Update web-platform-tests to revision d8b8e0b8efe993a37404d6c6fc75e16fdc16b7d8

2025-08-15 02:15:33 +01:00 · 2018-10-25 21:32:39 -04:00 · 2018-10-25 21:32:39 -04:00 · e07315e6af
commit e07315e6af
parent abc0f50d20
221 changed files with 7334 additions and 774 deletions
--- a/tests/wpt/web-platform-tests/fetch/corb/resources/sniffable-resource.py
+++ b/tests/wpt/web-platform-tests/fetch/corb/resources/sniffable-resource.py
@ -0,0 +1,11 @@
+def main(request, response):
+    body = request.GET.first("body", None)
+    type = request.GET.first("type", None)
+
+    response.add_required_headers = False
+    response.writer.write_status(200)
+    response.writer.write_header("content-length", len(body))
+    response.writer.write_header("content-type", type)
+    response.writer.end_headers()
+
+    response.writer.write(body)
--- a/tests/wpt/web-platform-tests/fetch/corb/script-resource-with-json-parser-breaker.tentative.sub.html
+++ b/tests/wpt/web-platform-tests/fetch/corb/script-resource-with-json-parser-breaker.tentative.sub.html
@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- Test verifies CORB will block responses beginning with a JSON parser
+  breaker regardless of their MIME type (excluding text/css - see below).
+
+  A JSON parser breaker is a prefix added to resources with sensitive data to
+  prevent cross-site script inclusion (XSSI) and similar attacks.  For example,
+  it may be included in JSON files to prevent them from leaking data via a
+  <script> tag, making the response only useful to a fetch or XmlHttpRequest.
+  See also https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md#Protecting-JSON
+
+  The assumption is that all images, other media, scripts, fonts and other
+  resources that may be embedded cross-origin will never begin with a JSON
+  parser breaker.  For example an JPEG image should always being with FF D8 FF,
+  a PNG image with 89 50 4E 47 0D 0A 1A 0A bytes and an SVG image with "<?xml"
+  substring.
+
+  The assumption above excludes text/css which (as shown by
+  style-css-with-json-parser-breaker.sub.html) can parse as valid stylesheet
+  even in presence of a JSON parser breaker.
+-->
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+<script>
+setup({allow_uncaught_exception : true});
+
+// A subset of JSON security prefixes (only ones that are parser breakers).
+json_parser_breakers = [
+  ")]}'",
+  "{}&&",
+  "{} &&",
+]
+
+// JSON parser breaker should trigger CORB blocking for any Content-Type - even
+// for resources that claim to be of a MIME type that is normally allowed to be
+// embedded in cross-origin documents (like images and/or scripts).
+mime_types = [
+  // CORB-protected MIME types
+  "text/html",
+  "text/xml",
+  "text/json",
+  "text/plain",
+
+  // MIME types that normally are allowed by CORB.
+  "application/javascript",
+  "image/png",
+  "image/svg+xml",
+
+  // Other types.
+  "application/pdf",
+  "application/zip",
+]
+
+function test(mime_type, body) {
+  async_test(function(t) {
+    var script = document.createElement("script")
+
+    // Without CORB, the JSON parser breaker would cause a syntax error when
+    // parsed as JavaScript, but with CORB there should be no errors (because
+    // CORB will replace the response body with an empty body).
+    script.onload = t.step_func_done(function(){})
+    addEventListener("error",function(e) {
+      t.step(function() {
+        assert_unreached("Empty body of a CORS-blocked response shouldn't trigger syntax errors.");
+        t.done();
+      })
+    });
+
+    // www1 is cross-origin, so the HTTP response is CORB-eligible.
+    var src_prefix = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/sniffable-resource.py";
+    script.src = src_prefix + "?type=" + mime_type + "&body=" + encodeURIComponent(body);
+    document.body.appendChild(script)
+  }, "CORB-blocks '" + mime_type + "' that starts with the following JSON parser breaker: " + body);
+}
+
+mime_types.forEach(function(type) {
+    json_parser_breakers.forEach(function(body) {
+        test(type, body);
+    });
+});
+
+</script>
--- a/tests/wpt/web-platform-tests/fetch/http-cache/304-update.html
+++ b/tests/wpt/web-platform-tests/fetch/http-cache/304-update.html
@ -120,6 +120,36 @@
          }
        ]
      },
+      {
+        name: "Content-* header",
+        requests: [
+          {
+            response_headers: [
+              ["Expires", -5000],
+              ["ETag", "GHI"],
+              ["Content-Test-Header", "A"]
+            ]
+          },
+          {
+            response_headers: [
+              ["Expires", 3000],
+              ["ETag", "GHI"],
+              ["Content-Test-Header", "B"]
+            ],
+            expected_type: "etag_validated",
+            expected_response_headers: [
+              ["Content-Test-Header", "B"]
+            ],
+            pause_after: true
+          },
+          {
+            expected_type: "cached",
+            expected_response_headers: [
+              ["Content-Test-Header", "B"]
+            ]
+          }
+        ]
+      },
    ];
    run_tests(tests);
    </script>