Bug 1458392 [wpt PR 10745] - Fix timing allow check algorithm for service workers, a=testonly draft
authorNicolas Pena <npm@chromium.org>
Thu, 03 May 2018 22:31:53 +0000
changeset 791495 654bf5fb5fa2e6fc978e8e0b465bfae2de92af86
parent 791494 1fc09bf93e2e18752c3f70b668cf7c7dfadd619d
child 791496 269481dfd91fa8120d25a9f60ba117ef71573b94
push id108825
push userbmo:james@hoppipolla.co.uk
push dateFri, 04 May 2018 14:12:31 +0000
reviewerstestonly
bugs1458392, 10745, 837275, 1038229, 555476
milestone61.0a1
Bug 1458392 [wpt PR 10745] - Fix timing allow check algorithm for service workers, a=testonly Automatic update from web-platform-testsFix timing allow check algorithm for service workers This CL uses the OriginalURLViaServiceWorker() in the timing allow check algorithm if the response WasFetchedViaServiceWorker(). This way, if a service worker changes a same origin request to become cross origin, then the timing allow check algorithm will still fail. resource-timing-worker.js is changed so it avoids an empty Response, which is an odd case in terms of same origin checks. Bug: 837275 Change-Id: I7e497a6fcc2ee14244121b915ca5f5cceded417a Reviewed-on: https://chromium-review.googlesource.com/1038229 Commit-Queue: Nicolás Peña Moreno <npm@chromium.org> Reviewed-by: Yoav Weiss <yoav@yoav.ws> Reviewed-by: Timothy Dresser <tdresser@chromium.org> Cr-Commit-Position: refs/heads/master@{#555476} -- wpt-commits: 7e9e0aed09557bf971cdea5fabe8872aeed3e0f3 wpt-pr: 10745
testing/web-platform/meta/MANIFEST.json
testing/web-platform/tests/service-workers/service-worker/resource-timing-cross-origin.https.html
testing/web-platform/tests/service-workers/service-worker/resources/iframe-with-image.html
testing/web-platform/tests/service-workers/service-worker/resources/resource-timing-worker.js
testing/web-platform/tests/service-workers/service-worker/resources/square.png.sub.headers
testing/web-platform/tests/service-workers/service-worker/resources/worker-fetching-cross-origin.js
--- a/testing/web-platform/meta/MANIFEST.json
+++ b/testing/web-platform/meta/MANIFEST.json
@@ -295305,16 +295305,21 @@
      {}
     ]
    ],
    "service-workers/service-worker/resources/http-to-https-redirect-and-register-iframe.html": [
     [
      {}
     ]
    ],
+   "service-workers/service-worker/resources/iframe-with-image.html": [
+    [
+     {}
+    ]
+   ],
    "service-workers/service-worker/resources/immutable-prototype-serviceworker.js": [
     [
      {}
     ]
    ],
    "service-workers/service-worker/resources/import-mime-type-worker.py": [
     [
      {}
@@ -295860,16 +295865,21 @@
      {}
     ]
    ],
    "service-workers/service-worker/resources/square.png": [
     [
      {}
     ]
    ],
+   "service-workers/service-worker/resources/square.png.sub.headers": [
+    [
+     {}
+    ]
+   ],
    "service-workers/service-worker/resources/success.py": [
     [
      {}
     ]
    ],
    "service-workers/service-worker/resources/svg-target-reftest-001-frame.html": [
     [
      {}
@@ -295960,16 +295970,21 @@
      {}
     ]
    ],
    "service-workers/service-worker/resources/worker-client-id-worker.js": [
     [
      {}
     ]
    ],
+   "service-workers/service-worker/resources/worker-fetching-cross-origin.js": [
+    [
+     {}
+    ]
+   ],
    "service-workers/service-worker/resources/worker-interception-iframe.https.html": [
     [
      {}
     ]
    ],
    "service-workers/service-worker/resources/worker-interception-redirect-serviceworker.js": [
     [
      {}
@@ -366059,16 +366074,22 @@
     ]
    ],
    "service-workers/service-worker/request-end-to-end.https.html": [
     [
      "/service-workers/service-worker/request-end-to-end.https.html",
      {}
     ]
    ],
+   "service-workers/service-worker/resource-timing-cross-origin.https.html": [
+    [
+     "/service-workers/service-worker/resource-timing-cross-origin.https.html",
+     {}
+    ]
+   ],
    "service-workers/service-worker/resource-timing.https.html": [
     [
      "/service-workers/service-worker/resource-timing.https.html",
      {}
     ]
    ],
    "service-workers/service-worker/respond-with-body-accessed-response.https.html": [
     [
@@ -601682,16 +601703,20 @@
   "service-workers/service-worker/rejections.https.html": [
    "785a18ac3c8001034f583a8e97195aa47093bd0d",
    "testharness"
   ],
   "service-workers/service-worker/request-end-to-end.https.html": [
    "e93efe04f35ff8c9ce15969a7b3f6373b098c4a8",
    "testharness"
   ],
+  "service-workers/service-worker/resource-timing-cross-origin.https.html": [
+   "a100738d8300a6f8361ed040bda6503be240c2cf",
+   "testharness"
+  ],
   "service-workers/service-worker/resource-timing.https.html": [
    "23cadb03b48a885dbbd9a5dfdc38b5b58f99d18a",
    "testharness"
   ],
   "service-workers/service-worker/resources/404.py": [
    "567d0a7de3ef54adaa8339bb04632a2ecfcc57a5",
    "support"
   ],
@@ -602178,16 +602203,20 @@
   "service-workers/service-worker/resources/frame-for-getregistrations.html": [
    "c5f88c11333ff1faba5d57812a36553d174ab711",
    "support"
   ],
   "service-workers/service-worker/resources/http-to-https-redirect-and-register-iframe.html": [
    "b1a69bedbfbcb8f5b38d35f637f75f167d80118a",
    "support"
   ],
+  "service-workers/service-worker/resources/iframe-with-image.html": [
+   "979ab7a2ad813948d68c7ecdde8349960fbdb867",
+   "support"
+  ],
   "service-workers/service-worker/resources/immutable-prototype-serviceworker.js": [
    "0a428649e0ceaaacdea5d156e829c63668bc3f72",
    "support"
   ],
   "service-workers/service-worker/resources/import-mime-type-worker.py": [
    "7881cd81f7fe54bf3be799f3549098c78b896574",
    "support"
   ],
@@ -602535,17 +602564,17 @@
    "c939271e717288203a5a298b95a7328100bd7c80",
    "support"
   ],
   "service-workers/service-worker/resources/resource-timing-iframe.sub.html": [
    "75bd224a9680af0557c53fb6e77645e4e0b8173d",
    "support"
   ],
   "service-workers/service-worker/resources/resource-timing-worker.js": [
-   "45dd429936a3e3f558fac21a5a2e69ec7fa5ab5a",
+   "2a47775874086c1cdff257e3243af1af0b5e84be",
    "support"
   ],
   "service-workers/service-worker/resources/respond-then-throw-worker.js": [
    "d57215bcad8a3966175930642dfd34281b11aeff",
    "support"
   ],
   "service-workers/service-worker/resources/respond-with-body-accessed-response-iframe.html": [
    "d3d543503ab9c4398a674105a7c67f1a2e74cde7",
@@ -602622,16 +602651,20 @@
   "service-workers/service-worker/resources/skip-waiting-worker.js": [
    "da9ade15f01cc05e3a376406a9be442e12467049",
    "support"
   ],
   "service-workers/service-worker/resources/square.png": [
    "fa547a180b73a5422d52c1702c9d1e43b1083f9c",
    "support"
   ],
+  "service-workers/service-worker/resources/square.png.sub.headers": [
+   "34d0864df728804709caf1281dfd86587636fb2f",
+   "support"
+  ],
   "service-workers/service-worker/resources/success.py": [
    "628bc36bef749e1a2ffda104f71a17acee69b13b",
    "support"
   ],
   "service-workers/service-worker/resources/svg-target-reftest-001-frame.html": [
    "898cb16d911e94eb36506a07c6cceae41d9bcbda",
    "support"
   ],
@@ -602702,16 +602735,20 @@
   "service-workers/service-worker/resources/windowclient-navigate-worker.js": [
    "f7a925c1fe330839ea52d45cd052c387303defd6",
    "support"
   ],
   "service-workers/service-worker/resources/worker-client-id-worker.js": [
    "22fc24fa277508cabfdfa500745b3446e7a8c076",
    "support"
   ],
+  "service-workers/service-worker/resources/worker-fetching-cross-origin.js": [
+   "9bd4fb4507f5d7458b8702c5a0d34116acab4fcb",
+   "support"
+  ],
   "service-workers/service-worker/resources/worker-interception-iframe.https.html": [
    "b9fd4ea281b328c1f21573d1563c968dac52cf22",
    "support"
   ],
   "service-workers/service-worker/resources/worker-interception-redirect-serviceworker.js": [
    "ebf3c26bd9a176cf535549dc42637c92e29de4f0",
    "support"
   ],
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/service-workers/service-worker/resource-timing-cross-origin.https.html
@@ -0,0 +1,52 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<meta charset="utf-8" />
+<title>This test validates Resource Timing for cross origin content fetched by Service Worker from an originally same-origin URL.</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/test-helpers.sub.js"></script>
+</head>
+
+<body>
+<script>
+async_test(function(t) {
+    const worker_url = 'resources/worker-fetching-cross-origin.js';
+    const scope = 'resources/iframe-with-image.html';
+    let registration;
+    service_worker_unregister_and_register(t, worker_url, scope)
+    .then(function(r) {
+        registration = r;
+        return wait_for_state(t, r.installing, 'activated');
+    })
+    .then(function() {
+        return with_iframe(scope);
+    })
+    .then(function(frame) {
+        const frame_performance = frame.contentWindow.performance;
+        // Check that there is one entry for which the timing allow check algorithm failed.
+        const entries = frame_performance.getEntriesByType('resource');
+        assert_equals(entries.length, 1);
+        const entry = entries[0];
+        assert_equals(entry.redirectStart, 0, 'redirectStart should be 0 in cross-origin request.');
+        assert_equals(entry.redirectEnd, 0, 'redirectEnd should be 0 in cross-origin request.');
+        assert_equals(entry.domainLookupStart, 0, 'domainLookupStart should be 0 in cross-origin request.');
+        assert_equals(entry.domainLookupEnd, 0, 'domainLookupEnd should be 0 in cross-origin request.');
+        assert_equals(entry.connectStart, 0, 'connectStart should be 0 in cross-origin request.');
+        assert_equals(entry.connectEnd, 0, 'connectEnd should be 0 in cross-origin request.');
+        assert_equals(entry.requestStart, 0, 'requestStart should be 0 in cross-origin request.');
+        assert_equals(entry.responseStart, 0, 'responseStart should be 0 in cross-origin request.');
+        assert_equals(entry.secureConnectionStart, 0, 'secureConnectionStart should be 0 in cross-origin request.');
+        assert_equals(entry.decodedBodySize, 0, 'decodedBodySize should be 0 in cross-origin request.');
+        frame.remove();
+        return registration.unregister();
+      })
+    .then(function() {
+        t.done();
+      })
+    .catch(unreached_rejection(t));
+}, 'Test that timing allow check fails when service worker changes origin from same to cross origin.');
+</script>
+</body>
+</html>
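Review bot: The assertions in the third `.then` callback cover the timestamp attributes and `decodedBodySize`, but not `transferSize` or `encodedBodySize`. Resource Timing also zeroes these two when the timing allow check fails, so a regression that exposes the cross-origin response size through a service worker would pass this test unnoticed. Consider adding `assert_equals(entry.transferSize, 0, 'transferSize should be 0 in cross-origin request.');` and the equivalent line for `encodedBodySize`. It would also help to assert that `entry.name` ends with `square`, so the single entry is known to be the substituted image. Because `frame.remove()` and `registration.unregister()` run only after every assertion passes, a failure leaves the registration behind; registering them through `t.add_cleanup` would avoid that.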
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/service-workers/service-worker/resources/iframe-with-image.html
@@ -0,0 +1,2 @@
+<!DOCTYPE html>
+<img src="square">
--- a/testing/web-platform/tests/service-workers/service-worker/resources/resource-timing-worker.js
+++ b/testing/web-platform/tests/service-workers/service-worker/resources/resource-timing-worker.js
@@ -1,9 +1,5 @@
 self.addEventListener('fetch', function(event) {
     if (event.request.url.indexOf('dummy.js') != -1) {
-      event.respondWith(new Promise(resolve => {
-        // Slightly delay the response so we ensure we get a non-zero
-        // duration.
-        setTimeout(_ => resolve(new Response()), 100);
-      }));
+      event.respondWith(fetch('empty.js'));
     }
   });
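Review bot: The added `event.respondWith(fetch('empty.js'));` line replaces a commented block with an uncommented one, and nothing in the file now says why the worker fetches a real resource instead of synthesising a response. A comment such as `// Serve a real same-origin resource; an empty Response() is an odd case for same-origin checks.` would keep the reasoning from the commit message next to the code. The removed 100 ms delay existed to guarantee a non-zero duration, so if the test that uses this worker (not visible here) still asserts that, it now depends on the latency of the fetch, which is worth confirming. The relative URL `'empty.js'` is presumably resolved against the worker script's location, and the comment could say so.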
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/service-workers/service-worker/resources/square.png.sub.headers
@@ -0,0 +1,2 @@
+Content-Type: image/png
+Access-Control-Allow-Origin: *
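Review bot: `square.png` is already listed in MANIFEST.json as an existing support file, so this new headers file changes the response for every test in the directory that loads it, not only the new cross-origin test. Adding `Access-Control-Allow-Origin: *` to a shared resource could change the outcome of tests that rely on the image being served without CORS approval; a dedicated copy of the image for this test would keep the change local. The new test passes only because no `Timing-Allow-Origin` header is sent here, and that dependency is not recorded anywhere a later editor of this file would see it, so it is worth stating in the test's own comment. The `.sub` suffix looks unnecessary, since neither header line uses a substitution.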
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/service-workers/service-worker/resources/worker-fetching-cross-origin.js
@@ -0,0 +1,10 @@
+importScripts('/common/get-host-info.sub.js');
+importScripts('test-helpers.sub.js');
+
+self.addEventListener('fetch', event => {
+  const host_info = get_host_info();
+  // The sneaky Service Worker changes the same-origin 'square' request for a cross-origin image.
+  if (event.request.url.indexOf('square') != -1) {
+    event.respondWith(fetch(host_info['HTTPS_REMOTE_ORIGIN'] + base_path() + 'square.png', {mode: 'cors'}));
+  }
+});
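Review bot: The condition `event.request.url.indexOf('square') != -1` matches the substring anywhere in the full URL, including the host and query string. The worker would therefore rewrite any request in scope whose URL happens to contain "square", not just the image the iframe asks for. Matching on the path is tighter and states the intent, for example `if (new URL(event.request.url).pathname.endsWith('/square')) {`. `get_host_info()` is also called for every fetch event even when the request is not rewritten; moving `const host_info = get_host_info();` inside the `if` keeps the pass-through path free of work. `base_path()` is presumably provided by `test-helpers.sub.js`, and a short comment on the `importScripts` line naming what each import supplies would help readers.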