summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/fetch/orb
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/fetch/orb')
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/data.json3
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/font.ttfbin0 -> 2528 bytes
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/image.pngbin0 -> 1010 bytes
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js1
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.pngbin0 -> 1010 bytes
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers1
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/png-unlabeled.pngbin0 -> 1010 bytes
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/script.js4
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/sound.mp3bin0 -> 539 bytes
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/text.txt1
-rw-r--r--testing/web-platform/tests/fetch/orb/resources/utils.js18
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html20
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js31
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html126
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html5
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html7
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html5
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html7
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js41
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js59
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html24
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html24
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js33
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/status.sub.html17
-rw-r--r--testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js28
25 files changed, 455 insertions, 0 deletions
diff --git a/testing/web-platform/tests/fetch/orb/resources/data.json b/testing/web-platform/tests/fetch/orb/resources/data.json
new file mode 100644
index 0000000000..f2a886f39d
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/data.json
@@ -0,0 +1,3 @@
+{
+ "hello": "world"
+}
diff --git a/testing/web-platform/tests/fetch/orb/resources/font.ttf b/testing/web-platform/tests/fetch/orb/resources/font.ttf
new file mode 100644
index 0000000000..9023592ef5
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/font.ttf
Binary files differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/image.png b/testing/web-platform/tests/fetch/orb/resources/image.png
new file mode 100644
index 0000000000..820f8cace2
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/image.png
Binary files differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js b/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js
new file mode 100644
index 0000000000..a880a5bc72
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js
@@ -0,0 +1 @@
+window.has_executed_script = true;
diff --git a/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png
new file mode 100644
index 0000000000..820f8cace2
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png
Binary files differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers
new file mode 100644
index 0000000000..156209f9c8
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers
@@ -0,0 +1 @@
+Content-Type: text/html
diff --git a/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png b/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png
new file mode 100644
index 0000000000..820f8cace2
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png
Binary files differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/script.js b/testing/web-platform/tests/fetch/orb/resources/script.js
new file mode 100644
index 0000000000..19675d25d8
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/script.js
@@ -0,0 +1,4 @@
+"use strict";
+function fn() {
+ return 42;
+}
diff --git a/testing/web-platform/tests/fetch/orb/resources/sound.mp3 b/testing/web-platform/tests/fetch/orb/resources/sound.mp3
new file mode 100644
index 0000000000..a15d1de328
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/sound.mp3
Binary files differ
diff --git a/testing/web-platform/tests/fetch/orb/resources/text.txt b/testing/web-platform/tests/fetch/orb/resources/text.txt
new file mode 100644
index 0000000000..270c611ee7
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/text.txt
@@ -0,0 +1 @@
+hello, world!
diff --git a/testing/web-platform/tests/fetch/orb/resources/utils.js b/testing/web-platform/tests/fetch/orb/resources/utils.js
new file mode 100644
index 0000000000..94a2177f07
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/resources/utils.js
@@ -0,0 +1,18 @@
+function header(name, value) {
+ return `header(${name},${value})`;
+}
+
+function contentType(type) {
+ return header("Content-Type", type);
+}
+
+function contentTypeOptions(type) {
+ return header("X-Content-Type-Options", type);
+}
+
+function fetchORB(file, options, ...pipe) {
+ return fetch(`${file}${pipe.length ? `?pipe=${pipe.join("|")}` : ""}`, {
+ ...(options || {}),
+ mode: "no-cors",
+ });
+}
diff --git a/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html b/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html
new file mode 100644
index 0000000000..38e70c69ad
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html
@@ -0,0 +1,20 @@
+<!-- Test verifies that compressed images should not be blocked
+-->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+async_test(function(t) {
+ let url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+ url = url + "/fetch/orb/resources/png-unlabeled.png?pipe=gzip"
+
+ const img = document.createElement("img");
+ img.src = url;
+ img.onerror = t.unreached_func("Unexpected error event")
+ img.onload = t.step_func_done(function () {
+ assert_true(true);
+ })
+ document.body.appendChild(img)
+}, "ORB shouldn't block compressed images");
+</script>
+
diff --git a/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js
new file mode 100644
index 0000000000..ee97521a55
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js
@@ -0,0 +1,31 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const url =
+ "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/image.png";
+
+promise_test(async () => {
+ let headers = new Headers([["Range", "bytes=0-99"]]);
+ await fetchORB(
+ url,
+ { headers },
+ header("Content-Range", "bytes 0-99/1010"),
+ "slice(null,100)",
+ "status(206)"
+ );
+}, "ORB shouldn't block opaque range of image/png starting at zero");
+
+promise_test(
+ t =>
+ promise_rejects_js(
+ t,
+ TypeError,
+ fetchORB(
+ url,
+ { headers: new Headers([["Range", "bytes 10-99"]]) },
+ header("Content-Range", "bytes 10-99/1010"),
+ "slice(10,100)",
+ "status(206)"
+ )
+ ),
+ "ORB should block opaque range of image/png not starting at zero, that isn't subsequent"
+);
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
new file mode 100644
index 0000000000..5dc6c5d63a
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html
@@ -0,0 +1,126 @@
+<!-- Test verifies that cross-origin, nosniff images are 1) blocked when their
+ MIME type is covered by ORB and 2) allowed otherwise.
