Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-08-03 12:40:06 +01:00
Code Issues Projects Releases Packages Wiki Activity

Auto merge of #16869 - nox:mime, r=nox

Browse source 
Ignore mime type parameters in nosniff (fixes #16049)

<!-- Reviewable:start -->
This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/16869)
<!-- Reviewable:end -->
This commit is contained in:
bors-servo 2017-05-15 10:15:37 -05:00 committed by GitHub
commit f3c8f7e0d0
6 changed files with 72 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

8
components/net/fetch/methods.rs
View file

@ -559,10 +559,10 @@ pub fn should_be_blocked_due_to_nosniff(request_type: Type, response_headers: &H
mime!(Text / ("x-javascript")), mime!(Text / ("x-javascript")),
]; ];
javascript_mime_types.contains(mime_type) javascript_mime_types.iter()
.any(|mime| mime.0 == mime_type.0 && mime.1 == mime_type.1)
} }
let text_css: Mime = mime!(Text / Css);
// Assumes str::starts_with is equivalent to mime::TopLevel // Assumes str::starts_with is equivalent to mime::TopLevel
return match request_type { return match request_type {
// Step 6 // Step 6
@ -575,8 +575,8 @@ pub fn should_be_blocked_due_to_nosniff(request_type: Type, response_headers: &H
// Step 7 // Step 7
Type::Style => { Type::Style => {
match content_type_header { match content_type_header {
Some(&ContentType(ref mime_type)) => mime_type != &text_css, Some(&ContentType(Mime(TopLevel::Text, SubLevel::Css, _))) => false,
None => true _ => true
} }
} }
// Step 8 // Step 8

8
tests/wpt/metadata/MANIFEST.json
View file

@ -558502,7 +558502,7 @@
"testharness" "testharness"
], ],
"fetch/nosniff/image.html": [ "fetch/nosniff/image.html": [
"da847d5aa65fc5f52313b4434a84f1938061c7f6", "2b31b5f05d843c55640943e68224cb36a1670a5e",
"testharness" "testharness"
], ],
"fetch/nosniff/importscripts.html": [ "fetch/nosniff/importscripts.html": [
@ -558510,7 +558510,7 @@
"testharness" "testharness"
], ],
"fetch/nosniff/importscripts.js": [ "fetch/nosniff/importscripts.js": [
"90f5f826fcac39388c603e10b6b76d01a9238427", "e7c02b40c457cc5347acb5a13d0ce14268b8187d",
"support" "support"
], ],
"fetch/nosniff/parsing-nosniff.html": [ "fetch/nosniff/parsing-nosniff.html": [
@ -558558,11 +558558,11 @@
"support" "support"
], ],
"fetch/nosniff/script.html": [ "fetch/nosniff/script.html": [
"7701124283e0714ef4229fbc6d63a26f8e5e86b1", "762b6033a5b75465417f9921f7d06781ad036cbe",
"testharness" "testharness"
], ],
"fetch/nosniff/stylesheet.html": [ "fetch/nosniff/stylesheet.html": [
"e2dda6ec5981c40dcad68c933336a0358639eec3", "707b1031fc7594d49b6f1487c8ef71864791ea80",
"testharness" "testharness"
], ],
"fetch/nosniff/worker.html": [ "fetch/nosniff/worker.html": [

16
tests/wpt/web-platform-tests/fetch/nosniff/image.html
View file

@ -3,17 +3,25 @@
<div id=log></div> <div id=log></div>
<script> <script>
// Note: images get always sniffed, nosniff doesn't do anything // Note: images get always sniffed, nosniff doesn't do anything
var passes = ["", "?type=", "?type=x", "?type=x/x", "?type=image/gif", "?type=image/png", "?type=image/png;blah"] var passes = [null, "", "x", "x/x", "image/gif", "image/png", "image/png;blah"]
passes.forEach(function(urlpart) { const get_url = (mime) => {
let url = "resources/image.py"
if (mime != null) {
url += "?type=" + encodeURIComponent(mime)
}
return url
}
passes.forEach(function(mime) {
async_test(function(t) { async_test(function(t) {
var img = document.createElement("img") var img = document.createElement("img")
img.onerror = t.unreached_func("Unexpected error event") img.onerror = t.unreached_func("Unexpected error event")
img.onload = t.step_func_done(function(){ img.onload = t.step_func_done(function(){
assert_equals(img.width, 96) assert_equals(img.width, 96)
}) })
img.src = "resources/image.py" + urlpart img.src = get_url(mime)
document.body.appendChild(img) document.body.appendChild(img)
}, "URL query: " + urlpart) }, "URL query: " + mime)
}) })
</script> </script>

