path: root/testing/web-platform/tests/resource-timing/iframe-failed-commit.html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>Resource Timing - test that unsuccessful iframes create entries</title>
<meta name="timeout" content="long">
<link rel="author" title="Google" href="http://www.google.com/" />
<link rel="help" href=
  "https://www.w3.org/TR/resource-timing-2/#resources-included-in-the-performanceresourcetiming-interface"/>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<script src="resources/entry-invariants.js"></script>
<script src="resources/resource-loaders.js"></script>
<body>
<script>

// Variant of load.iframe that goes through load.iframe_with_attrs and sets a
// csp attribute of "default-src 'none'", so the frame is fetched under that
// Content-Security-Policy. Resolves to whatever load.iframe_with_attrs
// produces for the given path.
const load_iframe_with_csp = async (path) => {
  const frame_attrs = {csp: "default-src 'none'"};
  return load.iframe_with_attrs(path, frame_attrs);
};

// Same CSP-restricted load as load_iframe_with_csp (csp attribute of
// "default-src 'none'"), but passes two further arguments to
// load.iframe_with_attrs: a no-op callback and `true`.
// NOTE(review): going by this helper's name, those presumably tell the loader
// not to wait for the frame to navigate; confirm against
// resources/resource-loaders.js.
const load_iframe_with_csp_no_navigation = async (path) => {
  const frame_attrs = {csp: "default-src 'none'"};
  const noop = () => {};
  return load.iframe_with_attrs(path, frame_attrs, noop, true);
};

// Registers a test, named by `label`, that loads `url` in an iframe with
// load.iframe and checks the resulting PerformanceResourceTiming entry with
// invariants.assert_tao_failure_resource: an entry must be generated, and it
// must NOT expose the sensitive timing attributes.
// NOTE(review): "tao" presumably refers to the Timing-Allow-Origin check; the
// exact attributes asserted live in resources/entry-invariants.js.
const masked_entry_test = (url, label) =>
  attribute_test(load.iframe, url, invariants.assert_tao_failure_resource,
    label);

// Registers a test, named by `label`, that loads `url` in an iframe under a
// "default-src 'none'" Content-Security-Policy (via load_iframe_with_csp) and
// checks the resulting PerformanceResourceTiming entry with
// invariants.assert_tao_pass_no_redirect_http: an entry must be generated,
// and it DOES expose the sensitive timing attributes.
const unmasked_entry_with_csp_test = (url, label) =>
  attribute_test(load_iframe_with_csp, url,
    invariants.assert_tao_pass_no_redirect_http, label);

// Registers a test, named by `label`, that loads `url` in an iframe under a
// "default-src 'none'" Content-Security-Policy (via load_iframe_with_csp) and
// checks the resulting PerformanceResourceTiming entry with
// invariants.assert_tao_failure_resource: an entry must be generated, and it
// must NOT expose the sensitive timing attributes.
const masked_entry_with_csp_test = (url, label) =>
  attribute_test(load_iframe_with_csp, url,
    invariants.assert_tao_failure_resource, label);

// Registers a test, named by `label`, for a `url` that answers with an empty
// response body. The iframe is loaded under a "default-src 'none'"
// Content-Security-Policy (via load_iframe_with_csp) and the resulting
// PerformanceResourceTiming entry is checked with
// invariants.assert_tao_pass_no_redirect_http_empty: an entry must be
// generated, and it DOES expose the sensitive timing attributes.
const empty_unmasked_entry_with_csp_test = (url, label) =>
  attribute_test(load_iframe_with_csp, url,
    invariants.assert_tao_pass_no_redirect_http_empty, label);

// Registers a test, named by `label`, that loads `url` in an iframe under a
// "default-src 'none'" Content-Security-Policy using
// load_iframe_with_csp_no_navigation, and checks the resulting
// PerformanceResourceTiming entry with
// invariants.assert_tao_failure_resource: an entry must be generated, and it
// must NOT expose the sensitive timing attributes.
const non_navigating_masked_entry_with_csp_test = (url, label) =>
  attribute_test(load_iframe_with_csp_no_navigation, url,
    invariants.assert_tao_failure_resource, label);

