| Index: third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html
|
| diff --git a/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html b/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..7c3639e5dd143c926efd79d72f543ea06f3ecd5e
|
| --- /dev/null
|
| +++ b/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html
|
| @@ -0,0 +1,76 @@
|
| +<!DOCTYPE html>
|
| +<script src="/resources/testharness.js"></script>
|
| +<script src="/resources/testharnessreport.js"></script>
|
| +<script src="./resources/helper.js"></script>
|
| +<body>
|
| +<script>
|
| + // We're injecting markup via `srcdoc` so, confusingly, we need to
|
| + // entity-escape the "raw" content, and double-escape the "escaped"
|
| + // content.
|
| + var rawBrace = "<";
|
| + var escapedBrace = "&lt;";
|
| + var rawNewline = " ";
|
| + var escapedNewline = "&#10;";
|
| +
|
| + var abeSizedPng = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEwAAABnAQMAAACQMjadAAAAA1BMVEX///+nxBvIAAAAEUlEQVQ4y2MYBaNgFIwCegAABG0AAd5G4RkAAAAASUVORK5CYII=";
|
| + var abeSizedPngWithNewline = abeSizedPng.replace("i", "i\n");
|
| +
|
| + var should_block = [
|
| + `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a${rawNewline}b${rawBrace}c">`,
|
| + `
|
| + <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a
|
| + b${rawBrace}c
|
| + ">
|
| + `,
|
| + ];
|
| +
|
| + should_block.forEach(markup => {
|
| + async_test(t => {
|
| + var i = createFrame(`${markup}`);
|
| + assert_img_not_loaded(t, i);
|
| + }, markup.replace(/[\n\r]/g, ''));
|
| + });
|
| +
|
| + var should_load = [
|
| +
|
| + // `data:` and `javascript:` URLs don't check the content:
|
| + `<img id="dangling" src="${abeSizedPngWithNewline}">`,
|
| +
|
| + // Just one or the other isn't enough:
|
| + `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?data=a${rawNewline}b">`,
|
| + `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a${rawBrace}b">`,
|
| +
|
| + // Entity-escaped characters don't trigger blocking:
|
| + `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?data=a${escapedNewline}b">`,
|
| + `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a${escapedBrace}b">`,
|
| + `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a${escapedNewline}b${escapedBrace}c">`,
|
| +
|
| + // Leading and trailing whitespace is stripped:
|
| + `
|
| + <img id="dangling" src="
|
| + http://127.0.0.1:8000/security/resources/abe.png
|
| + ">
|
| + <input type=hidden name=csrf value=sekrit>
|
| + `,
|
| + `
|
| + <img id="dangling" src="
|
| + http://127.0.0.1:8000/security/resources/abe.png?img=${escapedBrace}
|
| + ">
|
| + <input type=hidden name=csrf value=sekrit>
|
| + `,
|
| + `
|
| + <img id="dangling" src="
|
| + http://127.0.0.1:8000/security/resources/abe.png?img=${escapedNewline}
|
| + ">
|
| + <input type=hidden name=csrf value=sekrit>
|
| + `,
|
| + ];
|
| +
|
| + should_load.forEach(markup => {
|
| + async_test(t => {
|
| + var i = createFrame(`${markup} <element attr="" another=''>`);
|
| + assert_img_loaded(t, i);
|
| + }, markup.replace(/[\n\r]/g, ''));
|
| + });
|
| +</script>
|
| +
|
|
|
Chromium Code Reviews
Issue 2634893003:
Experiment with blocking resolution of HTTP URLs containing '\n' and '<'. (Closed)