23
tests/wpt/web-platform-tests/fetch/nosniff/importscripts.js
View file

@ -3,15 +3,26 @@ function log(w) { this.postMessage(w) }
function f() { log("FAIL") } function f() { log("FAIL") }
function p() { log("PASS") } function p() { log("PASS") }
["", "?type=", "?type=x", "?type=x/x"].forEach(function(urlpart) { const get_url = (mime, outcome) => {
let url = "resources/js.py"
if (mime != null) {
url += "?type=" + encodeURIComponent(mime)
}
if (outcome) {
url += "&outcome=p"
}
return url
}
[null, "", "x", "x/x"].forEach(function(mime) {
try { try {
importScripts("resources/js.py" + urlpart) importScripts(get_url(mime))
} catch(e) { } catch(e) {
(e.name == "NetworkError") ? p() : log("FAIL (no NetworkError exception): " + urlpart) (e.name == "NetworkError") ? p() : log("FAIL (no NetworkError exception): " + mime)
} }
}) })
importScripts("resources/js.py?type=text/javascript&outcome=p") importScripts(get_url("text/javascript", true))
importScripts("resources/js.py?type=text/ecmascript&outcome=p") importScripts(get_url("text/ecmascript", true))
importScripts("resources/js.py?type=text/ecmascript;blah&outcome=p") importScripts(get_url("text/ecmascript;blah", true))
log("END") log("END")

27
tests/wpt/web-platform-tests/fetch/nosniff/script.html
View file

@ -4,29 +4,40 @@
<script> <script>
var log = function() {}, // see comment below var log = function() {}, // see comment below
p = function() {}, // see comment below p = function() {}, // see comment below
fails = ["", "?type=", "?type=x", "?type=x/x"], fails = [null, "", "x", "x/x"],
passes = ["?type=text/javascript", "?type=text/ecmascript", "?type=text/ecmascript;blah"] passes = ["text/javascript", "text/ecmascript", "text/ecmascript;blah"]
// Ideally we'd also check whether the scripts in fact execute, but that would involve // Ideally we'd also check whether the scripts in fact execute, but that would involve
// timers and might get a bit racy without cross-browser support for the execute events. // timers and might get a bit racy without cross-browser support for the execute events.
fails.forEach(function(urlpart) { const get_url = (mime, outcome) => {
let url = "resources/js.py"
if (mime != null) {
url += "?type=" + encodeURIComponent(mime)
}
if (outcome) {
url += "&outcome=p"
}
return url
}
fails.forEach(function(mime) {
async_test(function(t) { async_test(function(t) {
var script = document.createElement("script") var script = document.createElement("script")
script.onerror = t.step_func_done(function(){}) script.onerror = t.step_func_done(function(){})
script.onload = t.unreached_func("Unexpected load event") script.onload = t.unreached_func("Unexpected load event")
script.src = "resources/js.py" + urlpart script.src = get_url(mime)
document.body.appendChild(script) document.body.appendChild(script)
}, "URL query: " + urlpart) }, "URL query: " + mime)
}) })
passes.forEach(function(urlpart) { passes.forEach(function(mime) {
async_test(function(t) { async_test(function(t) {
var script = document.createElement("script") var script = document.createElement("script")
script.onerror = t.unreached_func("Unexpected error event") script.onerror = t.unreached_func("Unexpected error event")
script.onload = t.step_func_done(function(){}) script.onload = t.step_func_done(function(){})
script.src = "resources/js.py" + urlpart + "&outcome=p" script.src = get_url(mime, true)
document.body.appendChild(script) document.body.appendChild(script)
}, "URL query: " + urlpart) }, "URL query: " + mime)
}) })
</script> </script>

24
tests/wpt/web-platform-tests/fetch/nosniff/stylesheet.html
View file

@ -3,28 +3,36 @@
<script src=/resources/testharnessreport.js></script> <script src=/resources/testharnessreport.js></script>
<div id=log></div> <div id=log></div>
<script> <script>
var fails = ["", "?type=", "?type=x", "?type=x/x"], var fails = [null, "", "x", "x/x"],
passes = ["?type=text/css", "?type=text/css;blah"] passes = ["text/css", "text/css;charset=utf-8", "text/css;blah"]
fails.forEach(function(urlpart) { const get_url = (mime) => {
let url = "resources/css.py"
if (mime != null) {
url += "?type=" + encodeURIComponent(mime)
}
return url
}
fails.forEach(function(mime) {
async_test(function(t) { async_test(function(t) {
var link = document.createElement("link") var link = document.createElement("link")
link.rel = "stylesheet" link.rel = "stylesheet"
link.onerror = t.step_func_done(function(){}) link.onerror = t.step_func_done(function(){})
link.onload = t.unreached_func("Unexpected load event") link.onload = t.unreached_func("Unexpected load event")
link.href = "resources/css.py" + urlpart link.href = get_url(mime)
document.body.appendChild(link) document.body.appendChild(link)
}, "URL query: " + urlpart) }, "URL query: " + mime)
}) })
passes.forEach(function(urlpart) { passes.forEach(function(mime) {
async_test(function(t) { async_test(function(t) {
var link = document.createElement("link") var link = document.createElement("link")
link.rel = "stylesheet" link.rel = "stylesheet"
link.onerror = t.unreached_func("Unexpected error event") link.onerror = t.unreached_func("Unexpected error event")
link.onload = t.step_func_done(function(){}) link.onload = t.step_func_done(function(){})
link.href = "resources/css.py" + urlpart link.href = get_url(mime)
document.body.appendChild(link) document.body.appendChild(link)
}, "URL query: " + urlpart) }, "URL query: " + mime)
}) })
</script> </script>