Bug 1509766 [wpt PR 14226] - Signed Exchange: Disallow HEAD request method, a=testonly
author Kunihiko Sakamoto <ksakamoto@chromium.org>
Fri, 30 Nov 2018 18:02:44 +0000
changeset 449981 4011e7651835c066933f71de370f02961d8c2501
parent 449980 d33c66fa1a224033fbd0c4655ad3f914423a3c49
child 449982 7e26ba7ab67ae18d4431b12c8b12fedeb9546f5a
push id 110435
push user james@hoppipolla.co.uk
push date Tue, 11 Dec 2018 15:53:47 +0000
treeherder mozilla-inbound@add833a587f5
reviewers testonly
bugs 1509766, 14226, 803774, 1350017, 610767
milestone 66.0a1
Bug 1509766 [wpt PR 14226] - Signed Exchange: Disallow HEAD request method, a=testonly

Automatic update from web-platform-tests
Signed Exchange: Disallow HEAD request method

As per the Loading Signed Exchanges spec [1], this patch makes SignedExchangeEnvelope::Parse() fail if the exchange's request method is not "GET".

[1] https://wicg.github.io/webpackage/loading.html#parse-cbor-headers

Bug: 803774
Change-Id: I4729403f3dae5038bae702b0359e1b98f9a11233
Reviewed-on: https://chromium-review.googlesource.com/c/1350017
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Tsuyoshi Horo <horo@chromium.org>
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#610767}
--

wpt-commits: 4edb777ed3a216e6be6b8a7c13820a25340017dc
wpt-pr: 14226
testing/web-platform/tests/signed-exchange/resources/generate-test-sxgs.sh
testing/web-platform/tests/signed-exchange/resources/sxg-head-request.sxg
testing/web-platform/tests/signed-exchange/resources/sxg-head-request.sxg.headers
testing/web-platform/tests/signed-exchange/sxg-head-request.tentative.html
--- a/testing/web-platform/tests/signed-exchange/resources/generate-test-sxgs.sh
+++ b/testing/web-platform/tests/signed-exchange/resources/generate-test-sxgs.sh
@@ -33,16 +33,32 @@ gen-signedexchange \
   -certUrl $cert_url_origin/signed-exchange/resources/$certfile.cbor \
   -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
   -privateKey $keyfile \
   -date 2018-04-01T00:00:00Z \
   -expire 168h \
   -o sxg-location.sxg \
   -miRecordSize 100
 
+# Request method is HEAD.
+gen-signedexchange \
+  -version 1b2 \
+  -method HEAD \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $cert_url_origin/signed-exchange/resources/$certfile.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 168h \
+  -o sxg-head-request.sxg \
+  -miRecordSize 100
+
 # validityUrl is different origin from request URL.
 gen-signedexchange \
   -version 1b2 \
   -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
   -status 200 \
   -content failure.html \
   -certificate $certfile \
   -certUrl $cert_url_origin/signed-exchange/resources/$certfile.cbor \
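Review bot: The new HEAD invocation passes `-content sxg-location.html`, whereas the next must-not-load case (validityUrl on a different origin) uses `-content failure.html`. If failure.html is the convention for exchanges the browser has to reject, use it here as well so that an accidental load of the HEAD exchange is unmistakable; if sxg-location.html is deliberate, extend the `# Request method is HEAD.` comment to say that the exchange is expected to be rejected and why this payload was chosen.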
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..9d09647481c18a0cf8c77af198b2eff15c950b96
GIT binary patch
literal 958
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/resources/sxg-head-request.sxg.headers
@@ -0,0 +1,1 @@
+Content-Type: application/signed-exchange;v=b2
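Review bot: The `v=b2` parameter in this Content-Type has to stay in step with the `-version 1b2` passed to gen-signedexchange in generate-test-sxgs.sh, and neither file records that link. A one-line comment beside the new `-method HEAD` block in the script, naming sxg-head-request.sxg.headers, would keep the two from drifting apart at the next format version bump.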
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/sxg-head-request.tentative.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<title>Loading SignedHTTPExchange with HEAD request method must fail</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="./resources/sxg-util.js"></script>
+<body>
+<script>
+promise_test(async (t) => {
+  const sxgUrl = get_host_info().HTTPS_ORIGIN + '/signed-exchange/resources/sxg-head-request.sxg';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxgUrl);
+  assert_equals(message.location, innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+}, 'Loading SignedHTTPExchange with HEAD request method must fail');
+
+</script>
+</body>
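Review bot: `assert_true(message.is_fallback)` passes for any reason the exchange is rejected, so on its own this test does not show that the HEAD method caused the fallback. The exchange is generated with `-date 2018-04-01T00:00:00Z -expire 168h`, which would also produce a fallback if the signature is evaluated as expired or the certificate is not accepted in the test environment. Add a comment pointing at the control exchange that differs only in request method (sxg-location.sxg shares the certificate URL, validity URL, key, date and expiry in the visible lines), so a reader can tell which parameter is under test. Minor: the blank line before `</script>` can be dropped.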