Add more tests for dangling markup mitigation

Adding more tests per this comment[1]. [1] whatwg/html#10022 (review) Change-Id: Ia3360404630c1c22b1dad14ed930c0517f66b6e7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5362504 Reviewed-by: Jonathan Hao <[email protected]> Reviewed-by: Yifan Luo <[email protected]> Commit-Queue: Jun Kokatsu <[email protected]> Cr-Commit-Position: refs/heads/main@{#1275548}
web-platform-tests · Mar 20, 2024 · 8857216 · 8857216
1 parent d17b37c
commit 8857216
Show file tree

Hide file tree

Showing 6 changed files with 89 additions and 29 deletions.
diff --git a/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.html b/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.html
diff --git a/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.tentative.https.html b/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.tentative.https.html
@@ -0,0 +1,80 @@
+<!DOCTYPE html>
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  const blank = 'about:blank';
+  const dangling_url = 'resources/empty.html?\n<';
+  const navigation_api_calls = [
+    `window.open(\`${dangling_url}\`,'_self')`,
+    `location.replace(\`${dangling_url}\`)`,
+  ];
+
+  function get_requests(worker, expected) {
+    return new Promise(resolve => {
+      navigator.serviceWorker.addEventListener('message', function onMsg(evt) {
+        if (evt.data.size >= expected) {
+          navigator.serviceWorker.removeEventListener('message', onMsg);
+          resolve(evt.data);
+        } else {
+          worker.postMessage("");
+        }
+      });
+      worker.postMessage("");
+    });
+  }
+
+  navigation_api_calls.forEach(call => {
+    async_test(t => {
+      const iframe =
+        document.body.appendChild(document.createElement('iframe'));
+      t.step(() => {
+        iframe.contentWindow.eval(call);
+        t.step_timeout(() => {
+          assert_false(iframe.contentWindow.location.href.endsWith(blank));
+          t.done();
+        }, 500);
+      });
+    }, `Does not block ${call}`);
+  });
+
+  const dangling_resource = "404?type=text/javascript&\n<"
+  const api_calls = [
+    [`const xhr = new XMLHttpRequest();
+     xhr.open("GET", \`${"xhr" + dangling_resource}\`);
+     xhr.send(null);`, "xhr"],
+    [`new EventSource(\`${"EventSource" + dangling_resource}\`)`,"EventSource"],
+    [`fetch(\`${"fetch" + dangling_resource}\`).catch(()=>{})`, "fetch"],
+    [`new Worker(\`${"Worker" + dangling_resource}\`)`, "Worker"],
+    [`let text = \`try{importScripts(\\\`${location.href + "/../importScripts" + dangling_resource}\\\`)}catch(e){}\`;
+     let blob = new Blob([text], {type : 'text/javascript'});
+     let url = URL.createObjectURL(blob);
+     new Worker(url)`, "importScripts"],
+
+  ];
+
+  navigator.serviceWorker.register('service-worker.js');
+  const iframe = document.createElement('iframe');
+  iframe.src = "resources/empty.html";
+  document.body.appendChild(iframe);
+  api_calls.forEach(call => {
+    promise_test(t => {
+      return new Promise(resolve => {
+        navigator.serviceWorker.ready.then(t.step_func(registration => {
+          iframe.contentWindow.eval(call[0]);
+          get_requests(registration.active, 0).then(t.step_func(requests => {
+            resolve(assert_true(requests.has(call[1] + dangling_resource)));
+          }));
+        }));
+      });
+    }, `Does not block ${call[1]}`);
+  });
+
+  async_test(t => {
+    let url = new URL(location.origin + "/" + dangling_url);
+    // Newlines are removed by the URL parser.
+    assert_true(url.href.endsWith(encodeURI(dangling_url.replace("\n",""))));
+    t.done();
+  }, `Does not block new URL()`);
+</script>
diff --git a/...gling-markup-mitigation-data-url.sub.html → ...up-mitigation-data-url.tentative.sub.html b/...gling-markup-mitigation-data-url.sub.html → ...up-mitigation-data-url.tentative.sub.html
diff --git a/...ng-markup/dangling-markup-mitigation.html → ...dangling-markup-mitigation.tentative.html b/...ng-markup/dangling-markup-mitigation.html → ...dangling-markup-mitigation.tentative.html
diff --git a/...kup/dangling-markup-mitigation.https.html → ...ng-markup-mitigation.tentative.https.html b/...kup/dangling-markup-mitigation.https.html → ...ng-markup-mitigation.tentative.https.html
diff --git a/fetch/security/dangling-markup/service-worker.js b/fetch/security/dangling-markup/service-worker.js
@@ -16,18 +16,24 @@ addEventListener('fetch', evt => {
   const url = new URL(evt.request.url);
   const path = url.pathname;
   const search = url.search || "?";
+  const params = new URLSearchParams(search);
+  const type = params.get('type');
   if (path.includes('404')) {
     const dir = path.split('/');
     const request = dir[dir.length-1] + search;
     if (!requests.has(request)) {
       requests.add(request);
     }
-    evt.respondWith(new Response(""));
+    evt.respondWith(new Response("", {
+      headers: {
+        "Content-Type": type || "text/plain"
+      }
+    }));
   } else if (path.endsWith('resources.html')) {
-    const html = (new URLSearchParams(search)).get('html');
+    const html = params.get('html') || "";
     evt.respondWith(new Response(html, {
       headers: {
-        "Content-Type": "text/html"
+        "Content-Type": type || "text/html"
       }
     }));
   }