Bug 1621393 [wpt PR 22163] - Add support for path absolute url to reporting endpoint, a=testonly
authorRodney Ding <rodneyding@google.com>
Sat, 14 Mar 2020 11:28:41 +0000
changeset 518842 f6aa28232ba79de5cf47bb1f4803f58b0c79a002
parent 518841 1d669ca911c7f09b386ede254594b7b9bf9e3447
child 518843 849a61e2a088e37fb5b84e8f641bfca5389ab02e
push id37217
push userccoroiu@mozilla.com
push dateSun, 15 Mar 2020 21:37:59 +0000
reviewerstestonly
bugs1621393, 22163, 1060306, 2096846, 749897
milestone76.0a1
Bug 1621393 [wpt PR 22163] - Add support for path absolute url to reporting endpoint, a=testonly Automatic update from web-platform-tests Add support for path absolute url to reporting endpoint Add wpt tests to cover reports sent out-of-band to path-absolute-url endpoints. Copying some report infra code from wpt/content-security-policy Github discussions here https://github.com/w3c/reporting/issues/147 Bug: 1060306 Change-Id: I293cb686fd60edd15b28b7ccf7a5a9904b7ea588 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2096846 Commit-Queue: Rodney Ding <rodneyding@google.com> Reviewed-by: Lily Chen <chlily@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Cr-Commit-Position: refs/heads/master@{#749897} -- wpt-commits: 122127794de6f4f2fa635b48f34c59e8c23b30a1 wpt-pr: 22163
testing/web-platform/tests/reporting/path-absolute-endpoint.https.sub.html
testing/web-platform/tests/reporting/path-absolute-endpoint.https.sub.html.sub.headers
testing/web-platform/tests/reporting/resources/fail.png
testing/web-platform/tests/reporting/resources/report-helper.js
testing/web-platform/tests/reporting/resources/report.py
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/reporting/path-absolute-endpoint.https.sub.html
@@ -0,0 +1,69 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that reports are sent when report-endpoint points to path-absolute-url</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='resources/report-helper.js'></script>
+</head>
+<body>
+  <script>
+    var t = async_test("Test that image does not load");
+    const base_url = `${location.protocol}//${location.host}`;
+    async_test(function(t) {
+    window.addEventListener("securitypolicyviolation", t.step_func(function(e) {
+        assert_equals(e.blockedURI, `${base_url}/reporting/resources/fail.png`);
+        assert_equals(e.violatedDirective, "img-src");
+        t.done();
+      }));
+    }, "Event is fired");
+
+    async_test(function(t) {
+      var observer = new ReportingObserver(function(reports, observer) {
+        t.step(function() {
+          assert_equals(reports.length, 1);
+
+          // Ensure that the contents of the report are valid.
+
+          assert_equals(reports[0].type, "csp-violation");
+          assert_equals(reports[0].url, location.href);
+          assert_equals(reports[0].body.documentURL, location.href);
+          assert_equals(reports[0].body.referrer, null);
+          assert_equals(reports[0].body.blockedURL,
+                        `${base_url}/reporting/resources/fail.png`);
+          assert_equals(reports[0].body.effectiveDirective, "img-src");
+          assert_equals(reports[0].body.originalPolicy,
+                        "script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group");
+          assert_equals(reports[0].body.sourceFile, location.href);
+          assert_equals(reports[0].body.sample, null);
+          assert_equals(reports[0].body.disposition, "enforce");
+          assert_equals(reports[0].body.statusCode, 0);
+          assert_equals(reports[0].body.lineNumber, 66);
+          assert_equals(reports[0].body.columnNumber, 0);
+        });
+
+        t.done();
+      });
+      observer.observe();
+    }, "Report is observable to ReportingObserver");
+  </script>
+  <img src='/reporting/resources/fail.png'
+    onload='t.unreached_func("The image should not have loaded");'
+    onerror='t.done();'>
+  <script>
+    async_test(async (t) => {
+      try {
+        const endpoint = `${base_url}/reporting/resources/report.py`;
+        const id = 'd0d517bf-891b-457a-b970-8b2b2c81a0bf';
+        await wait(3000);
+        const reports = await pollReports(endpoint, id);
+        checkReportExists(reports, 'csp-violation', location.href);
+        t.done();
+      } catch (e) {
+        t.step(() => { throw e; });
+      }
+    }, "Reporting endpoints received reports.");
+  </script>
+
+</body>
+</html>
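Review bot: The `onload` handler on the `<img>` cannot fail the test, because `t.unreached_func("…")` only returns a function and the inline handler discards it without calling it. If `img-src 'none'` were not enforced and the image loaded, "Test that image does not load" would sit until the harness timeout instead of failing with the message. Invoke the returned function: `onload='t.unreached_func("The image should not have loaded")();'`. Separately, `assert_equals(reports[0].body.lineNumber, 66)` hard-codes a line number although the `<img>` appears to be on line 50 of this file, so the value is worth confirming or explaining in a comment.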
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/reporting/path-absolute-endpoint.https.sub.html.sub.headers
@@ -0,0 +1,2 @@
+Report-To: { "group": "csp-group", "max_age": 10886400, "endpoints": [{ "url": "/reporting/resources/report.py?id=d0d517bf-891b-457a-b970-8b2b2c81a0bf" }] }
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..b5933803338f770bdb1e6a7d433aeb640be85b08
GIT binary patch
literal 759
zc%17D@N?(olHy`uVBq!ia0vp^D}dO6gAGXb#n?mxDb50q$YKTtZeb8+WSBKa0w~B{
z;_2(kewB-dL*MksU){?<A=whwh!W@g+}zZ>5(ej@)Wnk16ovB4k_?5Aj8p}8Pv3y|
zDXMu43{1J6E{-7;x8BaS%@zq1aX7D`vWR1%iBiXn6*D4KmuwVRZ6Y@7kiW;G{|+bk
zH+(2R(xCX?L14><2`o)qT*vrDTwFI^a1&6Pwe^JVJZH0W=iZ!aso>+;WB&Wzxp#Lr
ze=qv3obAXxQTG&|vjUgaq6Lc<D8VTZ14^L_mtN8;%sKY;&aIhU{VPw+`rnch{XcWv
z8ROGtJKstcD9v2Y;4CT^9G2KC8S*d5L|y$rVZxaU8X4hPt_K&(hEM(&HT(0T1-%#e
zW4xZ3Px|PZFkLa|f|@1!o9>U&57a)GJ!3x50uu2&{UgT2uy|VK?jLz&A5(WfY(B8N
zLVG=9dqcnU9DANU+q=!1ubmAMT3W5Bet`W!ozPKD=cNlmH)qb|f4O|}$DDWDZr<7D
zvry+_s&~!8j3>{QH?SN2W0PSBE57^p`I1Jfxofr`neCXJ+b333B=nhewyJT4u<xaN
zC;F<B?3iqBCfw!tpmEH;;qQTR;}w!yuFvs*Qgh4Aui^NbdUyT}(mN7foLNwsa-sde
zNuld8e~#N3uV@OZTiDOAUMuFi#)l|J-H)Xv?!IrtS#wYOB^b?|zx2lX1?N<%)gITm
zIPN}Y@p^taQw`%gkvrw)yXunu?^qaeA#VEj$_L>GYxg(ao>n<~Nt~Hy^8xh*`p*s@
z_{_JioTozY@%)LN`@?c3S=G6oU2uE4cITYavZpvd2t{-i$`{<6pp~)y)bF*EzE6C&
wJIzD)V-lNaV1OX2C@YWxGoTbJc45wc3_^xo3K8>w2^R=FUHx3vIVCg!0Mx!fX#fBK
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/reporting/resources/report-helper.js
@@ -0,0 +1,22 @@
+function wait(ms) {
+  return new Promise(resolve => step_timeout(resolve, ms));
+}
+
+async function pollReports(endpoint, id) {
+  const res = await fetch(`${endpoint}?id=${id}`, {cache: 'no-store'});
+  const reports = [];
+  if (res.status === 200) {
+    for (const report of await res.json()) {
+      reports.push(report);
+    }
+  }
+  return reports;
+}
+
+function checkReportExists(reports, type, url) {
+  for (const report of reports) {
+    if (report.type !== type) continue;
+    if (report.body.sourceFile === url) return true;
+  }
+  assert_unreached(`A report of ${type} from ${url} is not found.`);
+}
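Review bot: `pollReports` issues a single `fetch` and treats every non-200 status as "no reports", so the caller's fixed `wait(3000)` alone decides whether an out-of-band report has arrived, and a 400 from the endpoint is indistinguishable from an empty stash. A bounded retry loop that returns as soon as the list is non-empty would make the test less timing-dependent; the retry count and delay below are illustrative and need to fit the harness timeout. `id` is also interpolated into the query string unencoded, and `encodeURIComponent(id)` keeps the helper correct for callers that pass something other than a UUID.

```javascript
async function pollReports(endpoint, id) {
  const url = `${endpoint}?id=${encodeURIComponent(id)}`;
  // Report delivery is out-of-band with no fixed latency, so retry a bounded
  // number of times instead of relying on one fetch after a fixed sleep.
  for (let attempt = 0; attempt < 10; attempt++) {
    const res = await fetch(url, {cache: 'no-store'});
    if (res.status === 200) {
      const reports = await res.json();
      if (reports.length > 0) return reports;
    }
    await wait(500);
  }
  return [];
}
// … unchanged: wait, checkReportExists …
```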
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/reporting/resources/report.py
@@ -0,0 +1,17 @@
+import json
+
+def main(request, response):
+  key = request.GET.first('id')
+
+  # No CORS support for cross-origin reporting endpoints
+  if request.method == 'POST':
+    reports = request.server.stash.take(key) or []
+    for report in json.loads(request.body):
+      reports.append(report)
+    request.server.stash.put(key, reports)
+    return 'done'
+  if request.method == 'GET':
+    return json.dumps(request.server.stash.take(key) or [])
+
+  response.status = 400
+  return 'invalid method'
\ No newline at end of file
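Review bot: In the POST branch, `json.loads(request.body)` is iterated without checking that the decoded value is a list, so a JSON object body would append its keys to the stash and a non-JSON body raises instead of producing the 400 used for bad methods. A guard after decoding, such as `if not isinstance(body, list): response.status = 400; return 'invalid body'`, would keep malformed deliveries out of the stored reports. The `take` then `put` sequence is not atomic as written, so two reports posted close together could presumably overwrite each other; a short comment stating that the test expects a single delivery per id would document that. `request.GET.first('id')` also runs before the method check, so a request without `id` likely fails before reaching the 400 path.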