diff options
Diffstat (limited to 'testing/web-platform/tests/fetch/orb')
25 files changed, 455 insertions, 0 deletions
diff --git a/testing/web-platform/tests/fetch/orb/resources/data.json b/testing/web-platform/tests/fetch/orb/resources/data.json new file mode 100644 index 0000000000..f2a886f39d --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/data.json @@ -0,0 +1,3 @@ +{ + "hello": "world" +} diff --git a/testing/web-platform/tests/fetch/orb/resources/font.ttf b/testing/web-platform/tests/fetch/orb/resources/font.ttf Binary files differnew file mode 100644 index 0000000000..9023592ef5 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/font.ttf diff --git a/testing/web-platform/tests/fetch/orb/resources/image.png b/testing/web-platform/tests/fetch/orb/resources/image.png Binary files differnew file mode 100644 index 0000000000..820f8cace2 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/image.png diff --git a/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js b/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js new file mode 100644 index 0000000000..a880a5bc72 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/js-unlabeled.js @@ -0,0 +1 @@ +window.has_executed_script = true; diff --git a/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png Binary files differnew file mode 100644 index 0000000000..820f8cace2 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png diff --git a/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers new file mode 100644 index 0000000000..156209f9c8 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/png-mislabeled-as-html.png.headers @@ -0,0 +1 @@ +Content-Type: text/html diff --git a/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png b/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png Binary files differnew file mode 100644 index 0000000000..820f8cace2 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/png-unlabeled.png diff --git a/testing/web-platform/tests/fetch/orb/resources/script.js b/testing/web-platform/tests/fetch/orb/resources/script.js new file mode 100644 index 0000000000..19675d25d8 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/script.js @@ -0,0 +1,4 @@ +"use strict"; +function fn() { + return 42; +} diff --git a/testing/web-platform/tests/fetch/orb/resources/sound.mp3 b/testing/web-platform/tests/fetch/orb/resources/sound.mp3 Binary files differnew file mode 100644 index 0000000000..a15d1de328 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/sound.mp3 diff --git a/testing/web-platform/tests/fetch/orb/resources/text.txt b/testing/web-platform/tests/fetch/orb/resources/text.txt new file mode 100644 index 0000000000..270c611ee7 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/text.txt @@ -0,0 +1 @@ +hello, world! diff --git a/testing/web-platform/tests/fetch/orb/resources/utils.js b/testing/web-platform/tests/fetch/orb/resources/utils.js new file mode 100644 index 0000000000..94a2177f07 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/resources/utils.js @@ -0,0 +1,18 @@ +function header(name, value) { + return `header(${name},${value})`; +} + +function contentType(type) { + return header("Content-Type", type); +} + +function contentTypeOptions(type) { + return header("X-Content-Type-Options", type); +} + +function fetchORB(file, options, ...pipe) { + return fetch(`${file}${pipe.length ? `?pipe=${pipe.join("|")}` : ""}`, { + ...(options || {}), + mode: "no-cors", + }); +} diff --git a/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html b/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html new file mode 100644 index 0000000000..38e70c69ad --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/compressed-image-sniffing.sub.html @@ -0,0 +1,20 @@ +<!-- Test verifies that compressed images should not be blocked +--> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<div id=log></div> +<script> +async_test(function(t) { + let url = "http://{{domains[www1]}}:{{ports[http][0]}}" + url = url + "/fetch/orb/resources/png-unlabeled.png?pipe=gzip" + + const img = document.createElement("img"); + img.src = url; + img.onerror = t.unreached_func("Unexpected error event") + img.onload = t.step_func_done(function () { + assert_true(true); + }) + document.body.appendChild(img) +}, "ORB shouldn't block compressed images"); +</script> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js new file mode 100644 index 0000000000..ee97521a55 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/content-range.sub.any.js @@ -0,0 +1,31 @@ +// META: script=/fetch/orb/resources/utils.js + +const url = + "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/image.png"; + +promise_test(async () => { + let headers = new Headers([["Range", "bytes=0-99"]]); + await fetchORB( + url, + { headers }, + header("Content-Range", "bytes 0-99/1010"), + "slice(null,100)", + "status(206)" + ); +}, "ORB shouldn't block opaque range of image/png starting at zero"); + +promise_test( + t => + promise_rejects_js( + t, + TypeError, + fetchORB( + url, + { headers: new Headers([["Range", "bytes 10-99"]]) }, + header("Content-Range", "bytes 10-99/1010"), + "slice(10,100)", + "status(206)" + ) + ), + "ORB should block opaque range of image/png not starting at zero, that isn't subsequent" +); diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html new file mode 100644 index 0000000000..5dc6c5d63a --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html @@ -0,0 +1,126 @@ +<!-- Test verifies that cross-origin, nosniff images are 1) blocked when their + MIME type is covered by ORB and 2) allowed otherwise. + + This test is very similar to fetch/orb/img-mime-types-coverage.tentative.sub.html, + except that it focuses on MIME types relevant to ORB. +--> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<div id=log></div> +<script> + var passes = [ + // ORB safelisted MIME-types - i.e. ones covered by: + // - https://github.com/annevk/orb + + "text/css", + "image/svg+xml", + + // JavaScript MIME types + "application/ecmascript", + "application/javascript", + "application/x-ecmascript", + "application/x-javascript", + "text/ecmascript", + "text/javascript", + "text/javascript1.0", + "text/javascript1.1", + "text/javascript1.2", + "text/javascript1.3", + "text/javascript1.4", + "text/javascript1.5", + "text/jscript", + "text/livescript", + "text/x-ecmascript", + "text/x-javascript", + ] + + var fails = [ + // ORB blocklisted MIME-types - i.e. ones covered by: + // - https://github.com/annevk/orb + + "text/html", + + // JSON MIME type + "application/json", + "text/json", + "application/ld+json", + + // XML MIME type + "text/xml", + "application/xml", + "application/xhtml+xml", + + "application/dash+xml", + "application/gzip", + "application/msexcel", + "application/mspowerpoint", + "application/msword", + "application/msword-template", + "application/pdf", + "application/vnd.apple.mpegurl", + "application/vnd.ces-quickpoint", + "application/vnd.ces-quicksheet", + "application/vnd.ces-quickword", + "application/vnd.ms-excel", + "application/vnd.ms-excel.sheet.macroenabled.12", + "application/vnd.ms-powerpoint", + "application/vnd.ms-powerpoint.presentation.macroenabled.12", + "application/vnd.ms-word", + "application/vnd.ms-word.document.12", + "application/vnd.ms-word.document.macroenabled.12", + "application/vnd.msword", + "application/vnd.openxmlformats-officedocument.presentationml.presentation", + "application/vnd.openxmlformats-officedocument.presentationml.template", + "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", + "application/vnd.openxmlformats-officedocument.spreadsheetml.template", + "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + "application/vnd.openxmlformats-officedocument.wordprocessingml.template", + "application/vnd.presentation-openxml", + "application/vnd.presentation-openxmlm", + "application/vnd.spreadsheet-openxml", + "application/vnd.wordprocessing-openxml", + "application/x-gzip", + "application/x-protobuf", + "application/x-protobuffer", + "application/zip", + "audio/mpegurl", + "multipart/byteranges", + "multipart/signed", + "text/event-stream", + "text/csv", + "text/vtt", +] + + const get_url = (mime) => { + // www1 is cross-origin, so the HTTP response is ORB-eligible --> + url = "http://{{domains[www1]}}:{{ports[http][0]}}" + url = url + "/fetch/nosniff/resources/image.py" + if (mime != null) { + url += "?type=" + encodeURIComponent(mime) + } + return url + } + + passes.forEach(function (mime) { + async_test(function (t) { + var img = document.createElement("img") + img.onerror = t.unreached_func("Unexpected error event") + img.onload = t.step_func_done(function () { + assert_equals(img.width, 96) + }) + img.src = get_url(mime) + document.body.appendChild(img) + }, "ORB should allow the response if Content-Type is: '" + mime + "'. ") + }) + + fails.forEach(function (mime) { + async_test(function (t) { + var img = document.createElement("img") + img.onerror = t.step_func_done() + img.onload = t.unreached_func("Unexpected load event") + img.src = get_url(mime) + document.body.appendChild(img) + }, "ORB should block the response if Content-Type is: '" + mime + "'. ") + }) +</script> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html new file mode 100644 index 0000000000..66462fb5e3 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub-ref.html @@ -0,0 +1,5 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<!