forked from chromium/chromium
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CORB: WPT tests for <script> tag interactions.
Bug: 809261, 806996 Change-Id: Ia0f5acdc517f79aa9075447f8b543a141313e098 Reviewed-on: https://chromium-review.googlesource.com/917195 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Nick Carter <nick@chromium.org> Cr-Commit-Position: refs/heads/master@{#536863}
- Loading branch information
1 parent
6a306a3
commit 926617b
Showing
15 changed files
with
194 additions
and
33 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
15 changes: 9 additions & 6 deletions
15
third_party/WebKit/LayoutTests/external/wpt/fetch/corb/css-with-json-parser-breaker.sub.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,17 +1,20 @@ | ||
<!doctype html> | ||
<meta charset="utf-8"> | ||
<title>CORB should not block text/css with a JSON parser breaker</title> | ||
<link rel="stylesheet" type="text/css" | ||
href="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/css-with-json-parser-breaker.css"> | ||
<script src=/resources/testharness.js></script> | ||
<script src=/resources/testharnessreport.js></script> | ||
|
||
<!-- www1 is cross-origin, so the HTTP response is CORB-eligible --> | ||
<link rel="stylesheet" type="text/css" | ||
href="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/css-with-json-parser-breaker.css"> | ||
|
||
<body> | ||
<h1 id="header">Header example</h1> | ||
<p>Paragraph body</p> | ||
</body> | ||
|
||
<script> | ||
test(function() { | ||
var style = getComputedStyle(document.getElementById('header')); | ||
assert_equals(style.getPropertyValue('color'), 'rgb(255, 0, 0)'); | ||
}, "CORB should not block text/css with a JSON parser breaker"); | ||
var style = getComputedStyle(document.getElementById('header')); | ||
assert_equals(style.getPropertyValue('color'), 'rgb(255, 0, 0)'); | ||
done(); | ||
</script> |
1 change: 1 addition & 0 deletions
1
...rty/WebKit/LayoutTests/external/wpt/fetch/corb/resources/js-mislabeled-as-html-nosniff.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
window.has_executed_script = true; |
2 changes: 2 additions & 0 deletions
2
...it/LayoutTests/external/wpt/fetch/corb/resources/js-mislabeled-as-html-nosniff.js.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
Content-Type: text/html | ||
X-Content-Type-Options: nosniff |
1 change: 1 addition & 0 deletions
1
third_party/WebKit/LayoutTests/external/wpt/fetch/corb/resources/js-mislabeled-as-html.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
window.has_executed_script = true; |
1 change: 1 addition & 0 deletions
1
...rty/WebKit/LayoutTests/external/wpt/fetch/corb/resources/js-mislabeled-as-html.js.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Content-Type: text/html |
30 changes: 30 additions & 0 deletions
30
...bKit/LayoutTests/external/wpt/fetch/corb/script-html-correctly-labeled.tentative.sub.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
<!DOCTYPE html> | ||
<!-- Test verifies that html fed to a <script> tag won't report a syntax | ||
error after CORB blocks the response (an empty response body injected | ||
by CORB won't have any JavaScript syntax errors). | ||
--> | ||
<meta charset="utf-8"> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
<div id=log></div> | ||
<script> | ||
setup({allow_uncaught_exception : true}); | ||
async_test(function(t) { | ||
var script = document.createElement("script") | ||
|
||
// Without CORB, the html document would cause a syntax error when parsed as | ||
// JavaScript, but with CORB there should be no errors (because CORB will | ||
// replace the response body with an empty body). | ||
script.onload = t.step_func_done(function(){}) | ||
addEventListener("error",function(e) { | ||
t.step(function() { | ||
assert_unreached("Empty body of a CORS-blocked response shouldn't trigger syntax errors."); | ||
t.done(); | ||
}) | ||
}); | ||
|
||
// www1 is cross-origin, so the HTTP response is CORB-eligible. | ||
script.src = 'http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/html-correctly-labeled.html'; | ||
document.body.appendChild(script) | ||
}); | ||
</script> |
32 changes: 32 additions & 0 deletions
32
.../WebKit/LayoutTests/external/wpt/fetch/corb/script-js-mislabeled-as-html-nosniff.sub.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
<!DOCTYPE html> | ||
<!-- Test verifies that script mislabeled as html won't execute with and without CORB | ||
if the nosniff response header is present. | ||
The expected behavior is covered by the Fetch spec at | ||
https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff? | ||
See also the following tests: | ||
- fetch/nosniff/importscripts.html | ||
- fetch/nosniff/script.html | ||
- fetch/nosniff/worker.html | ||
--> | ||
<meta charset="utf-8"> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
<div id=log></div> | ||
|
||
<script> | ||
window.has_executed_script = false; | ||
</script> | ||
|
||
<!-- www1 is cross-origin, so the HTTP response is CORB-eligible --> | ||
<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/js-mislabeled-as-html-nosniff.js"> | ||
</script> | ||
|
||
<script> | ||
// Verify what observable effects the <script> tag above had. | ||
// Assertion should hold with and without CORB: | ||
assert_false(window.has_executed_script, | ||
'The cross-origin script should not be executed'); | ||
done(); | ||
</script> |
24 changes: 24 additions & 0 deletions
24
third_party/WebKit/LayoutTests/external/wpt/fetch/corb/script-js-mislabeled-as-html.sub.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
<!DOCTYPE html> | ||
<!-- Test verifies that script mislabeled as html will execute with and without | ||
CORB (CORB should allow the script after sniffing). | ||
--> | ||
<meta charset="utf-8"> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
<div id=log></div> | ||
|
||
<script> | ||
window.has_executed_script = false; | ||
</script> | ||
|
||
<!-- www1 is cross-origin, so the HTTP response is CORB-eligible --> | ||
<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/js-mislabeled-as-html.js"> | ||
</script> | ||
|
||
<script> | ||
// Verify what observable effects the <script> tag above had. | ||
// Assertion should hold with and without CORB: | ||
assert_true(window.has_executed_script, | ||
'The cross-origin script should execute'); | ||
done(); | ||
</script> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters