
Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html

Issue 2634893003: Experiment with blocking resolution of HTTP URLs containing '\n' and '<'. (Closed)
Patch Set: Culling. Created 3 years, 11 months ago
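--- a/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="./resources/helper.js"></script>
+<body>
+<script>
+// We're injecting markup via `srcdoc` so, confusingly, we need to
+// entity-escape the "raw" content, and double-escape the "escaped"
+// content.
+var rawBrace = "&lt;";
+var escapedBrace = "&amp;lt;";
+var rawNewline = "&#10;";
+var escapedNewline = "&amp;#10;";
+
+var abeSizedPng = " ACQMjadAAAAA1BMVEX///+nxBvIAAAAEUlEQVQ4y2MYBaNgFIwCegAABG0AAd5G4RkAAAAASUVORK5CY II=";
+var abeSizedPngWithNewline = abeSizedPng.replace("i", "i\n");
+
+var should_block = [
+`<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?im g=a${rawNewline}b${rawBrace}c">`,
+`
+<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?i mg=a
+b${rawBrace}c
+">
+`,
+];
+
+should_block.forEach(markup => {
+async_test(t => {
+var i = createFrame(`${markup}`);
+assert_img_not_loaded(t, i);
+}, markup.replace(/[\n\r]/g, ''));
+});
+
+var should_load = [
+
+// `data:` and `javascript:` URLs don't check the content:
+`<img id="dangling" src="${abeSizedPngWithNewline}">`,
+
+// Just one or the other isn't enough:
+`<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?da ta=a${rawNewline}b">`,
+`<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?im g=a${rawBrace}b">`,
+
+// Entity-escaped characters don't trigger blocking:
+`<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?da ta=a${escapedNewline}b">`,
+`<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?im g=a${escapedBrace}b">`,
+`<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?im g=a${escapedNewline}b${escapedBrace}c">`,
+
+// Leading and trailing whitespace is stripped:
+`
+<img id="dangling" src="
+http://127.0.0.1:8000/security/resources/abe.png
+">
+<input type=hidden name=csrf value=sekrit>
+`,
+`
+<img id="dangling" src="
+http://127.0.0.1:8000/security/resources/abe.png?img=${escapedBrace}
+">
+<input type=hidden name=csrf value=sekrit>
+`,
+`
+<img id="dangling" src="
+http://127.0.0.1:8000/security/resources/abe.png?img=${escapedNewline}
+">
+<input type=hidden name=csrf value=sekrit>
+`,
+];
+
+should_load.forEach(markup => {
+async_test(t => {
+var i = createFrame(`${markup} <element attr="" another=''>`);
+assert_img_loaded(t, i);
+}, markup.replace(/[\n\r]/g, ''));
+});
+</script>
+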
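Review bot: The `data:` entry in `should_load` contains only a newline, so it does not show that `data:` URLs are exempt from the check; the "Just one or the other isn't enough" group already establishes that a newline without `<` loads over HTTP. To pin the exemption, the data URL needs both characters, for example by adding a second entry such as `<img id="dangling" src="${abeSizedPngWithNewline}#${rawBrace}">` (assuming a fragment leaves the image decodable). The comment above it also names `javascript:`, but no `javascript:` case is exercised, so either add one or drop it from the comment. `abeSizedPng.replace("i", "i\n")` depends on where the first lowercase "i" falls in the literal, which is truncated as rendered here, so a one-line comment stating the intended position would help. Finally, `should_block` has no entry with an unterminated `src` attribute running into the following `<input type=hidden name=csrf ...>`, which is the pattern the directory name suggests this check exists to stop.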