+
+ This test is very similar to fetch/orb/img-mime-types-coverage.tentative.sub.html,
+ except that it focuses on MIME types relevant to ORB.
+-->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+ var passes = [
+ // ORB safelisted MIME-types - i.e. ones covered by:
+ // - https://github.com/annevk/orb
+
+ "text/css",
+ "image/svg+xml",
+
+ // JavaScript MIME types
+ "application/ecmascript",
+ "application/javascript",
+ "application/x-ecmascript",
+ "application/x-javascript",
+ "text/ecmascript",
+ "text/javascript",
+ "text/javascript1.0",
+ "text/javascript1.1",
+ "text/javascript1.2",
+ "text/javascript1.3",
+ "text/javascript1.4",
+ "text/javascript1.5",
+ "text/jscript",
+ "text/livescript",
+ "text/x-ecmascript",
+ "text/x-javascript",
+ ]
+
+ var fails = [
+ // ORB blocklisted MIME-types - i.e. ones covered by:
+ // - https://github.com/annevk/orb
+
+ "text/html",
+
+ // JSON MIME type
+ "application/json",
+ "text/json",
+ "application/ld+json",
+
+ // XML MIME type
+ "text/xml",
+ "application/xml",
+ "application/xhtml+xml",
+
+ "application/dash+xml",
+ "application/gzip",
+ "application/msexcel",
+ "application/mspowerpoint",
+ "application/msword",
+ "application/msword-template",
+ "application/pdf",
+ "application/vnd.apple.mpegurl",
+ "application/vnd.ces-quickpoint",
+ "application/vnd.ces-quicksheet",
+ "application/vnd.ces-quickword",
+ "application/vnd.ms-excel",
+ "application/vnd.ms-excel.sheet.macroenabled.12",
+ "application/vnd.ms-powerpoint",
+ "application/vnd.ms-powerpoint.presentation.macroenabled.12",
+ "application/vnd.ms-word",
+ "application/vnd.ms-word.document.12",
+ "application/vnd.ms-word.document.macroenabled.12",
+ "application/vnd.msword",
+ "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+ "application/vnd.openxmlformats-officedocument.presentationml.template",
+ "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+ "application/vnd.openxmlformats-officedocument.spreadsheetml.template",
+ "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+ "application/vnd.openxmlformats-officedocument.wordprocessingml.template",
+ "application/vnd.presentation-openxml",
+ "application/vnd.presentation-openxmlm",
+ "application/vnd.spreadsheet-openxml",
+ "application/vnd.wordprocessing-openxml",
+ "application/x-gzip",
+ "application/x-protobuf",
+ "application/x-protobuffer",
+ "application/zip",
+ "audio/mpegurl",
+ "multipart/byteranges",
+ "multipart/signed",
+ "text/event-stream",
+ "text/csv",
+ "text/vtt",
+]
+
+ const get_url = (mime) => {
+ // www1 is cross-origin, so the HTTP response is ORB-eligible -->
+ url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+ url = url + "/fetch/nosniff/resources/image.py"
+ if (mime != null) {
+ url += "?type=" + encodeURIComponent(mime)
+ }
+ return url
+ }
+
+ passes.forEach(function (mime) {
+ async_test(function (t) {
+ var img = document.createElement("img")
+ img.onerror = t.unreached_func("Unexpected error event")
+ img.onload = t.step_func_done(function () {
+ assert_equals(img.width, 96)
+ })
+ img.src = get_url(mime)
+ document.body.appendChild(img)
+ }, "ORB should allow the response if Content-Type is: '" + mime + "'. ")
+ })
+
+ fails.forEach(function (mime) {
+ async_test(function (t) {
+ var img = document.createElement("img")
+ img.onerror = t.step_func_done()
+ img.onload = t.unreached_func("Unexpected load event")
+ img.src = get_url(mime)
+ document.body.appendChild(img)
+ }, "ORB should block the response if Content-Type is: '" + mime + "'. ")
+ })
+</script>
+
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html
new file mode 100644
index 0000000000..66462fb5e3
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<!-- Same-origin, so the HTTP response is not ORB-eligible. -->
+<img src="../resources/png-mislabeled-as-html.png">
+
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html
new file mode 100644
index 0000000000..aa03f4db63
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<!-- Test verifies that ORB allows an mislabeled cross-origin image after sniffing. -->
