniff.sub.window.js
@@ -0,0 +1,44 @@
+// META: script=/fetch/orb/resources/utils.js
+// META: script=resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+// This is an exception that allow more MIME types than the ORB spec does.
+// This is due to web compatibility, but might be removed in the future.
+// See Bug 1828375
+promise_test(
+  async () =>
+    await fetchORB(
+      `${path}/text.txt`,
+      null,
+      contentType("text/plain"),
+      contentTypeOptions("nosniff")
+    ),
+  "ORB shouldn't block opaque text/plain with nosniff"
+);
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+  fetchORB(
+    `${path}/data.json`,
+    null,
+    contentType("application/json"),
+    contentTypeOptions("nosniff")
+  ),
+  "ORB should filter opaque-response-blocklisted MIME type with nosniff"
+);
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+  fetchORB(
+    `${path}/data.json`,
+    null,
+    contentType(""),
+    contentTypeOptions("nosniff")
+  ),
+  "ORB should filter opaque response with empty Content-Type and nosniff"
+);
diff --git a/testing/web-platform/mozilla/tests/fetch/orb/tentative/resources/utils.js b/testing/web-platform/mozilla/tests/fetch/orb/tentative/resources/utils.js
new file mode 100644
index 0000000000..b4f63b4416
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/orb/tentative/resources/utils.js
@@ -0,0 +1,21 @@
+function promise_internal_response_is_filtered(fetchPromise, message) {
+  return promise_test(async () => {
+    const response = await fetchPromise;
+
+    // A parent filtered opaque response is defined here as a response that isn't just an
+    // opaque response, but also where the internal response has been made unavailable.
+    // `Response.cloneUnfiltered` is used to inspect the state of the internal response,
+    // which is exactly what we want to be missing in this case.
+    const unfiltered = SpecialPowers.wrap(response).cloneUnfiltered();
+    assert_equals(
+      await SpecialPowers.unwrap(unfiltered).text(),
+      "",
+      "The internal response should be empty"
+    );
+    assert_equals(
+      Array.from(await SpecialPowers.unwrap(unfiltered).headers).length,
+      0,
+      "The internal response should have no headers"
+    );
+  }, message);
+}
diff --git a/testing/web-platform/mozilla/tests/fetch/orb/tentative/status.sub.window.js b/testing/web-platform/mozilla/tests/fetch/orb/tentative/status.sub.window.js
new file mode 100644
index 0000000000..902759b63a
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/orb/tentative/status.sub.window.js
@@ -0,0 +1,30 @@
+// META: script=/fetch/orb/resources/utils.js
+// META: script=resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+  fetchORB(
+    `${path}/data.json`,
+    null,
+    contentType("application/json"),
+    "status(206)"
+  ),
+  "ORB should filter opaque-response-blocklisted MIME type with status 206"
+);
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+  fetchORB(
+    `${path}/data.json`,
+    null,
+    contentType("application/json"),
+    "status(302)"
+  ),
+  "ORB should filter opaque range of image/png not starting at zero, that isn't subsequent"
+);