Experimentally block/deprecate resource requests whose URLs contain r…

…aw newlines.

Intent to Deprecate: https://groups.google.com/a/chromium.org/d/msg/blink-dev/AqSrOMzwrlk/wUglQnTJCgAJ

BUG=680970

Review-Url: https://codereview.chromium.org/2794303002
Cr-Commit-Position: refs/heads/master@{#462933}

third_party/WebKit/LayoutTests/bindings/blink-in-js-asan-crash-expected.txt

@@ -1 +1,2 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 Test passes if it does not crash on ASan builds.  

third_party/WebKit/LayoutTests/compositing/iframes/iframe-in-composited-layer-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 layer at (0,0) size 800x600
   LayoutView at (0,0) size 800x600
 layer at (0,0) size 800x600

third_party/WebKit/LayoutTests/editing/pasteboard/dragstart-contains-default-content-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 Simple test that the dragstart event contains the default data in the event.
 
 Select some text in this box and drag it.

third_party/WebKit/LayoutTests/fast/canvas/canvas-composite-canvas-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 Test Results
 solid on solid	alpha on solid	solid on alpha	alpha on alpha
 source-over				

third_party/WebKit/LayoutTests/fast/canvas/canvas-composite-image-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 Test Results
 solid on solid	alpha on solid	solid on alpha	alpha on alpha
 source-over				

third_party/WebKit/LayoutTests/fast/css/counters/counter-traverse-table-cell-expected.txt

@@ -1 +1,2 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 This tests that we don't crash when using the CSS counters feature.  

third_party/WebKit/LayoutTests/fast/dom/Element/offsetLeft-offsetTop-body-quirk-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 static: body: (0, 0) child: (27, 27)
 relative: body: (0, 0) child: (17, 17)
 fixed: body: (0, 0) child: (17, 17)

third_party/WebKit/LayoutTests/fast/dom/Element/offsetLeft-offsetTop-html-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 control: (0, 0)
 static: (10, 10)
 absolute: (20, 10)

third_party/WebKit/LayoutTests/fast/events/constructors/track-event-constructor-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 This tests the constructor for the TrackEvent DOM class.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".

third_party/WebKit/LayoutTests/fast/events/drag-and-drop-autoscroll-inner-frame-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 Check autoscroll within an inner frame by drag-and-drop
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".

third_party/WebKit/LayoutTests/fast/events/resize-subframe-expected.txt

@@ -1,2 +1,3 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 ALERT: PASS
 

third_party/WebKit/LayoutTests/fast/events/touch/gesture/long-press-focuses-frame-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 PASS successfullyParsed is true
 
 TEST COMPLETE

third_party/WebKit/LayoutTests/fast/files/null-origin-string-expected.txt

@@ -1,2 +1,3 @@
+CONSOLE WARNING: line 30: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 CONSOLE MESSAGE: line 1: Started reading...
 PASS if no crash.

third_party/WebKit/LayoutTests/fast/frames/content-opacity-1-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 layer at (0,0) size 800x600
   LayoutView at (0,0) size 800x600
 layer at (0,0) size 800x600

third_party/WebKit/LayoutTests/fast/frames/negative-remaining-length-crash-expected.txt

@@ -1 +1,2 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 

third_party/WebKit/LayoutTests/fast/loader/simultaneous-reloads-assert-expected.txt

@@ -1,3 +1,4 @@
 ALERT: If you do not hit an assertion failure when running this test with a debug build and you get a SUCCESS message, then you pass the test.
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 ALERT: SUCCESS
 

third_party/WebKit/LayoutTests/fast/loader/stateobjects/pushstate-in-data-url-denied-expected.txt

@@ -1,2 +1,3 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 ALERT: PASS: data URLs cannot be manipulated via pushState.
 

third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-hidden-iframe-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 This is link_1.
 
 

third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-hidden-iframe-zero-size-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 This is link_1.
 
 

third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-nested-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 Link
 
 Link

third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-no-focusable-content-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 a
 
 

third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-no-scrollable-content-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 a
 
 

third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-recursive-offset-parent-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 Link
 
 PASS successfullyParsed is true

third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-with-offscreen-focusable-element-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 
 
 PASS successfullyParsed is true

third_party/WebKit/LayoutTests/fullscreen/full-screen-iframe-without-allow-attribute-allowed-from-parent-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 Test entering full screen security restrictions. An iframe without an allow attribute is still permitted to fullscreen if the request comes from the containing document.
 
 To test manually, press any key - the page should enter full screen mode.

third_party/WebKit/LayoutTests/http/tests/local/absolute-url-strip-whitespace-expected.txt

@@ -1 +1,2 @@
-PASS
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
+FAIL, script did not run.

third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute-expected.txt

@@ -0,0 +1,15 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
+This is a testharness.js-based test.
+PASS <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?data=1&#10;b"> 
+PASS <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=2&#10;b&lt;c"> 
+PASS       <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=3        b&lt;c      ">     
+FAIL <img id="dangling" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEwAAABnAQMAAACQMjadAAAAA1BMVEX///+nxBvIAAAAEUlEQVQ4y2MYBaNgFIwCegAABG0AAd5G4RkAAAAASUVORK5CYII="> assert_equals: Height expected 0 but got 103
+PASS <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?4&img=&lt;b"> 
+PASS <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?5&data=&amp;#10;b"> 
+PASS <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?6&img=&amp;lt;b"> 
+PASS <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?7&img=&amp;#10;b&amp;lt;c"> 
+PASS       <img id="dangling" src="        http://127.0.0.1:8000/security/resources/abe.png?8      ">      <input type=hidden name=csrf value=sekrit>     
+PASS       <img id="dangling" src="      http://127.0.0.1:8000/security/resources/abe.png?9&img=&amp;lt;      ">      <input type=hidden name=csrf value=sekrit>     
+PASS       <img id="dangling" src="      http://127.0.0.1:8000/security/resources/abe.png?10&img=&amp;#10;      ">      <input type=hidden name=csrf value=sekrit>     
+Harness: the test ran to completion.
+