+<meta charset="utf-8">
+<!-- Reference page uses same-origin resources, which are not ORB-eligible. -->
+<link rel="match" href="img-png-mislabeled-as-html.sub-ref.html">
+<!-- www1 is cross-origin, so the HTTP response is ORB-eligible -->
+<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/png-mislabeled-as-html.png">
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html
new file mode 100644
index 0000000000..2d5e3bb8b5
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<!-- Same-origin, so the HTTP response is not ORB-eligible. -->
+<img src="../resources/png-unlabeled.png">
+
diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html
new file mode 100644
index 0000000000..77415f6af1
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<!-- Test verifies that ORB allows an unlabeled cross-origin image after sniffing. -->
+<meta charset="utf-8">
+<!-- Reference page uses same-origin resources, which are not ORB-eligible. -->
+<link rel="match" href="img-png-unlabeled.sub-ref.html">
+<!-- www1 is cross-origin, so the HTTP response is ORB-eligible -->
+<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/png-unlabeled.png">
diff --git a/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js
new file mode 100644
index 0000000000..a7bb663058
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js
@@ -0,0 +1,41 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+promise_test(
+ t =>
+ promise_rejects_js(
+ t,
+ TypeError,
+ fetchORB(`${path}/font.ttf`, null, contentType("font/ttf"))
+ ),
+ "ORB should block opaque font/ttf"
+);
+
+promise_test(
+ t =>
+ promise_rejects_js(
+ t,
+ TypeError,
+ fetchORB(`${path}/text.txt`, null, contentType("text/plain"))
+ ),
+ "ORB should block opaque text/plain"
+);
+
+promise_test(
+ t =>
+ promise_rejects_js(
+ t,
+ TypeError,
+ fetchORB(`${path}/data.json`, null, contentType("application/json"))
+ ),
+ "ORB should block opaque application/json"
+);
+
+promise_test(async () => {
+ fetchORB(`${path}/image.png`, null, contentType("image/png"));
+}, "ORB shouldn't block opaque image/png");
+
+promise_test(async () => {
+ await fetchORB(`${path}/script.js`, null, contentType("text/javascript"));
+}, "ORB shouldn't block opaque text/javascript");
diff --git a/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js
new file mode 100644
index 0000000000..3df9d22e0b
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js
@@ -0,0 +1,59 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+promise_test(
+ t =>
+ promise_rejects_js(
+ t,
+ TypeError,
+ fetchORB(
+ `${path}/text.txt`,
+ null,
+ contentType("text/plain"),
+ contentTypeOptions("nosniff")
+ )
+ ),
+ "ORB should block opaque text/plain with nosniff"
+);
+
+promise_test(
+ t =>
+ promise_rejects_js(
+ t,
+ TypeError,
+ fetchORB(
+ `${path}/data.json`,
+ null,
+ contentType("application/json"),
+ contentTypeOptions("nosniff")
+ )
+ ),
+ "ORB should block opaque-response-blocklisted MIME type with nosniff"
+);
+
+promise_test(
+ t =>
+ promise_rejects_js(
+ t,
+ TypeError,
+ fetchORB(
+ `${path}/data.json`,
+ null,
+ contentType(""),
+ contentTypeOptions("nosniff")
+ )
+ ),
+ "ORB should block opaque response with empty Content-Type and nosniff"
+);
+
+promise_test(
+ () =>
+ fetchORB(
+ `${path}/image.png`,
+ null,
+ contentType(""),
+ contentTypeOptions("nosniff")
+ ),
+ "ORB shouldn't block opaque image with empty Content-Type and nosniff"
+);
diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html
new file mode 100644
index 0000000000..fe85440798
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<!-- Test verifies that gziped script which parses as Javascript (not JSON) without Content-Type will execute with ORB. -->
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+
+<script>
+setup({ single_test: true });
+window.has_executed_script = false;
+</script>
+
+<!-- www1 is cross-origin, so the HTTP response is CORB-eligible -->
+<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled.js?pipe=gzip|header(Content-Type,)">
+</script>
+
+<script>
+// Verify what observable effects the <script> tag above had.
