Bug 1459733 [wpt PR 10880] - Handle more html/js polyglots in CORB confirmation sniffing., a=testonly
authorLukasz Anforowicz <lukasza@chromium.org>
Tue, 15 May 2018 13:41:05 +0000
changeset 418591 7a9ff12ea34fb8f73736421022c21f42ba73f4d0
parent 418590 32af852fa30200dc9d005076292a9cb29080eb48
child 418592 51f1ecd79ebec8c510e17072ed0e3e744863215d
push id34007
push usercsabou@mozilla.com
push dateThu, 17 May 2018 09:47:02 +0000
treeherdermozilla-central@8fb36531f7d0 [default view] [failures only]
reviewerstestonly
bugs1459733, 10880, 839945, 1047851, 557018
milestone62.0a1
Bug 1459733 [wpt PR 10880] - Handle more html/js polyglots in CORB confirmation sniffing., a=testonly

Automatic update from web-platform-tests
Handle more html/js polyglots in CORB confirmation sniffing.

Cross-Origin Read Blocking (CORB) tries to protect certain resource types (e.g. text/html). To be resilient against HTTP responses mislabeled with an incorrect Content-Type, CORB sniffs the response body to confirm if it truly is the protected type.

Before this CL the confirmation sniffing logic blocked resources that are both a valid html and a valid javascript. Blocking of such resources is undesirable, because it is disruptive to existing websites that use such polyglot responses in <script> tags.

After this CL, the CORB sniffer takes into account the https://www.ecma-international.org/ecma-262/8.0/index.html#prod-annexB-SingleLineHTMLCloseComment rule, which means that the sniffing doesn't resume immediately after "-->" characters, but instead also consumes all the characters until the first line terminator.

Bug: 839945
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I7c8221acc2013adffe8095d188ae22e1c6a2fdab
Reviewed-on: https://chromium-review.googlesource.com/1047851
Commit-Queue: Charlie Reis <creis@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557018}
--

wpt-commits: 8233b0b8f835c970502c2fc6ef61fa51c3d4f6ce
wpt-pr: 10880
testing/web-platform/meta/MANIFEST.json
testing/web-platform/tests/fetch/corb/resources/html-js-polyglot.js
testing/web-platform/tests/fetch/corb/resources/html-js-polyglot2.js
testing/web-platform/tests/fetch/corb/resources/html-js-polyglot2.js.headers
testing/web-platform/tests/fetch/corb/script-html-js-polyglot.sub.html
--- a/testing/web-platform/meta/MANIFEST.json
+++ b/testing/web-platform/meta/MANIFEST.json
@@ -275244,16 +275244,26 @@
      {}
     ]
    ],
    "fetch/corb/resources/html-js-polyglot.js.headers": [
     [
      {}
     ]
    ],
+   "fetch/corb/resources/html-js-polyglot2.js": [
+    [
+     {}
+    ]
+   ],
+   "fetch/corb/resources/html-js-polyglot2.js.headers": [
+    [
+     {}
+    ]
+   ],
    "fetch/corb/resources/js-mislabeled-as-html-nosniff.js": [
     [
      {}
     ]
    ],
    "fetch/corb/resources/js-mislabeled-as-html-nosniff.js.headers": [
     [
      {}
@@ -560999,23 +561009,31 @@
    "3f89c5d2069c30b9d7108fd69ed8e65f4ade2e9c",
    "support"
   ],
   "fetch/corb/resources/html-correctly-labeled.html.headers": [
    "41e260e7df49e0e4ddb1fc5df11913dbda15edd7",
    "support"
   ],
   "fetch/corb/resources/html-js-polyglot.js": [
-   "7fc30035583764941078fb53f950c52a217d6893",
+   "529e81f0fa614cb1707cf759f6bf1c7990f4d51f",
    "support"
   ],
   "fetch/corb/resources/html-js-polyglot.js.headers": [
    "41e260e7df49e0e4ddb1fc5df11913dbda15edd7",
    "support"
   ],
+  "fetch/corb/resources/html-js-polyglot2.js": [
+   "2a314fc6b634c7f6a6117d5602f9a4520397850d",
+   "support"
+  ],
+  "fetch/corb/resources/html-js-polyglot2.js.headers": [
+   "41e260e7df49e0e4ddb1fc5df11913dbda15edd7",
+   "support"
+  ],
   "fetch/corb/resources/js-mislabeled-as-html-nosniff.js": [
    "ec322736e35e0649e1f3cd4d5b88e2f211436e2b",
    "support"
   ],
   "fetch/corb/resources/js-mislabeled-as-html-nosniff.js.headers": [
    "1bea535d497ae73eb7a84d3a14a5276e9d0ccc34",
    "support"
   ],
@@ -561055,17 +561073,17 @@
    "b9cd3923eeb88157f3bc3f2e62b5ee5e3f166c0c",
    "support"
   ],
   "fetch/corb/script-html-correctly-labeled.tentative.sub.html": [
    "971fcca2f52153a39bf3643b52fb69b6255acf32",
    "testharness"
   ],
   "fetch/corb/script-html-js-polyglot.sub.html": [
-   "4b28bd95bd19ea95df3e78bbfc477fb7dea60e29",
+   "0e9042bc4d7492b17aeb69c9062ca9682000936b",
    "testharness"
   ],
   "fetch/corb/script-html-via-cross-origin-blob-url.sub.html": [
    "5fd4e36f6ad89ea7e7ede4c1a54136d80b126dd4",
    "testharness"
   ],
   "fetch/corb/script-js-mislabeled-as-html-nosniff.sub.html": [
    "ff421a4a827db6c8eeec97d2a7ee7010fd8fd686",
--- a/testing/web-platform/tests/fetch/corb/resources/html-js-polyglot.js
+++ b/testing/web-platform/tests/fetch/corb/resources/html-js-polyglot.js
@@ -1,9 +1,9 @@
 <!--/*--><html><body><script type="text/javascript"><!--//*/
 
 // This is a regression test for https://crbug.com/839425
 // which found out that some script resources are served
 // with text/html content-type and with a body that is
 // both a valid html and a valid javascript.
-window.polyglot = 123;
+window.polyglot = "html-js-polyglot.js";
 
 //--></script></body></html>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/fetch/corb/resources/html-js-polyglot2.js
@@ -0,0 +1,10 @@
+<!-- comment --> <script type='text/javascript'>
+//<![CDATA[
+
+// This is a regression test for https://crbug.com/839945
+// which found out that some script resources are served
+// with text/html content-type and with a body that is
+// both a valid html and a valid javascript.
+window.polyglot = "html-js-polyglot2.js";
+
+//]]>--></script>
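Review bot: This resource pins only the allow side of the relaxed sniffing. Nothing in this commit checks that a `text/html` response is still blocked when real markup starts on the line after a leading `<!-- ... -->` comment. According to the description, the sniffer now skips everything from `-->` to the first line terminator, so the boundary of what remains protected deserves a companion negative resource, unless one already exists elsewhere under `fetch/corb/`. The header comment could also say which rule the first line exercises, for example `// Line 1 is one JS comment (Annex B SingleLineHTMLOpenComment); the sniffer must skip to the line end after "-->".`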
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/fetch/corb/resources/html-js-polyglot2.js.headers
@@ -0,0 +1,1 @@
+Content-Type: text/html
--- a/testing/web-platform/tests/fetch/corb/script-html-js-polyglot.sub.html
+++ b/testing/web-platform/tests/fetch/corb/script-html-js-polyglot.sub.html
@@ -2,28 +2,31 @@
 <!-- Test verifies that CORB won't block a polyglot script that is
      both a valid HTML document and also valid Javascript.
 -->
 <meta charset="utf-8">
 <script src=/resources/testharness.js></script>
 <script src=/resources/testharnessreport.js></script>
 <div id=log></div>
 <script>
-async_test(function(t) {
-  var script = document.createElement("script")
+["html-js-polyglot.js", "html-js-polyglot2.js"].forEach(polyglot_name => {
+  async_test(function(t) {
+    window.polyglot = "not yet set by the script";
+    var script = document.createElement("script");
 
-  script.onload = t.step_func_done(function(){
-    // Verify that html-js-polyglot.js wasn't blocked - that script
-    // should have set window.polyglot to 123.
-    assert_equals(window.polyglot, 123);
-  })
-  addEventListener("error",function(e) {
-    t.step(function() {
-      assert_unreached("No errors are expected with or without CORB.");
-      t.done();
+    script.onload = t.step_func_done(function(){
+      // Verify that the script response wasn't blocked - that script
+      // should have set window.polyglot to |polyglot_name|.
+      assert_equals(window.polyglot, polyglot_name);
     })
-  });
+    addEventListener("error",function(e) {
+      t.step(function() {
+        assert_unreached("No errors are expected with or without CORB.");
+        t.done();
+      })
+    });
 
-  // www1 is cross-origin, so the HTTP response is CORB-eligible.
-  script.src = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/html-js-polyglot.js"
-  document.body.appendChild(script)
-}, "CORB cannot block polyglot HTML/JS");
+    // www1 is cross-origin, so the HTTP response is CORB-eligible.
+    script.src = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/" + polyglot_name;
+    document.body.appendChild(script);
+  }, "CORB cannot block polyglot HTML/JS: " + polyglot_name);
+});
 </script>
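Review bot: The window-level `addEventListener("error", ...)` now sits inside the `forEach`, so each iteration registers its own listener, and an uncaught error raised by either polyglot fails both subtests, which hides which resource regressed. A failed load of the cross-origin script is not caught by these listeners, because the `error` event fired at a `<script>` element does not bubble to `window`; that case would presumably end as a harness timeout rather than a clear failure. I would add `script.onerror = t.unreached_func("script element fired error for " + polyglot_name);` next to `script.onload` and include `polyglot_name` in the `assert_unreached` message. The `t.done()` after `assert_unreached` is dead code, since the assertion throws inside `t.step`.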