Update web-platform-tests to revision e92532746b7615dcccdfa060937a87664816b1db

tests/wpt/web-platform-tests/fetch/corb/README.md

@@ -1,9 +1,19 @@
 # Tests related to Cross-Origin Resource Blocking (CORB).
 
+### Summary
+
 This directory contains tests related to the
 [Cross-Origin Resource Blocking (CORB)](https://chromium.googlesource.com/chromium/src/+/master/content/browser/loader/cross_origin_read_blocking_explainer.md)
 algorithm.
 
+The tests in this directory interact with various, random features,
+but the tests have been grouped together into the `fetch/corb` directory,
+because all of these tests verify behavior that is important to the CORB
+algorithm.
+
+
+### Disclaimer: CORB is not standardized yet
+
 Note that CORB is currently in very early stages of standardization path.  At
 the same time, some tests in this directory (e.g.
 `css-with-json-parser-breaker`) cover behavior spec-ed outside of CORB (making
@@ -30,7 +40,35 @@ CORB is enabled.  In practice this means that:
      `third_party/WebKit/LayoutTests/FlagExpectations/site-per-process` file.
 * Such tests may fail in other browsers.
 
-The tests in this directory interact with various, random features,
-but the tests have been grouped together into the `fetch/corb` directory,
-because all of these tests verify behavior that is important to the CORB
-algorithm.
+
+### Limitations of WPT test coverage
+
+CORB is a defense-in-depth and in general should not cause changes in behavior
+that can be observed by web features or by end users.  This makes CORB difficult
+or even impossible to test via WPT.
+
+WPT tests can cover the following:
+
+* Helping verify CORB has no observable impact in specific scenarios.
+  Examples:
+  * image rendering of (an empty response of) a html document blocked by CORB
+    should be indistinguishable from rendering such html document without CORB -
+    `img-html-correctly-labeled.sub.html`
+  * CORB shouldn't block responses that don't sniff as a CORB-protected document
+    type - `img-png-mislabeled-as-html.sub.html`
+* Helping document cases where CORB causes observable changes in behavior.
+  Examples:
+  * blocking of nosniff images labeled as non-image, CORB-protected
+    Content-Type - `img-png-mislabeled-as-html-nosniff.tentative.sub.html`
+  * blocking of CORB-protected documents can prevent triggering
+    syntax errors in scripts -
+    `script-html-via-cross-origin-blob-url.tentative.sub.html`
+
+Examples of aspects that WPT tests cannot cover (these aspects have to be
+covered in other, browser-specific tests):
+* Verifying that CORB doesn't affect things that are only indirectly
+  observable by the web (like
+  [prefetch](https://html.spec.whatwg.org/#link-type-prefetch).
+* Verifying that CORB strips non-safe-listed headers of blocked responses.
+* Verifying that CORB blocks responses before they reach the process hosting
+  a cross-origin execution context.

tests/wpt/web-platform-tests/fetch/corb/resources/subframe-that-posts-html-containing-blob-url-to-parent.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script>
+fetch('html-correctly-labeled.html')
+    .then(response => response.blob())
+    .then(blob => {
+        let msg = { blob_size: blob.size,
+                    blob_type: blob.type,
+                    blob_url: URL.createObjectURL(blob) };
+        window.parent.postMessage(msg, '*');
+    })
+    .catch(error => {
+        let msg = { error: error };
+        window.parent.postMessage(msg, '*');
+    });
+</script>

tests/wpt/web-platform-tests/fetch/corb/script-html-via-cross-origin-blob-url.sub.html

@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<!-- Test verifies that cross-origin blob URIs are blocked both with and
+  without CORB.
+-->
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+<script>
+async_test(function(t) {
+  function step1_createSubframe() {
+    addEventListener("message", function(e) {
+      t.step(function() { step2_processSubframeMsg(e.data); })
+    });
+    var subframe = document.createElement("iframe")
+    // www1 is cross-origin, to ensure that the received blob will be cross-origin.
+    subframe.src = 'http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/subframe-that-posts-html-containing-blob-url-to-parent.html';
+    document.body.appendChild(subframe);
+  }
+
+  function step2_processSubframeMsg(msg) {
+    assert_not_exists(msg, 'error');
+    assert_equals(msg.blob_type, 'text/html');
+    assert_equals(msg.blob_size, 147);
+
+    // With and without CORB loading of a cross-origin blob should be blocked
+    // (this is verified by expecting |script.onerror|, but not |script.onload|
+    // below).
+    var script = document.createElement("script")
+    script.src = msg.blob_url;
+    script.onerror = t.step_func_done(function(){})
+    script.onload = t.unreached_func("Unexpected load event")
+    document.body.appendChild(script)
+  }
+
+  step1_createSubframe();
+});
+</script>