// Registers a test, named by `label`, for a `url` that answers with an empty
// response body. The iframe is loaded under a "default-src 'none'"
// Content-Security-Policy using load_iframe_with_csp_no_navigation, and the
// resulting PerformanceResourceTiming entry is checked with
// invariants.assert_tao_pass_no_redirect_http_empty: an entry must be
// generated, and it DOES expose the sensitive timing attributes.
const non_navigating_empty_unmasked_entry_with_csp_test = (url, label) =>
  attribute_test(load_iframe_with_csp_no_navigation, url,
    invariants.assert_tao_pass_no_redirect_http_empty, label);

const {REMOTE_ORIGIN, ORIGINAL_HOST, HTTPS_PORT} = get_host_info();
// URL on a "nonexistent." subdomain of the test host.
const unhosted_url = `https://nonexistent.${ORIGINAL_HOST}:${HTTPS_PORT}/`;

// Test matrix: [registration helper, iframe URL, test label]. Rows are
// registered top to bottom. Every case expects an entry to be reported; the
// helper chosen for a row encodes whether that entry is expected to expose
// the sensitive timing attributes (unmasked) or not (masked).
for (const [register_test, url, label] of [
  // Loads that end at a non-existent host, directly or through a redirect:
  // masked.
  [masked_entry_test,
    unhosted_url,
    "Test iframe from non-existent host gets reported"],
  [masked_entry_test,
    `/resource-timing/resources/fake_responses.py?redirect=${unhosted_url}`,
    "Test iframe redirecting to non-existent host gets reported"],

  // Same-origin frames under the CSP attribute: unmasked, whether or not the
  // frame complies with the policy.
  [unmasked_entry_with_csp_test,
    "/resource-timing/resources/csp-default-none.html",
    "Same-origin iframe that complies with CSP attribute gets reported"],
  [unmasked_entry_with_csp_test,
    "/resource-timing/resources/green-frame.html",
    "Same-origin iframe that doesn't comply with CSP attribute gets reported"],

  // Cross-origin frames under the CSP attribute: masked, whether or not the
  // frame complies with the policy.
  [masked_entry_with_csp_test,
    new URL("/resource-timing/resources/csp-default-none.html", REMOTE_ORIGIN),
    "Cross-origin iframe that complies with CSP attribute gets reported"],
  [masked_entry_with_csp_test,
    new URL("/resource-timing/resources/green-frame.html", REMOTE_ORIGIN),
    "Cross-origin iframe that doesn't comply with CSP attribute gets reported"],

  // Empty 200 responses: unmasked same-origin, masked cross-origin.
  [empty_unmasked_entry_with_csp_test,
    "/resource-timing/resources/200_empty.asis",
    "Same-origin empty iframe with a 200 status gets reported"],
  [masked_entry_with_csp_test,
    new URL("/resource-timing/resources/200_empty.asis", REMOTE_ORIGIN),
    "Cross-origin empty iframe with a 200 status gets reported"],

  // Empty 204/205 responses, loaded through the *_no_navigation helpers:
  // unmasked same-origin, masked cross-origin.
  [non_navigating_empty_unmasked_entry_with_csp_test,
    new URL("/resource-timing/resources/204_empty.asis", location.origin),
    "Same-origin empty iframe with a 204 status gets reported"],
  [non_navigating_empty_unmasked_entry_with_csp_test,
    new URL("/resource-timing/resources/205_empty.asis", location.origin),
    "Same-origin empty iframe with a 205 status gets reported"],
  [non_navigating_masked_entry_with_csp_test,
    new URL("/resource-timing/resources/204_empty.asis", REMOTE_ORIGIN),
    "Cross-origin empty iframe with a 204 status gets reported"],
  [non_navigating_masked_entry_with_csp_test,
    new URL("/resource-timing/resources/205_empty.asis", REMOTE_ORIGIN),
    "Cross-origin empty iframe with a 205 status gets reported"],
]) {
  register_test(url, label);
}

</script>
</body>
</html>