author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /testing/web-platform/mozilla/tests/fetch | |
parent | Initial commit. (diff) | |
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/mozilla/tests/fetch')
8 files changed, 274 insertions, 0 deletions
diff --git a/testing/web-platform/mozilla/tests/fetch/api/redirect/redirect-referrer-mixed-content.js b/testing/web-platform/mozilla/tests/fetch/api/redirect/redirect-referrer-mixed-content.js
new file mode 100644
index 0000000000..ad59904fd9
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/api/redirect/redirect-referrer-mixed-content.js
@@ -0,0 +1,51 @@
+if (this.document === undefined) {
+ importScripts("/common/utils.js");
+ importScripts("/resources/testharness.js");
+ importScripts("/fetch/api/resources/utils.js");
+ importScripts("/common/get-host-info.sub.js");
+}
+
+function testReferrerAfterRedirection(desc, redirectUrl, redirectLocation, referrerPolicy, redirectReferrerPolicy, expectedReferrer) {
+ var url = redirectUrl;
+ var urlParameters = "?location=" + encodeURIComponent(redirectLocation);
+
+ if (redirectReferrerPolicy)
+ urlParameters += "&redirect_referrerpolicy=" + redirectReferrerPolicy;
+
+ var requestInit = {"redirect": "follow", "referrerPolicy": referrerPolicy};
+
+ promise_test(function(test) {
+ return fetch(url + urlParameters, requestInit).then(function(response) {
+ assert_equals(response.status, 200, "Inspect header response's status is 200");
+ assert_equals(response.headers.get("x-request-referer"), expectedReferrer ? expectedReferrer : null, "Check referrer header");
+ });
+ }, desc);
+}
+
+var referrerOrigin = get_host_info().HTTPS_ORIGIN + "/";
+var referrerUrl = location.href;
+
+var RESOURCES_DIR = "/fetch/api/resources/";
+var redirectUrl = RESOURCES_DIR + "redirect.py";
+var locationUrl = get_host_info().HTTPS_ORIGIN + RESOURCES_DIR + "inspect-headers.py?headers=referer";
+var httpLocationUrl = get_host_info().HTTP_REMOTE_ORIGIN + RESOURCES_DIR + "inspect-headers.py?cors&headers=referer";
+
+testReferrerAfterRedirection("Downgrade, empty init, unsafe-url redirect header ", redirectUrl, httpLocationUrl, "", "unsafe-url", referrerUrl);
+testReferrerAfterRedirection("Downgrade, empty init, no-referrer-when-downgrade redirect header ", redirectUrl, httpLocationUrl, "", "no-referrer-when-downgrade", null);
+testReferrerAfterRedirection("Downgrade, empty init, same-origin redirect header ", redirectUrl, httpLocationUrl, "", "same-origin", null);
+testReferrerAfterRedirection("Downgrade, empty init, origin redirect header ", redirectUrl, httpLocationUrl, "", "origin", referrerOrigin);
+testReferrerAfterRedirection("Downgrade, empty init, origin-when-cross-origin redirect header ", redirectUrl, httpLocationUrl, "", "origin-when-cross-origin", referrerOrigin);
+testReferrerAfterRedirection("Downgrade, empty init, no-referrer redirect header ", redirectUrl, httpLocationUrl, "", "no-referrer", null);
+testReferrerAfterRedirection("Downgrade, empty init, strict-origin redirect header ", redirectUrl, httpLocationUrl, "", "strict-origin", null);
+testReferrerAfterRedirection("Downgrade, empty init, strict-origin-when-cross-origin redirect header ", redirectUrl, httpLocationUrl, "", "strict-origin-when-cross-origin", null);
+
+testReferrerAfterRedirection("Downgrade, empty redirect header, unsafe-url init ", redirectUrl, httpLocationUrl, "unsafe-url", "", referrerUrl);
+testReferrerAfterRedirection("Downgrade, empty redirect header, no-referrer-when-downgrade init ", redirectUrl, httpLocationUrl, "no-referrer-when-downgrade", "", null);
+testReferrerAfterRedirection("Downgrade, empty redirect header, same-origin init ", redirectUrl, httpLocationUrl, "same-origin", "", null);
+testReferrerAfterRedirection("Downgrade, empty redirect header, origin init ", redirectUrl, httpLocationUrl, "origin", "", referrerOrigin);
+testReferrerAfterRedirection("Downgrade, empty redirect header, origin-when-cross-origin init ", redirectUrl, httpLocationUrl, "origin-when-cross-origin", "", referrerOrigin);
+testReferrerAfterRedirection("Downgrade, empty redirect header, no-referrer init ", redirectUrl, httpLocationUrl, "no-referrer", "", null);
+testReferrerAfterRedirection("Downgrade, empty redirect header, strict-origin init ", redirectUrl, httpLocationUrl, "strict-origin", "", null);
+testReferrerAfterRedirection("Downgrade, empty redirect header, strict-origin-when-cross-origin init ", redirectUrl, httpLocationUrl, "strict-origin-when-cross-origin", "", null);
+
+
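Review bot: In redirect-referrer-mixed-content.js, `locationUrl` (the HTTPS inspect-headers target) is declared but never passed to `testReferrerAfterRedirection`, so every case is a downgrade to `httpLocationUrl` and nothing in the file shows the same policies sending a referrer when there is no downgrade. Either drop the variable or add a same-scheme control case that uses it, with the expected referrer confirmed against the Referrer Policy spec. Separately, `redirectReferrerPolicy` is appended to the query string unencoded while `redirectLocation` goes through `encodeURIComponent`; that is harmless for the fixed tokens used here, but `"&redirect_referrerpolicy=" + encodeURIComponent(redirectReferrerPolicy)` would keep the helper safe for other values.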
diff --git a/testing/web-platform/mozilla/tests/fetch/api/redirect/redirect-referrer.https.html b/testing/web-platform/mozilla/tests/fetch/api/redirect/redirect-referrer.https.html
new file mode 100644
index 0000000000..bcd24892e2
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/api/redirect/redirect-referrer.https.html
@@ -0,0 +1,18 @@
+<!doctype html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title>Fetch: redirect referrer handling, mixed content</title>
+ <meta name="author" title="Canon Research France" href="https://www.crf.canon.fr">
+ <meta name="help" href="https://fetch.spec.whatwg.org/#main-fetch">
+ <meta name="help" href="https://fetch.spec.whatwg.org/#http-redirect-fetch">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body>
+ <script src="/common/utils.js"></script>
+ <script src="/fetch/api/resources/utils.js"></script>
+ <script src="/common/get-host-info.sub.js"></script>
+ <script src="redirect-referrer-mixed-content.js"></script>
+ </body>
+</html>
diff --git a/testing/web-platform/mozilla/tests/fetch/orb/tentative/content-range.sub.window.js b/testing/web-platform/mozilla/tests/fetch/orb/tentative/content-range.sub.window.js
new file mode 100644
index 0000000000..e6fe872719
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/orb/tentative/content-range.sub.window.js
@@ -0,0 +1,19 @@
+// META: script=/fetch/orb/resources/utils.js
+// META: script=resources/utils.js
+
+const url =
+ "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/image.png";
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+ fetchORB(
+ url,
+ { headers: new Headers([["Range", "bytes 10-99"]]) },
+ header("Content-Range", "bytes 10-99/1010"),
+ "slice(10,100)",
+ "status(206)"
+ ),
+ "ORB should filter opaque range of image/png not starting at zero, that isn't subsequent"
+);
diff --git a/testing/web-platform/mozilla/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html b/testing/web-platform/mozilla/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
new file mode 100644
index 0000000000..d5ab1a4cd7
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
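Review bot: In content-range.sub.window.js the request header value is `"bytes 10-99"`, but the Range request syntax is `bytes=10-99`; the space-separated form belongs to the Content-Range response header. `fetchORB` is defined outside this diff, but if it issues a no-cors request a value that is not a simple range is likely to be dropped from the request, in which case the test would exercise the no-Range path rather than the "not starting at zero" path its name claims. Suggest `{ headers: new Headers([["Range", "bytes=10-99"]]) },` and then re-checking that the filtered-response expectation still holds.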
@@ -0,0 +1,43 @@
+<!-- Test verifies that cross-origin, nosniff images are 1) blocked when their
+ MIME type is covered by ORB and 2) allowed otherwise.
+
+ This test is very similar to fetch/orb/img-mime-types-coverage.tentative.sub.html,
+ except that it focuses on MIME types relevant to ORB.
+-->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+ var passes = [
+ // These are exceptions that allow more MIME types than the ORB spec does.
+ // This is due to web compat, but might be removed in the future.
+ // See Bug 1828375
+ "application/dash+xml",
+ "application/vnd.apple.mpegurl",
+ "audio/mpegurl",
+ "audio/mpeg",
+ "text/vtt",
+ ]
+
+ const get_url = (mime) => {
+ // www1 is cross-origin, so the HTTP response is ORB-eligible -->
+ url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+ url = url + "/fetch/nosniff/resources/image.py"
+ if (mime != null) {
+ url += "?type=" + encodeURIComponent(mime)
+ }
+ return url
+ }
+
+ passes.forEach(function (mime) {
+ async_test(function (t) {
+ var img = document.createElement("img")
+ img.onerror = t.unreached_func("Unexpected error event")
+ img.onload = t.step_func_done(function () {
+ assert_equals(img.width, 96)
+ })
+ img.src = get_url(mime)
+ document.body.appendChild(img)
+ }, "ORB should allow the response if Content-Type is: '" + mime + "'. ")
+ })
+</script>
diff --git a/testing/web-platform/mozilla/tests/fetch/orb/tentative/known-mime-type.sub.window.js b/testing/web-platform/mozilla/tests/fetch/orb/tentative/known-mime-type.sub.window.js
new file mode 100644
index 0000000000..1779b8ddfc
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/orb/tentative/known-mime-type.sub.window.js
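Review bot: In img-mime-types-coverage.tentative.sub.html, `url` inside `get_url` is assigned without a declaration, so it becomes an implicit global shared by every call and would throw if the script ever ran in strict mode. Declare it locally, for example `let url = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/nosniff/resources/image.py"`. The header comment also says the test checks that ORB-covered types are blocked, but the file only has a `passes` list, so the comment should be trimmed to describe the allow-list exceptions that are actually tested. The stray `-->` at the end of the `// www1 is cross-origin` comment can go as well.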
@@ -0,0 +1,48 @@
+// META: script=/fetch/orb/resources/utils.js
+// META: script=resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+ fetchORB(`${path}/font.ttf`, null, contentType("font/ttf")),
+ "ORB should filter opaque font/ttf"
+);
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+ fetchORB(`${path}/text.txt`, null, contentType("text/plain")),
+ "ORB should filter opaque text/plain"
+);
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+ fetchORB(`${path}/data.json`, null, contentType("application/json")),
+ "ORB should filter opaque application/json (non-empty)"
+);
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+ fetchORB(`${path}/empty.json`, null, contentType("application/json")),
+ "ORB should filter opaque application/json (empty)"
+);
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+ fetchORB(
+ `${path}/data_non_ascii.json`,
+ null,
+ contentType("application/json")
+ ),
+ "ORB should filter opaque application/json which contains non ascii characters"
+);
diff --git a/testing/web-platform/mozilla/tests/fetch/orb/tentative/nosniff.sub.window.js b/testing/web-platform/mozilla/tests/fetch/orb/tentative/nosniff.sub.window.js
new file mode 100644
index 0000000000..7468921b30
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/orb/tentative/nosniff.sub.window.js
@@ -0,0 +1,44 @@
+// META: script=/fetch/orb/resources/utils.js
+// META: script=resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+// This is an exception that allow more MIME types than the ORB spec does.
+// This is due to web compatibility, but might be removed in the future.
+// See Bug 1828375
+promise_test(
+ async () =>
+ await fetchORB(
+ `${path}/text.txt`,
+ null,
+ contentType("text/plain"),
+ contentTypeOptions("nosniff")
+ ),
+ "ORB shouldn't block opaque text/plain with nosniff"
+);
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+ fetchORB(
+ `${path}/data.json`,
+ null,
+ contentType("application/json"),
+ contentTypeOptions("nosniff")
+ ),
+ "ORB should filter opaque-response-blocklisted MIME type with nosniff"
+);
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+ fetchORB(
+ `${path}/data.json`,
+ null,
+ contentType(""),
+ contentTypeOptions("nosniff")
+ ),
+ "ORB should filter opaque response with empty Content-Type and nosniff"
+);
diff --git a/testing/web-platform/mozilla/tests/fetch/orb/tentative/resources/utils.js b/testing/web-platform/mozilla/tests/fetch/orb/tentative/resources/utils.js
new file mode 100644
index 0000000000..b4f63b4416
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/orb/tentative/resources/utils.js
@@ -0,0 +1,21 @@
+function promise_internal_response_is_filtered(fetchPromise, message) {
+ return promise_test(async () => {
+ const response = await fetchPromise;
+
+ // A parent filtered opaque response is defined here as a response that isn't just an
+ // opaque response, but also where the internal response has been made unavailable.
+ // `Response.cloneUnfiltered` is used to inspect the state of the internal response,
+ // which is exactly what we want to be missing in this case.
+ const unfiltered = SpecialPowers.wrap(response).cloneUnfiltered();
+ assert_equals(
+ await SpecialPowers.unwrap(unfiltered).text(),
+ "",
+ "The internal response should be empty"
+ );
+ assert_equals(
+ Array.from(await SpecialPowers.unwrap(unfiltered).headers).length,
+ 0,
+ "The internal response should have no headers"
+ );
+ }, message);
+}
diff --git a/testing/web-platform/mozilla/tests/fetch/orb/tentative/status.sub.window.js b/testing/web-platform/mozilla/tests/fetch/orb/tentative/status.sub.window.js
new file mode 100644
index 0000000000..902759b63a
--- /dev/null
+++ b/testing/web-platform/mozilla/tests/fetch/orb/tentative/status.sub.window.js
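Review bot: `promise_internal_response_is_filtered` in resources/utils.js checks only the unfiltered clone and never asserts anything about the outer `response`, although its own comment defines the target state as an opaque response whose internal response is also unavailable. Adding `assert_equals(response.type, "opaque", "The response should be opaque");` before the `cloneUnfiltered()` call would pin the first half of that definition, assuming `fetchORB` (defined outside this diff) issues a no-cors request. Without it, any response that happens to have an empty body and no headers satisfies the helper. The `await` in front of `SpecialPowers.unwrap(unfiltered).headers` is also unnecessary, since `headers` is not a promise.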
@@ -0,0 +1,30 @@
+// META: script=/fetch/orb/resources/utils.js
+// META: script=resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+ fetchORB(
+ `${path}/data.json`,
+ null,
+ contentType("application/json"),
+ "status(206)"
+ ),
+ "ORB should filter opaque-response-blocklisted MIME type with status 206"
+);
+
+// Due to web compatibility we filter opaque Response object from the
+// fetch() function in the Fetch specification. See Bug 1823877. This
+// might be removed in the future.
+promise_internal_response_is_filtered(
+ fetchORB(
+ `${path}/data.json`,
+ null,
+ contentType("application/json"),
+ "status(302)"
+ ),
+ "ORB should filter opaque range of image/png not starting at zero, that isn't subsequent"
+); |
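Review bot: The second test in status.sub.window.js requests `data.json` as `application/json` with `status(302)`, but its description is the image/png range message copied from content-range.sub.window.js. A failure here would be reported under a name that points at the wrong ORB rule, which makes regressions in the status-code path harder to triage. Suggest `"ORB should filter opaque-response-blocklisted MIME type with status 302"`, matching the wording of the 206 case above it.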