+// Assertion should hold with and without ORB:
+assert_true(window.has_executed_script,
+ 'The cross-origin script should execute');
+done();
+</script>
+
diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html
new file mode 100644
index 0000000000..4987f1307e
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<!-- Test verifies that script which parses as Javascript (not JSON) without Content-Type will execute with ORB. -->
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+
+<script>
+setup({ single_test: true });
+window.has_executed_script = false;
+</script>
+
+<!-- www1 is cross-origin, so the HTTP response is CORB-eligible -->
+<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled.js">
+</script>
+
+<script>
+// Verify what observable effects the <script> tag above had.
+// Assertion should hold with and without ORB:
+assert_true(window.has_executed_script,
+ 'The cross-origin script should execute');
+done();
+</script>
+
diff --git a/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js
new file mode 100644
index 0000000000..b94d8b7f63
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js
@@ -0,0 +1,33 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+promise_test(
+ t =>
+ promise_rejects_js(
+ t,
+ TypeError,
+ fetchORB(
+ `${path}/data.json`,
+ null,
+ contentType("application/json"),
+ "status(206)"
+ )
+ ),
+ "ORB should block opaque-response-blocklisted MIME type with status 206"
+);
+
+promise_test(
+ t =>
+ promise_rejects_js(
+ t,
+ TypeError,
+ fetchORB(
+ `${path}/data.json`,
+ null,
+ contentType("application/json"),
+ "status(302)"
+ )
+ ),
+ "ORB should block opaque response with non-ok status"
+);
diff --git a/testing/web-platform/tests/fetch/orb/tentative/status.sub.html b/testing/web-platform/tests/fetch/orb/tentative/status.sub.html
new file mode 100644
index 0000000000..a62bdeb35e
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/status.sub.html
@@ -0,0 +1,17 @@
+'use strict';
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+async_test(function(t) {
+ let url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+ url = `${url}/fetch/orb/resources/sound.mp3?pipe=status(301)|header(Content-Type,)`
+
+ const video = document.createElement("video");
+ video.src = url;
+ video.onerror = t.step_func_done();
+ video.onload = t.unreached_func("Unexpected error event");
+ document.body.appendChild(video);
+}, "ORB should block initial media requests with status not 200 or 206");
+</script>
diff --git a/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js
new file mode 100644
index 0000000000..f72ff928ad
--- /dev/null
+++ b/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js
@@ -0,0 +1,28 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+promise_test(
+ () => fetchORB(`${path}/font.ttf`, null, contentType("")),
+ "ORB shouldn't block opaque failed missing MIME type (font/ttf)"
+);
+
+promise_test(
+ () => fetchORB(`${path}/text.txt`, null, contentType("")),
+ "ORB shouldn't block opaque failed missing MIME type (text/plain)"
+);
+
+promise_test(
+ t => fetchORB(`${path}/data.json`, null, contentType("")),
+ "ORB shouldn't block opaque failed missing MIME type (application/json)"
+);
+
+promise_test(
+ () => fetchORB(`${path}/image.png`, null, contentType("")),
+ "ORB shouldn't block opaque failed missing MIME type (image/png)"
+);
+
+promise_test(
+ () => fetchORB(`${path}/script.js`, null, contentType("")),
+ "ORB shouldn't block opaque failed missing MIME type (text/javascript)"
+);