-- Same-origin, so the HTTP response is not ORB-eligible. --> +<img src="../resources/png-mislabeled-as-html.png"> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html new file mode 100644 index 0000000000..aa03f4db63 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-mislabeled-as-html.sub.html @@ -0,0 +1,7 @@ +<!DOCTYPE html> +<!-- Test verifies that ORB allows an mislabeled cross-origin image after sniffing. --> +<meta charset="utf-8"> +<!-- Reference page uses same-origin resources, which are not ORB-eligible. --> +<link rel="match" href="img-png-mislabeled-as-html.sub-ref.html"> +<!-- www1 is cross-origin, so the HTTP response is ORB-eligible --> +<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/png-mislabeled-as-html.png"> diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html new file mode 100644 index 0000000000..2d5e3bb8b5 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub-ref.html @@ -0,0 +1,5 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<!-- Same-origin, so the HTTP response is not ORB-eligible. --> +<img src="../resources/png-unlabeled.png"> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html new file mode 100644 index 0000000000..77415f6af1 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/img-png-unlabeled.sub.html @@ -0,0 +1,7 @@ +<!DOCTYPE html> +<!-- Test verifies that ORB allows an unlabeled cross-origin image after sniffing. --> +<meta charset="utf-8"> +<!-- Reference page uses same-origin resources, which are not ORB-eligible. --> +<link rel="match" href="img-png-unlabeled.sub-ref.html"> +<!-- www1 is cross-origin, so the HTTP response is ORB-eligible --> +<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/png-unlabeled.png"> diff --git a/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js new file mode 100644 index 0000000000..a7bb663058 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/known-mime-type.sub.any.js @@ -0,0 +1,41 @@ +// META: script=/fetch/orb/resources/utils.js + +const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources"; + +promise_test( + t => + promise_rejects_js( + t, + TypeError, + fetchORB(`${path}/font.ttf`, null, contentType("font/ttf")) + ), + "ORB should block opaque font/ttf" +); + +promise_test( + t => + promise_rejects_js( + t, + TypeError, + fetchORB(`${path}/text.txt`, null, contentType("text/plain")) + ), + "ORB should block opaque text/plain" +); + +promise_test( + t => + promise_rejects_js( + t, + TypeError, + fetchORB(`${path}/data.json`, null, contentType("application/json")) + ), + "ORB should block opaque application/json" +); + +promise_test(async () => { + fetchORB(`${path}/image.png`, null, contentType("image/png")); +}, "ORB shouldn't block opaque image/png"); + +promise_test(async () => { + await fetchORB(`${path}/script.js`, null, contentType("text/javascript")); +}, "ORB shouldn't block opaque text/javascript"); diff --git a/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js new file mode 100644 index 0000000000..3df9d22e0b --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/nosniff.sub.any.js @@ -0,0 +1,59 @@ +// META: script=/fetch/orb/resources/utils.js + +const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources"; + +promise_test( + t => + promise_rejects_js( + t, + TypeError, + fetchORB( + `${path}/text.txt`, + null, + contentType("text/plain"), + contentTypeOptions("nosniff") + ) + ), + "ORB should block opaque text/plain with nosniff" +); + +promise_test( + t => + promise_rejects_js( + t, + TypeError, + fetchORB( + `${path}/data.json`, + null, + contentType("application/json"), + contentTypeOptions("nosniff") + ) + ), + "ORB should block opaque-response-blocklisted MIME type with nosniff" +); + +promise_test( + t => + promise_rejects_js( + t, + TypeError, + fetchORB( + `${path}/data.json`, + null, + contentType(""), + contentTypeOptions("nosniff") + ) + ), + "ORB should block opaque response with empty Content-Type and nosniff" +); + +promise_test( + () => + fetchORB( + `${path}/image.png`, + null, + contentType(""), + contentTypeOptions("nosniff") + ), + "ORB shouldn't block opaque image with empty Content-Type and nosniff" +); diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html new file mode 100644 index 0000000000..fe85440798 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/script-js-unlabeled-gziped.sub.html @@ -0,0 +1,24 @@ +<!DOCTYPE html> +<!