third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html

@@ -16,12 +16,14 @@
   var abeSizedPngWithNewline = abeSizedPng.replace("i", "i\n");
 
   var should_block = [
-    `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a${rawNewline}b${rawBrace}c">`,
+    `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?data=1${rawNewline}b">`,
+    `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=2${rawNewline}b${rawBrace}c">`,
     `
-      <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a
+      <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=3
         b${rawBrace}c
       ">
     `,
+    `<img id="dangling" src="${abeSizedPngWithNewline}">`,
   ];
 
   should_block.forEach(markup => {
@@ -32,35 +34,30 @@
   });
 
   var should_load = [
-
-    // `data:` and `javascript:` URLs don't check the content:
-    `<img id="dangling" src="${abeSizedPngWithNewline}">`,
-
-    // Just one or the other isn't enough:
-    `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?data=a${rawNewline}b">`,
-    `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a${rawBrace}b">`,
+    // Brace alone doesn't block:
+    `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?4&img=${rawBrace}b">`,
 
     // Entity-escaped characters don't trigger blocking:
-    `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?data=a${escapedNewline}b">`,
-    `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a${escapedBrace}b">`,
-    `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a${escapedNewline}b${escapedBrace}c">`,
+    `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?5&data=${escapedNewline}b">`,
+    `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?6&img=${escapedBrace}b">`,
+    `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?7&img=${escapedNewline}b${escapedBrace}c">`,
 
     // Leading and trailing whitespace is stripped:
     `
       <img id="dangling" src="
-        http://127.0.0.1:8000/security/resources/abe.png
+        http://127.0.0.1:8000/security/resources/abe.png?8
       ">
       <input type=hidden name=csrf value=sekrit>
     `,
     `
       <img id="dangling" src="
-      http://127.0.0.1:8000/security/resources/abe.png?img=${escapedBrace}
+      http://127.0.0.1:8000/security/resources/abe.png?9&img=${escapedBrace}
       ">
       <input type=hidden name=csrf value=sekrit>
     `,
     `
       <img id="dangling" src="
-      http://127.0.0.1:8000/security/resources/abe.png?img=${escapedNewline}
+      http://127.0.0.1:8000/security/resources/abe.png?10&img=${escapedNewline}
       ">
       <input type=hidden name=csrf value=sekrit>
     `,

third_party/WebKit/LayoutTests/http/tests/security/document-all-expected.txt

@@ -1,2 +1,3 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 ALERT: true
 

third_party/WebKit/LayoutTests/http/tests/security/no-indexeddb-from-sandbox-expected.txt

@@ -1,2 +1,3 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 CONSOLE MESSAGE: line 1: PASS: indexedDB.open() threw a SECURITY_ERR!
 

third_party/WebKit/LayoutTests/http/tests/security/no-popup-from-sandbox-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 CONSOLE ERROR: line 1: Blocked opening 'about:blank' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.
 CONSOLE MESSAGE: line 1: PASS
 To run this test outside of DumpRenderTree, please disable your popup blocker!

third_party/WebKit/LayoutTests/http/tests/security/no-popup-from-sandbox-top-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 CONSOLE ERROR: line 1: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://127.0.0.1:8000/security/no-popup-from-sandbox-top.html' from frame with URL 'data:text/html,       <script>       var win = window.open('about:blank', '_top');       console.log(win ? 'FAIL' : 'PASS');       </script>'. The frame attempting navigation of the top-level window is sandboxed, but the flag of 'allow-top-navigation' or 'allow-top-navigation-by-user-activation' is not set.
 
 CONSOLE MESSAGE: line 1: PASS

third_party/WebKit/LayoutTests/http/tests/security/popup-allowed-by-sandbox-can-navigate-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 To run this test outside of DumpRenderTree, please disable your popup blocker!
 
 This test passes if it doesn't hang.

third_party/WebKit/LayoutTests/http/tests/security/popup-allowed-by-sandbox-is-sandboxed-control-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 CONSOLE MESSAGE: line 1: /PASS/
 To run this test outside of DumpRenderTree, please disable your popup blocker!
 

third_party/WebKit/LayoutTests/http/tests/security/popup-allowed-by-sandbox-is-sandboxed-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 CONSOLE ERROR: line 1: Blocked form submission to 'javascript:alert(/FAIL/)' because the form's frame is sandboxed and the 'allow-forms' permission is not set.
 To run this test outside of DumpRenderTree, please disable your popup blocker!
 

third_party/WebKit/LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 CONSOLE MESSAGE: line 1: PASS
 To run this test outside of DumpRenderTree, please disable your popup blocker!
 

third_party/WebKit/LayoutTests/http/tests/security/sandboxed-opener-can-close-window-expected.txt

@@ -1,3 +1,4 @@
+CONSOLE WARNING: Resource requests whose URLs contain raw newline characters are deprecated, and may be blocked in M60, around August 2017. Please remove newlines from places like element attribute values in order to continue loading those resources. See https://www.chromestatus.com/features/5735596811091968 for more details.
 To run this test outside of DumpRenderTree, please disable your popup blocker!
 
 This test passes if it doesn't hang.