-- Test verifies that gziped script which parses as Javascript (not JSON) without Content-Type will execute with ORB. --> +<meta charset="utf-8"> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<div id=log></div> + +<script> +setup({ single_test: true }); +window.has_executed_script = false; +</script> + +<!-- www1 is cross-origin, so the HTTP response is CORB-eligible --> +<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled.js?pipe=gzip|header(Content-Type,)"> +</script> + +<script> +// Verify what observable effects the <script> tag above had. +// Assertion should hold with and without ORB: +assert_true(window.has_executed_script, + 'The cross-origin script should execute'); +done(); +</script> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html b/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html new file mode 100644 index 0000000000..4987f1307e --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/script-unlabeled.sub.html @@ -0,0 +1,24 @@ +<!DOCTYPE html> +<!-- Test verifies that script which parses as Javascript (not JSON) without Content-Type will execute with ORB. --> +<meta charset="utf-8"> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<div id=log></div> + +<script> +setup({ single_test: true }); +window.has_executed_script = false; +</script> + +<!-- www1 is cross-origin, so the HTTP response is CORB-eligible --> +<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources/js-unlabeled.js"> +</script> + +<script> +// Verify what observable effects the <script> tag above had. +// Assertion should hold with and without ORB: +assert_true(window.has_executed_script, + 'The cross-origin script should execute'); +done(); +</script> + diff --git a/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js new file mode 100644 index 0000000000..b94d8b7f63 --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/status.sub.any.js @@ -0,0 +1,33 @@ +// META: script=/fetch/orb/resources/utils.js + +const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources"; + +promise_test( + t => + promise_rejects_js( + t, + TypeError, + fetchORB( + `${path}/data.json`, + null, + contentType("application/json"), + "status(206)" + ) + ), + "ORB should block opaque-response-blocklisted MIME type with status 206" +); + +promise_test( + t => + promise_rejects_js( + t, + TypeError, + fetchORB( + `${path}/data.json`, + null, + contentType("application/json"), + "status(302)" + ) + ), + "ORB should block opaque response with non-ok status" +); diff --git a/testing/web-platform/tests/fetch/orb/tentative/status.sub.html b/testing/web-platform/tests/fetch/orb/tentative/status.sub.html new file mode 100644 index 0000000000..a62bdeb35e --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/status.sub.html @@ -0,0 +1,17 @@ +'use strict'; + +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<div id=log></div> +<script> +async_test(function(t) { + let url = "http://{{domains[www1]}}:{{ports[http][0]}}" + url = `${url}/fetch/orb/resources/sound.mp3?pipe=status(301)|header(Content-Type,)` + + const video = document.createElement("video"); + video.src = url; + video.onerror = t.step_func_done(); + video.onload = t.unreached_func("Unexpected error event"); + document.body.appendChild(video); +}, "ORB should block initial media requests with status not 200 or 206"); +</script> diff --git a/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js b/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js new file mode 100644 index 0000000000..f72ff928ad --- /dev/null +++ b/testing/web-platform/tests/fetch/orb/tentative/unknown-mime-type.sub.any.js @@ -0,0 +1,28 @@ +// META: script=/fetch/orb/resources/utils.js + +const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources"; + +promise_test( + () => fetchORB(`${path}/font.ttf`, null, contentType("")), + "ORB shouldn't block opaque failed missing MIME type (font/ttf)" +); + +promise_test( + () => fetchORB(`${path}/text.txt`, null, contentType("")), + "ORB shouldn't block opaque failed missing MIME type (text/plain)" +); + +promise_test( + t => fetchORB(`${path}/data.json`, null, contentType("")), + "ORB shouldn't block opaque failed missing MIME type (application/json)" +); + +promise_test( + () => fetchORB(`${path}/image.png`, null, contentType("")), + "ORB shouldn't block opaque failed missing MIME type (image/png)" +); + +promise_test( + () => fetchORB(`${path}/script.js`, null, contentType("")), + "ORB shouldn't block opaque failed missing MIME type (text/javascript)" +); |